<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Privacy Risk Report &#187; GDPR</title>
	<atom:link href="https://privacyriskreport.com/tag/gdpr/feed/" rel="self" type="application/rss+xml" />
	<link>https://privacyriskreport.com</link>
	<description></description>
	<lastBuildDate>Fri, 03 Feb 2023 16:49:49 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>No Need To Get Hysterical Over The Compliance Deadline For The California Consumer Privacy Act</title>
		<link>https://privacyriskreport.com/no-need-to-get-hysterical-over-the-compliance-deadline-for-the-california-consumer-privacy-act/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=no-need-to-get-hysterical-over-the-compliance-deadline-for-the-california-consumer-privacy-act</link>
		<comments>https://privacyriskreport.com/no-need-to-get-hysterical-over-the-compliance-deadline-for-the-california-consumer-privacy-act/#comments</comments>
		<pubDate>Tue, 23 Jul 2019 16:39:41 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Businesses]]></category>
		<category><![CDATA[California Consumer Privacy Act]]></category>
		<category><![CDATA[GDPR]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1886</guid>
		<description><![CDATA[
<p>The compliance deadline for the California Consumer Privacy Act (“CCPA”) is January 1, 2020. Even though the CCPA is the first privacy law that will directly impact a large number of U.S. businesses, the best strategy for most U.S. businesses... <a class="more-link" href="https://privacyriskreport.com/no-need-to-get-hysterical-over-the-compliance-deadline-for-the-california-consumer-privacy-act/">Continue Reading &#8594;</a></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/no-need-to-get-hysterical-over-the-compliance-deadline-for-the-california-consumer-privacy-act/">No Need To Get Hysterical Over The Compliance Deadline For The California Consumer Privacy Act</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>The compliance deadline for the California Consumer Privacy Act (“CCPA”) is January 1, 2020. Even though the CCPA is the first privacy law that will directly impact a large number of U.S. businesses, the best strategy for most U.S. businesses will be to take a measured response toward this new law.</p>
<p><strong>GDPR Hysteria </strong></p>
<p>The General Data Protection Regulation (“GDPR”) has been in effect for more than a year. And, without question, GDPR has influenced privacy law around the world: <a href="https://www.hipaajournal.com/59000-data-breaches-reported-to-gdpr-supervisory-authorities-91-fines-issued/" target="_blank">roughly 59,000 data breaches were reported to EU supervisory authorities and about 90 fines were issued</a> since the May 25, 2018 compliance deadline. However, while GDPR has undoubtedly impacted many businesses, it has not become a daily concern for most businesses in the EU, and it is almost no concern at all for the vast majority of U.S. businesses.</p>
<p>Before the compliance deadline, there was what can only be called <a href="https://www.gdwnet.com/2017/11/29/can-we-tone-down-the-gdpr-hysteria/" target="_blank">“GDPR hysteria”</a> over how the world would look after GDPR. As the GDPR deadline loomed, many experts and U.S. law firms grew hysterical and rushed to create GDPR practices. While an assessment of privacy safeguards and advance preparation are always recommended, <a href="https://privacyriskreport.com/tick-tock-a-gdpr-primer-to-meet-the-deadline-next-week/" target="_blank">the best advice at that time</a> was for American businesses to simply use GDPR as another opportunity to review their privacy safeguards rather than stress over compliance.</p>
<p><strong>A Measured CCPA Response</strong></p>
<p>Today, we are seeing a similar hysteria over the upcoming <a href="https://www.gdwnet.com/2017/11/29/can-we-tone-down-the-gdpr-hysteria/" target="_blank">January 1, 2020, CCPA compliance deadline</a>. In the run-up to the CCPA&#8217;s effective date, law firms and other experts are setting up practice groups dedicated to an anticipated onslaught of CCPA claims. And, once again, a measured response may be the best course when putting together a compliance game plan, because not every U.S. business will be subject to the CCPA.</p>
<p>Before any business pays a law firm’s newly-minted CCPA practice group a large retainer, it may be worth looking at the fundamental principles of this new law. First, the reach of the CCPA is limited because a “business” subject to the law must be a for-profit entity that collects consumers&#8217; personal information, does business in California, and satisfies at least one of the following additional thresholds:</p>
<ul>
<li>Has annual gross revenues exceeding $25 million;</li>
<li>Annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices; or</li>
<li>Derives 50 percent or more of its annual revenue from selling consumers&#8217; personal information.</li>
</ul>
<p>These requirements will most likely narrow the scope of the CCPA to larger, national businesses.</p>
<p>Admittedly, if the CCPA applies, the stakes are high. A business that violates the CCPA can face a civil action for penalties brought by the California Attorney General, and a consumer whose personal information is exposed in a breach caused by the business&#8217;s failure to maintain reasonable security may sue for statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater. (Cal. Civ. Code § 1798.150) Therefore, any business subject to the CCPA has reason to take this privacy law seriously.</p>
<p>However, while it is reasonable to expect the CCPA to have a greater impact on U.S. businesses than GDPR, the CCPA may not apply to the vast majority of businesses. In many cases, the best place to start to determine if the CCPA should cause concern for a business falling into this gray area is to look at the California legislature’s stated intent behind the CCPA which includes:</p>
