
Author Archives: David C. Johnson

  1. Complying With the Incomplete: Does California’s Privacy Law Apply to Your Business?


    Back in July 2018, we introduced you to some of the sights and smells of the new California Consumer Privacy Act of 2018 (the CCPA). Not long after, the California legislature issued some technical corrections to the legislation. But there are still a number of open questions and issues that require attention from the legislature and the Attorney General’s office with respect to this groundbreaking privacy law, which was written and passed in 7 business days. While those questions may be resolved (or not) before the law’s enforcement date, companies that do business in California should not wait for all of the answers before they start planning for it.

    One of the pressing open issues is when the privacy provisions of the CCPA take effect (the data breach class action provisions take effect on January 1, 2020). In the August 2018 technical corrections, the California legislature added new Section 1798.185(7)(c), which states that “the Attorney General shall not bring an enforcement action under this title until six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.” As such, enforcement of the CCPA may begin on January 1, 2020, July 1, 2020, or sometime in between – we don’t know yet.

    What we do know, however, is that companies should take time to determine if the CCPA applies to them and start thinking about some of the key requirements under that Act. We also know that the CCPA isn’t the “GDPR-lite” it was initially described as. The CCPA lacks the teeth of the European privacy regulation. The fines for non-compliance are significantly lower ($2,500 per violation not cured within 30 days of receiving notice from the CA AG, or $7,500 per intentional violation, versus GDPR’s 2-4% of global annual revenues); private rights of action only exist for data breaches with respect to nonencrypted or nonredacted personal information; and cross-border data transfers aren’t addressed. That said, the CCPA does include some important rights for Californians that are similar to GDPR, and additional requirements related to the right to opt out of the sale of personal information.

    Does It Apply to My Company?

    So, while the details are being hammered out, companies should be thinking about whether the CCPA applies to them and what they need to do, at minimum, to comply with this new law.

    Most of the CCPA obligations apply only to “businesses” that are for-profit entities “that collect[] consumers’ personal information” and which “alone, or jointly with others, determines the purposes and means of the processing” as it does business in California. The businesses also must meet one or more of the below thresholds to be subject to the CCPA:

    (i)   Annual gross revenues in excess of $25,000,000;
    (ii)  Buys, sells, receives, or shares personal information of 50,000 California residents for commercial purposes; or,
    (iii) Derives 50% or more of revenue from selling personal data of California residents.

    When a business has been identified as being subject to the CCPA, its parent companies and subsidiaries may qualify automatically even if they would not individually be subject to the CCPA. And, as with the GDPR’s definition of processing, “collect” is defined very broadly under the CCPA to include “buying, renting, gathering, obtaining, receiving, or accessing any personal information” of a consumer, regardless of whether such collection is active or passive.

    Okay, CCPA Applies to My Business. What Should I Do First?

    If the CCPA applies to your business, it’s time to consider some of the basic requirements for compliance. These include facilitating the exercise of privacy rights by California residents, including the right to access personal data (similar to GDPR) and five new rights that differ from GDPR:

    • the right to cancel (erase) data (but only when that data is collected by a business directly from the California resident exercising the right);
    • the right to know what is being collected;
    • the right to know what information has been shared;
    • the right to opt out of the sale of personal information (or opt-in for individuals under age 16); and
    • the right not to be discriminated against for the exercise of these privacy rights (meaning charging different prices or providing different quality goods/services is prohibited if that difference is reasonably related to the value provided by the consumer’s data, but this right doesn’t prevent up-charging for enhanced services above the baseline).

    The CCPA will require businesses to update their privacy policies to reflect these rights, as well as provide at least two reasonably accessible means for California residents to exercise the rights, including a toll-free phone number and, if the business has a website, a web address.

    In addition, the CCPA requires businesses to provide a link on their homepage and in their privacy policy explicitly titled “Do Not Sell My Personal Information” to enable California consumers to opt out of the sale of their personal information without having to create an account with the business.

    For businesses that went through the exercise of reviewing their data practices and updating their privacy policies and websites for GDPR, the process should feel familiar, and many of the steps you have already taken will help inform you as to whether the CCPA applies to your business. For those who haven’t had a sweeping privacy law apply to them yet, there are careful considerations to address to ensure compliance and minimize your exposure to claims that your company is not meeting its obligations under the CCPA.

