Data Privacy Update Part I: Domestic U.S. Businesses Can No Longer Afford to Ignore the “GDPR Effect”

Client Alerts · March 21, 2019

This alert is the first in a two-part series on GDPR’s influence in shaping U.S. domestic legislation. Here we will outline some ways that the California Consumer Privacy Act (“CCPA”) was influenced by the GDPR and will cover important steps to take now. The next issue will focus on GDPR and the CCPA’s influence on pending consumer privacy legislation in Massachusetts and Washington, new biometric privacy legislation proposed last month in Florida, and facial recognition legislation introduced in the U.S. Senate on March 18, 2019.

As cybersecurity incidents continue to dominate the headlines, states across the U.S. are becoming more active in the data protection and privacy space. Unless and until the federal government enacts a law addressing data protection and privacy, organizations must be vigilant in staying abreast of developing state laws and in identifying what new policy and operational changes should be undertaken as a result. Inspired by the European Union’s General Data Protection Regulation (GDPR), California enacted the sweeping California Consumer Privacy Act (“CCPA”) in 2018, and sister states, including Massachusetts and Washington State, are now taking note and drafting consumer privacy legislation and corresponding regulations of their own. Additionally, as of 2018, all fifty states and the U.S. territories have now enacted data breach notice laws, and many are also passing amendments that impose new data breach notice and mandatory remedy requirements on organizations.

While there are both significant and nuanced differences among the states whose new laws or pending legislation borrow themes from the GDPR and the CCPA, the fundamental principles underlying privacy and data protection remain constant. Keeping these principles in mind while striving for compliance will help organizations stay focused while charting a strategic, risk-weighted course and satisfying different regulators in the face of overlapping and sometimes conflicting regulatory demands. This approach also helps avoid frustration in a very dynamic regulatory climate.

The recently enacted CCPA creates obligations for “Businesses” [1] that collect, share, or sell consumer personal information while simultaneously granting rights to consumers. Under the law, “consumer” means a natural person who is a California resident (i.e., anyone in California for other than a temporary or transitory purpose), and the definition continues to apply to such individuals while they are temporarily outside of California; it does not require an actual consumer-business relationship; and, as the law reads, it may even include employees and contractors, all of which affects a business’ existing operations and policies. “Collection” and “personal information” are also broadly defined. Notably, “personal information” is any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” So, for example, if a business operates a website that logs the IP addresses of the devices of fifty thousand or more consumers or households, that is a collection of consumer personal information under the statute, and the business is likely required to comply with the CCPA [2].

While the CCPA does not take effect until January 1, 2020, its consumer personal data access request obligation already requires entities within its scope to begin implementing policy and operational changes now in order to be in compliance by that date. Under the CCPA, consumers have the right to request, and to obtain within forty-five days, records going back twelve months detailing the collection, sale, and/or third-party disclosure for a business purpose of their personal information, otherwise known as the “look-back” access requirement. The information must also be separated into three distinct lists, organized by category:

• consumer personal information sold by the business;
• consumer personal information disclosed for a business purpose; and
• third-parties to whom the consumer’s personal information was disclosed for a business purpose.

This means businesses will need to provide such information going back as far as January 2019. For this reason, although the CCPA enforcement date is less than a year away, working towards compliance today will significantly reduce the pressure organizations may face at the start of 2020. Please look forward to Part II of this Alert in April 2019.

As consumers’ (and politicians’) awareness increases, and data privacy and security practices become more heavily regulated, Prince Lobel Tye is drawing upon its experience helping clients navigate the changes demanded by the GDPR and U.S. domestic legislation. If you or your organization have any questions on how to tackle these developing legal duties and obligations, members of Prince Lobel’s Data Privacy and Security Practice Group are here to help. Please contact William S. Rogers, Jr., the head of the Data Privacy and Security Practice Group, at 617.456.8112 or wsrogers@princelobel.com.

Special thanks to our Data Privacy Group intern, Miranda Jang, for her help in preparing this alert.
_______________________________________________________________________________________________________________

[1] Under the law, a “business” is a legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, determines (alone or jointly with others) the purposes and means of the processing of that personal information, does business in California (which, under California law, has broad application), and satisfies one or more of the following thresholds:

  • Has annual gross revenues in excess of $25,000,000;
  • Alone or in combination, annually buys, receives for the business’ commercial purposes, sells (a term broadened under the new law), or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices; or
  • Derives 50% or more of its annual revenues from selling consumers’ personal information.

[2] Notably, and indicative of the frustrations of dealing with contradictory and ambiguous language throughout the CCPA, the law is unclear whether this 50,000 threshold counts only California consumers, households, and devices, or whether it applies to the business’ reach generally. This is but one of many aspects of the law for which organizations are requesting clarifying amendments and/or regulations.