<ul>
<li>“…the bill would grant a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of 3rd parties with which the information is shared.”</li>
<li>“The bill would require a business to make disclosures about the information and the purposes for which it is used.”</li>
<li>“The bill would grant a consumer the right to request deletion of personal information and would require the business to delete upon receipt of a verified request, as specified.”</li>
<li>“The bill would grant a consumer a right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects and categories of information and the identity of 3rd parties to which the information was sold or disclosed.”</li>
<li>“The bill would require a business to provide this information in response to a verifiable consumer request.”</li>
<li>“The bill would authorize a consumer to opt-out of the sale of personal information by a business and would prohibit the business from discriminating against the consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data.”</li>
<li>“The bill would prohibit a business from selling the personal information of a consumer under 16 years of age, unless affirmatively authorized, as specified, to be referred to as the right to opt-in.”</li>
<li>“The bill would prescribe requirements for receiving, processing, and satisfying these requests from consumers.”</li>
</ul>
<p>CCPA compliance may not need to be an overriding concern for a smaller business that does not face any of the challenges outlined above. That is, if a business does not have many requests to destroy stored personal information, it may not need an elaborate process to field such requests. Of course, even if a business believes the CCPA does not apply to it, a measured response may still include taking steps toward compliance. First, businesses are always best served by protecting customer/client data that they have been entrusted with. Also, it is only a matter of time before almost every business will operate under state or federal privacy laws. Therefore, while it may be practical for all businesses to begin working toward CCPA compliance, there is no reason to be hysterical about this new privacy law.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/no-need-to-get-hysterical-over-the-compliance-deadline-for-the-california-consumer-privacy-act/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Tick Tock: A GDPR Primer To Meet The Deadline Next Week</title>
		<link>https://privacyriskreport.com/tick-tock-a-gdpr-primer-to-meet-the-deadline-next-week/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=tick-tock-a-gdpr-primer-to-meet-the-deadline-next-week</link>
		<comments>https://privacyriskreport.com/tick-tock-a-gdpr-primer-to-meet-the-deadline-next-week/#comments</comments>
		<pubDate>Fri, 18 May 2018 17:32:15 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[European Union]]></category>
		<category><![CDATA[GDPR]]></category>
		<category><![CDATA[legislation]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1509</guid>
		<description><![CDATA[
<p>Discussions on privacy laws have taken front and center in recent weeks as European Union (EU) member states begin enforcing the General Data Protection Regulation (“GDPR”) on May 25, 2018. As we have been discussing for a while, there is... <a class="more-link" href="https://privacyriskreport.com/tick-tock-a-gdpr-primer-to-meet-the-deadline-next-week/">Continue Reading &#8594;</a></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/tick-tock-a-gdpr-primer-to-meet-the-deadline-next-week/">Tick Tock: A GDPR Primer To Meet The Deadline Next Week</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Discussions on privacy laws have taken front and center in recent weeks as European Union (EU) member states begin enforcing the General Data Protection Regulation (“GDPR”) on May 25, 2018. <a href="https://privacyriskreport.com/ironing-out-the-wrinkles-in-data-legislation-a-case-study/" target="_blank">As we have been discussing for a while</a>, there is confusion as data collectors try to figure out the impact of this legislation. There is no question that large, multi-national corporations will have to comply and many of these corporations are already in compliance. However, with this deadline just around the corner, smaller companies that do not actively target EU residents are struggling with how this legislation impacts them.</p>
<p>Until privacy laws across these jurisdictions are harmonized, the safest route for smaller companies may be to comply with GDPR and with state, federal, local and industry regulations as fully as possible. With the GDPR deadline looming, smaller data collectors should consider the following:</p>
<p><strong>GDPR Overview</strong></p>
<p>The eugdpr.org guide (a widely cited third-party site, not an official EU publication) states that this legislation “replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” (The guide can be found <a href="https://www.eugdpr.org/" target="_blank">here</a>.)</p>
<p>Importantly, GDPR applies to data collectors outside the EU as well as inside it: a collector with no establishment in the EU is still covered if it offers goods or services to people in the EU or monitors their behaviour (Article 3). The definition of personal data is broad, covering any information “that can be used to directly or indirectly identify the person.” Under GDPR, this can include “anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”</p>
<p>GDPR also imposes new obligations on how data is handled and stored. For example, EU residents have a “right of access” (Article 15) that requires data collectors to provide specific details about how their information is processed, and a right to have their personal data erased by a data collector on request (Article 17). The maximum penalty for non-compliance is 4% of the data collector&#8217;s annual global turnover or €20 million, whichever is greater (Article 83).</p>