    As with any important business planning effort, start early. The team at Protorae Law continues to track developments with the CCPA, and other state, federal, and international privacy laws, and is here to answer your questions and help you understand your compliance obligations.

  2. FTC Focuses on Ensuring Businesses Keep Their Privacy Promises


    2018 has been a big year for privacy issues for companies around the world. The new European privacy law – the General Data Protection Regulation (GDPR) – came into force, the Facebook-Cambridge Analytica data breach came to light, the new but imperfect California Consumer Privacy Act (CaCPA) was created and passed at the speed of light, and real discussions occurred at the White House about the potential development of a new US national privacy framework, among many other global privacy initiatives. Some companies have responded by evaluating their privacy practices and many have affirmed their promises to consumers through updated privacy policies and new internal procedures designed to safeguard sensitive information about individuals.

    As a reminder to U.S. companies (and those doing business in the United States), making a promise to keep personal information private is just the first step: you also have to keep that promise. Failure to do so may lead to legal problems. Ongoing diligence in ensuring that your company complies with its stated internal and consumer-facing privacy practices is not only required to comply with laws like the EU’s GDPR and the CaCPA; it can be enforced in the U.S. by regulatory agencies as well.

    The FTC Is Now Policing Privacy Promises

    Putting aside any debates about the ability of European privacy authorities and agencies to enforce the GDPR or other European laws or treaties against US companies, the Federal Trade Commission (FTC) has also indicated that it will enforce the promises made by companies with respect to their privacy policies.

    Empowered by the FTC Act, the FTC can, does, and will take enforcement actions to ensure that companies are not deceiving U.S. consumers, including with regard to their privacy promises. Much like other FTC actions to protect consumers, the concern is whether companies are deceiving the consuming public with their claims about how personal information is being protected, the rights of consumers with respect to their personal information, and consumers’ ability to access and manage their personal data.

    Living up to its own promise to enforce, the FTC reached a settlement in early July 2018 with a California company regarding its false claim of working toward compliance with one of the cross-border data transfer mechanisms approved under the GDPR: the EU-U.S. Privacy Shield Framework. In its complaint, the FTC alleged that ReadyTech Corporation falsely claimed in its written privacy policy to be “in the process of certifying that we comply with the U.S.-E.U. Privacy Shield Framework.” ReadyTech did, in fact, initiate an application with the U.S. Department of Commerce in October 2016 to participate in the Privacy Shield Framework, but never completed the steps required to complete its application and actually participate in the Framework. The FTC alleged that this representation was a false claim violating the FTC Act’s prohibition against deceptive acts or practices. The FTC’s complaint and the July settlement are the fourth action taken by the agency for non-compliance with the requirements of the Privacy Shield Frameworks, following three other settlements in September 2017. Combined with the prior cross-border transfer mechanisms, including the predecessor Safe Harbor framework and the Asia Pacific Economic Cooperation Cross Border Privacy Rules framework, the FTC has brought 47 cases to enforce against false claims of compliance involving data transfer and protection practices.

    What to Expect From the FTC Regarding Privacy Enforcement in the Future

    Compliance with cross-border transfer mechanisms is just one avenue of privacy practices enforcement for the FTC. Any deceptive claim a company makes to US consumers regarding its privacy practices is subject to the enforcement powers of the agency under the FTC Act. And, while the fines for non-compliance are lower in the United States than the statutory fines for non-compliance with the strict terms of the GDPR (between 10 and 20 million euros or 2-4% of global revenue, whichever is greater), these FTC settlements typically come with long, expensive, and administratively taxing compliance and reporting requirements that significantly drive up the cost of making false claims with respect to privacy practices. In its settlement with the FTC, ReadyTech is required to create certain records for a period of 20 years following the issuance of the order and must submit to compliance reporting under penalty of perjury and monitoring for that entire period.

    Companies should be sure that they are living up to the promises they have made to consumers via their privacy policy. If there are claimed practices that are inaccurate, it is important to revisit and update the privacy policy to ensure that it is correct and compliant with the relevant laws that govern collection, use, sharing, and destruction of consumers’ personal information. Moreover, companies should periodically review their privacy policy and other Terms of Service/Terms of Use to ensure that they are up-to-date, correct, and complete in describing the business’s current practices, protocols, and legal authority to do what it does with data covered by privacy laws.

