Businesses that have not yet taken steps to guard the security of customers’ data should take note: A 16-month-old law in the European Union, and one taking effect in January in California, could have a major, and potentially costly, impact on operations.
In effect since May 25, 2018, the GDPR – General Data Protection Regulation – is a wide-ranging set of rules protecting the privacy of individuals in the EU. While that’s an ocean away from New Jersey, businesses that have offices in Europe or that conduct business with Europeans still may need to follow this law. Not doing so could prove to be very expensive, as the GDPR provides for huge fines for companies that fail to protect Europeans’ data privacy. The law allows for a maximum fine of the greater of 20 million euros or 4 percent of total worldwide annual turnover. In early July, the United Kingdom’s data protection authority announced its intention to fine British Airways $228 million and Marriott International $124 million for data breaches.
“There’s a potential for very significant fines here,” says Phil Yannella, practice leader of Ballard Spahr’s Privacy and Data Security Group. Many companies worked hard last year to comply, but “there are a number of other companies that perhaps didn’t think that they were within the scope of the GDPR that have since realized that they are within the scope either because there’s been additional guidance from EU regulators or perhaps because their business plans have changed and made it clear that they’re subject to the GDPR.”
The law puts significant requirements on firms that collect data from individuals in the EU, with an eye toward preventing or at least minimizing future personal data leaks akin to the 2017 Equifax data breach that exposed information about 147 million people or, separately, multiple instances of outsiders gaining improper access to the data of hundreds of millions of Facebook users.
“The main goal is to protect people in Europe from unauthorized use of their personal information and grant them control of who has their data and how they can use it,” says Chris Mulvaney, CEO of Colts Neck-based CMDS Marketing Agency. “The way it does this is two-fold: by putting strict requirements upon businesses regarding how they handle and process consumer data and granting more control to consumers regarding who has access to their personal information and how they can use it.”
Businesses can only collect consumer data when they have a lawful basis for doing so – because an individual is a customer under a contract, or otherwise gives consent, for instance, Mulvaney says. Organizations that collect or process individuals’ personal data must inform consumers about their rights at the point of collection.
“Are they going to be selling it or sharing that data? How long are they going to hold onto that data?” says Kate Sherlock, a member of the data privacy group at Archer in Haddonfield, in explaining what a business must disclose. “One of the unique features about it (the GDPR) is it provides individuals with many rights to control their data so they can request access to it. They can request to be forgotten. They can request a record of what the company has done with their data. … It gives individuals a lot of control and power over their personal data.”
Additionally, Mulvaney notes, businesses must secure consumer personal information and report data breaches promptly: the GDPR requires a personal data breach to be reported to the supervisory authority within 72 hours of the business becoming aware of it, and to the affected individuals without undue delay where the breach is likely to result in a high risk to them.
Yannella says companies with customers in Europe are subject to the GDPR and “those customers may force a lot of GDPR requirements onto the US companies.”
“Any sort of tangential isolated connection to the EU is not enough to trigger” the law, explains Sherlock. “You would likely be subject if you’re accepting payment in euros from individuals in the EU. You’d likely be subject if you’re advertising specifically to individuals in the EU.”
Businesses that may not fall under the purview of the GDPR, and even those that do, should evaluate whether they need to comply with another new law, the California Consumer Privacy Act, or CCPA, which takes effect January 1, 2020. Sherlock calls it “GDPR light,” but says there are enough differences between the laws to prompt businesses that have already updated their policies and procedures to conform with the GDPR to do another check against the CCPA.
“It applies not only to businesses located in California, but it applies to businesses that collect information from California residents … if a business has $25 million or more in gross revenue per year,” Sherlock says. “That’s not a very high threshold. It’s not a mom and pop shop, obviously, but you know there’s going to be many businesses and corporations that are located outside of California that are subject [to it].”
Businesses may also need to comply if they annually buy, receive, sell or share the personal information of 50,000 or more California consumers, households or devices, or if they derive 50 percent or more of their annual revenue from selling consumers’ personal information.
Yannella says that the CCPA is “very broad,” with the law requiring businesses to give individuals the right to access their personal data and to erase it, like the GDPR. It does not have the significant fines that the EU law does. However, the CCPA does provide for “a private right of action for data breaches, which is going to be very attractive to plaintiffs’ lawyers in the US,” he adds.
Yannella says risk assessment is part of the compliance strategy, making sure to meet those sections of the GDPR that are most important. So a small company may not have “a huge lift” to comply.
“It tends to be looking at their privacy disclosures, making certain that they’re clear and transparent,” he says. “Making certain that they are getting consent to process data where they need those consents, making certain that their data security controls are appropriate. Those are really the main areas right now that appear to be the focus of EU regulators.”
For those businesses looking to meet CCPA requirements, Yannella says that efforts toward complying with the GDPR are a good place to start.
“It’s quite likely that you can leverage the work that you did for GDPR to come into compliance with the CCPA,” he says. “That probably won’t be enough, but it’s better than starting from scratch.”
His advice for businesses that have not gone through GDPR compliance: “You’ve got to get your arms around what data of Californians you’re collecting, what you’re doing with that data, where you’re storing it, with whom you’re sharing it, et cetera. That’s a big operational challenge for a lot of companies, because they haven’t gone through that. And there’s a whole range of actors that can help companies … and then quite often companies will do that mapping internally.”
After the mapping is completed, Yannella says a business needs to determine what its privacy disclosures should look like.
Businesses are in an awkward position, though, given that the CCPA is complex and ambiguous, amendments to it are pending and the rules for implementing it have not been written yet.
“I would recommend that companies that are concerned about the CCPA, or just data privacy in general, work with either in-house counsel to the extent that they have someone with privacy experience or external counsel to help them work through it because it’s not black and white,” Sherlock says. “You know there’s a lot of factors at issue and the company really needs to do a risk analysis to determine, ‘What is our potential risk under this law and what steps can we take to comply?’ It can be very expensive to overhaul your entire internal cybersecurity operation.”
She adds that businesses should work “with not only their internal IT and management, but perhaps an outside cybersecurity consulting firm to come up with a solution that that works for them.”
California is currently the only state with such legislation. Businesses may be able to apply the new data privacy rules only to Californians, but they might not want to, Sherlock says.
“Even if they do have that capability, do they want to?” she asks. “That could be a PR (public relations) nightmare if they’re treating this data of California residents with a higher level of security and giving them greater access and control over their data, but they’re not giving that to their other customers located in other states. What I anticipate is that companies are going to comply with the strictest requirement, which as of right now is the CCPA, and they will likely adopt that standard across the board.”
To access more business news, visit NJB News Now.