<p><strong>Should We be Concerned About GDPR Regulations?</strong></p>
<p>We have been getting questions from our clients about how GDPR may impact them. The knee-jerk reaction from many American companies appears to be to ignore GDPR if their business is not focused on EU residents. Admittedly, there are many questions concerning how GDPR can be enforced against data collectors outside the European Union. Of course, betting that the EU will not be able to enforce these regulations broadly is not the best strategy.</p>
<p>The consensus is that general marketing to customers who may happen to include EU residents will not by itself trigger an obligation under the GDPR. Rather, it appears at this time that EU residents will need to be directly targeted for GDPR to apply to data collectors outside the European Union. <a href="https://www.forbes.com/sites/forbestechcouncil/2017/12/04/yes-the-gdpr-will-affect-your-u-s-based-business/2/#297abf1849a9" target="_blank">Commentators have provided the following analysis</a> on this issue:</p>
<p><em>For example, a Dutch user who Googles and finds an English-language webpage written for U.S. consumers or B2B customers would not be covered under the GDPR. However, if the marketing is in the language of that country and there are references to EU users and customers, then the webpage would be considered targeted marketing and the GDPR will apply.</em></p>
<p><em>Accepting currency of that country and having a domain suffix &#8212; say a U.S. website that can be reached with a .nl  from the Netherlands &#8212; would certainly seal the case.</em></p>
<p>Even if GDPR compliance may not be a priority for smaller data collectors, it is still worthwhile at this time for data collectors to consider compliance for the following reasons:</p>
<ul>
<li><em>GDPR compliance is not costly</em>. For a small data collector, compliance at this point may amount to adding a few new disclosures to its website.</li>
<li><em>GDPR compliance has a positive impact for customers who trust you with their data</em>. Even if large, multi-national corporations have the most at stake, working toward GDPR compliance will only make data safer. Keeping data safe may result in more business and lower losses from a cyber incident.</li>
<li><em>GDPR compliance puts you ahead of the pack</em>. The GDPR is the strictest and most punitive privacy regulation we have seen to date, and working toward compliance with it will only help data collectors meet the state, federal and industry standards they may already be required to follow. Further, if the GDPR succeeds, data collectors should expect the U.S. to adopt similar standards.</li>
</ul>
<p><strong>The Initial, Practical Approach To GDPR Compliance</strong></p>
<p>Now that it is clear that GDPR compliance may be a concern even for data collectors that are not necessarily targeting EU residents, a discussion as to the potential for liability can be guided by the following points:</p>
<ol>
<li><strong>Data Inventory. </strong>Data collectors first need to inventory the information and data they collect, and where it comes from. A website that collects names and email addresses of visitors may gather an EU resident&#8217;s data occasionally without targeting the European Union for business. A data collector cannot thoroughly assess its liability without taking stock of the origin of the collected data.</li>
<li><strong>Consent? </strong>While it is still early in the process of GDPR compliance, most data collectors will likely find there is at least a peripheral chance that data belonging to an EU resident will be collected. This is the proper time to determine whether consent should be obtained from all individuals providing any data or information. Consent does not have to be an elaborate policy that no one would want to read (we are looking at you, Apple). Rather, consent can be obtained through clear language without legalese. Note that under GDPR consent is only one of several lawful bases for processing (Article 6), and where a collector relies on it, the consent must be freely given, specific, informed and unambiguous (Article 4(11)), so a pre-ticked box or mere silence does not count. From a practical standpoint, data collectors may want to use a website such as <a href="https://secureprivacy.ai/" target="_blank">SecurePrivacy.AI</a>, which has recently begun offering a free tool that scans websites for GDPR compliance.</li>
<li><strong>Data/Privacy Officer. </strong>Reviewing GDPR compliance also provides an opportunity to consider whether a data/privacy officer should be appointed. This person would be responsible for handling data and information retention issues and would be the point of contact for anyone worried about how their data was gathered, used or retained. GDPR itself calls this role the data protection officer (DPO) and makes it mandatory only for public authorities and for organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data (Article 37); smaller data collectors may still appoint one voluntarily.</li>
</ol>
<p>The issues concerning GDPR are not new. Data collectors have been struggling for years to comply with federal, state, local and industry data collection requirements. For example, an employer in Chicago, Illinois may hold information on employees who are residents of Illinois, Wisconsin or Indiana, and may have been trying to harmonize those states&#8217; privacy regulations for years at this point. Consequently, data collectors should use GDPR as another opportunity to assess the safeguards they have in place to protect data.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/tick-tock-a-gdpr-primer-to-meet-the-deadline-next-week/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