    As you do this in your own business, if you have questions or need help determining if your practices and your statements are legal and consistent, the attorneys at Protorae Law are here to help.

  3. A New Whiff of Privacy, California Style


    Apparently how you smell is personal information (in California).

    With the EU’s General Data Protection Regulation (GDPR) of 2016 in force for about a month, California’s legislature was looking to up its game and “get tough” on its big, home-grown tech companies’ well-documented privacy faux pas. So on June 28, 2018, California enacted the U.S.’s first elevated, GDPR-like privacy measures at the state level. Beginning on January 1, 2020, the California Consumer Privacy Act of 2018 (CCPA) will be effective, and it will have a far-reaching impact on US and foreign companies’ business activities involving personal information of Californians.

    Many companies with a US presence choose to apply the most stringent privacy standards of any US state to simplify their privacy compliance effort. So California’s new law will have the practical effect of enhancing privacy protections that benefit U.S. citizens nationwide. Here are some crazy and not-so-crazy things you should know about this new law (which was drafted in a mere 7 days).

    Is California’s New Law GDPR-Lite?

    Some of the features of the CCPA will look familiar to anyone who has been dissecting and analyzing the GDPR. The right of privacy is now an “‘inalienable’ right of all people” in California, though it is a “fundamental” right in the EU regulation. Now Californians have a right to:

    • Be informed about what personal information businesses collect about them
    • Be informed of the extent and purposes of the collection at the time the personal information is collected
    • Access the collected information, and
    • Have personal information deleted from a business’s records.

    To keep consumers informed about how businesses collect, use, and (sometimes) sell their personal information, as well as their rights with respect to that personal information, businesses subject to the CCPA will be required to refresh their privacy policies at least annually. Like the GDPR, the CCPA gives businesses a short period of time to comply with personal information access requests (here, 45 days instead of 30 days under the GDPR, but both deadlines are extendable for cause). Businesses also may not discriminate against consumers for exercising their rights relating to their personal information, including by denying them goods or services, charging different prices based on their choices/restrictions on use of their personal data, or providing different levels or qualities of service, unless such differences are reasonably related to the value provided to the consumer by the consumer’s data (think about a Facebook feed made more content-rich by sharing personal information versus one minimally populated as a result of limited sharing). Interestingly, businesses can also provide incentives to consumers for authorizing the sale of their personal information, including payments directly to the consumer for the right/consent to engage in that activity.

    Like GDPR, but different in important ways….

    Some of the features of California’s new law, however, are not drawn from the GDPR and seem to be targeted towards curbing some often-criticized practices of California’s Silicon Valley tech giants. It will be easier for consumers and employees to sue businesses, including under a class action lawsuit, following disclosure of a data breach involving their personal information. The California Attorney General also has broader powers under the new privacy law to investigate and fine companies that don’t adhere to the requirements of the CCPA. Most notably, however, are the incredibly broad definition of “personal information” that is caught in the law’s net and the right of consumers to opt-out of giving businesses the right or consent to sell their personal information.

    Although the definition of personal data (the EU equivalent of personal information) was broader than other similar laws at the time of the GDPR’s enactment in 2016, California has exceeded that definition and expanded its definition of information subject to its new privacy law. California covers identifiers like name, address, email address, social security number, and biometric information, and includes some additional categories like audio, visual, thermal, olfactory, or similar information about a person. How you smell and the heat your body gives off apparently are personal information under the CCPA!

    Importantly for most businesses, however, California includes in its definition of personal information:

    • Unique identifiers like Internet Protocol (IP) addresses
    • Geolocation data
    • Shopping, browsing, and search histories as well as other information relating to a consumer’s interaction with a website, application, or advertisement, and
    • Consumer profiles created from this information or inferences drawn from personal information regarding a consumer’s “characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes”

    Practically speaking, this means that businesses that use online identifiers like cookies and web beacons to track and take action on users’ activities involving their websites must both disclose their use of these technologies and give people the option to opt out and request that the company delete all information collected through those cookies and other tracking technologies.

    Don’t sell my data, dude!

    The CCPA gives consumers the right to opt out of the sale of their information from one business to another. Businesses will be required to make at least two methods available for consumers to exercise their rights under the CCPA, including at minimum a toll-free phone number and, if the business operates a website, a web address. In addition, much like opt-outs for direct marketing operate now, with direct links to the opt-out page at the bottom of marketing emails, businesses will be required to have a conspicuous link on their homepage titled “Do Not Sell My Personal Information” enabling consumers to exercise that right to opt out. Businesses must respect these opt-outs for a period of at least 12 months before contacting the consumer again for authorization to sell their personal information.

    With about 18 months to go before the CCPA goes into effect, there is still time for the California legislature to make changes to the legislation. California needs to address some drafting errors given that this law was put together astonishingly fast (the law went from draft to law in a single week) in order to meet a deadline related to the withdrawal of a ballot measure on the same issue. But it is unlikely that major changes to the law will be made any time soon. Businesses nationwide should continue to watch as California prepares to enter the enforcement period under its new upgraded privacy law and think about how they will address these new requirements that take effect in January of 2020.

    As always, we’ll continue to write about this and other important privacy compliance updates. And if you would like to learn more about California’s privacy law and how it may affect your business, please contact us, we’re here to help.

  4. EU Data Protection Laws: Why US Companies Should Care


    After being introduced in April 2016, the European Union’s General Data Protection Regulation (GDPR) officially comes into enforcement effect today, replacing the existing EU Data Protection Directive. Although similar to the previous data protection law, the GDPR includes new and enhanced requirements aimed at protecting the fundamental rights of natural persons with respect to their personal data. The territorial reach of the GDPR is also broad, requiring businesses processing personal data of EU and European Economic Area (EEA) individuals to comply with its obligations, whether those businesses are performing the processing directly or through the use of downstream vendors, and regardless of where that processing activity takes place. Failure to comply with the regulation risks imposition of significant monetary sanctions – starting at the greater of either 10 million euros or 2% of a company’s global revenue for the prior fiscal year per incident. If you have not already, the time is now to consider whether and how your business may be affected by the broad reach of the GDPR.

    Who and what does the GDPR affect?

    The GDPR centers on the principle that the protection of personal data is a fundamental right enjoyed by all Europeans. The GDPR affirms that fundamental right, including the right of access, the right to correction of inaccuracies in their personal data, the right of erasure (popularly known as the “right to be forgotten”), and the right to restrict processing, among others. The new regulation requires companies to create mechanisms for natural persons in the EU and EEA to exercise these rights and control how their data is used. Individuals are also empowered to enforce these rights with the ability to bring a complaint to the supervisory authorities, as well as to bring a private cause of action in court against the companies processing their personal data illegally.

    Under the GDPR, “personal data” is information about a living natural person that can be used on its own or combined with other information to identify that person (a “data subject”). Personal data includes not only the familiar – names, mailing addresses, EU/EEA Member State ID card, passport numbers, and credit card information – but also less obvious online personal identifiers such as an individual’s IP address, location data, and cookie data. Additional obligations and restrictions apply to the processing of specific categories of sensitive personal data including personal data revealing racial or ethnic origin, genetic data, or religious beliefs, as well as processing of the personal data related to children, criminal convictions, and criminal offenses.

    The regulation applies to “processing” of that personal data, which is any operation performed on the personal data such as collection, storage, consultation, use, transmission, and even activities like erasure or destruction. Both data controllers (the organizations originally collecting, storing, and using personal data) and data processors (the vendors hired by data controllers to analyze or use that personal data for business purposes of the data controllers) are subject to these requirements when either a data controller or its engaged data processors (1) operate within the EU/EEA; (2) are located outside the EU/EEA but offer goods and services to individuals in the EU/EEA (regardless of whether payment is required); or (3) monitor the behavior of individuals in the EU/EEA. Essentially, simply possessing personal data about a person from the EU or EEA constitutes processing sufficient to require your compliance with the GDPR.

    What are the main GDPR requirements?

    The GDPR’s enhanced requirements on companies processing personal data fall into several general categories: (1) openness and transparency about what is being done with an individual’s personal data, (2) how that personal data is being protected, (3) with whom it may be shared, (4) whether and how it is transferred outside of the EU/EEA, (5) notification to individuals that they may manage how their personal data is used and informing them how to do so, (6) updating existing and new contracts between controllers and processors to address the mandatory terms imposed under the GDPR, and (7) appropriate and timely response to data breaches. Here are some of the big-ticket items that must be addressed by every company handling personal data of EU/EEA data subjects.

    Lawful basis. Companies must identify and document an appropriate lawful basis for their processing activities before they begin processing personal data. Companies can choose from a number of lawful bases, including freely given and informed consent from the data subjects, legal obligations, and legitimate business interests (which includes direct marketing); which one is most appropriate depends on your particular circumstances and intended activities. Under the notice and transparency principles of the GDPR, companies are obligated to inform data subjects of their processing activities, the lawful bases for that processing, and how to exercise their rights with respect to the processing activities, commonly done through direct notification and updates to the company privacy policies.

    Contracts. The GDPR now requires that whenever a controller uses a processor to process data subject to the GDPR, the controller must engage only vendors, regardless of where those vendors operate, who agree to comply with the requirements of the GDPR so long as they are processing EU/EEA personal data. These controller-processor relationships must be governed by a written agreement making clear each party’s obligations under the GDPR and must include certain terms mandated by the regulation. These obligations extend to agreements in force as of May 25, 2018, so companies need to audit their agreements to ensure that the mandatory terms are present and, if not, execute addenda as necessary to bring those contracts into compliance. These mandatory terms include, among others, that data processors:

    • Only act under the written instructions of the data controller;
    • Ensure that the employees of the processor have committed to ensuring the confidentiality of the data shared by the data controller;
    • Ensure the security of the shared personal data;
    • Only engage sub-processors with the prior approval of the data controller;
    • Assist the data controller with responding to requests from EU/EEA data subjects to exercise their rights over their own data, as well as requests from regulatory bodies to confirm compliance with the GDPR; and,
    • Keep appropriate records of the processing activities.

    Cross-border transfers of personal data subject to specific frameworks. The GDPR is also specific about how personal data may be transferred from the EU to other countries where privacy laws are less strict and protections less obvious, including the United States. The GDPR provides certain approved frameworks that are permitted to allow for legal cross-border transfers of data subject to the GDPR. Each transfer mechanism comes with its own obligations, advantages, and disadvantages, so it is important to review your organizational and technological security practices and select accordingly. Additionally, some of the mechanisms are under attack in European courts, so companies may wish to build in redundancies to ensure the on-going legality of their cross-border transfers of personal data.

    Data breach notification. Responding to data breaches is a serious matter under the GDPR. In the event of a data breach, controllers and processors are required to notify the appropriate authorities to the extent possible without undue delay and no later than 72 hours after learning of the breach. Controllers and processors must also notify the affected individuals without undue delay if the breach results in a high risk to the rights and freedoms of individuals. If a processor is breached, it is required to notify the controller of that data breach without undue delay after becoming aware of the event and with enough time to enable the controller to fulfill its 72-hour notice obligations. At minimum, the notification must include:

    • The nature of the data breach;
    • Categories and the approximate number of data subjects and personal data records concerned;
    • Contact information for the organization’s data protection officer;
    • Likely consequences of the breach; and
    • Measures the controller has taken or proposes to take to mitigate the breach.

    Where to go from here?

    The GDPR is a far-reaching regulation that touches on the business operations of companies around the world. In a global economy where multinational companies engage vendors in many countries to assist with their operations, personal data about EU/EEA data subjects can be touched by companies anywhere and regardless of whether they directly seek out European business. Downstream vendors are subject to GDPR just as much as the multinational data controllers who hire them. There are many ways that the GDPR can touch your business that may not be initially obvious, and, as the regulation begins to be enforced, more will be learned about how far its reach actually extends. As such, it is important for companies to assess their obligations under the GDPR now and act appropriately to update their operations and policies as necessary to comply.

    If your business may receive personal data from the EU/EEA, whether by directly operating in Europe, by marketing your goods or services to Europeans, or by providing services to companies who may share personal data from EU/EEA data subjects, you should carefully assess how the GDPR may impact your business. The attorneys at Protorae Law are working with many clients to assess their obligations under the GDPR and to execute the policies, procedures, and contracts necessary as businesses work toward GDPR compliance. If you would like to learn more about the GDPR and how it may affect your business, contact us.