(Data) Privacy, Please!

July 3, 2018

The European Union made headlines back in May this year when it enacted its General Data Protection Regulation (“GDPR”). GDPR was enacted to regulate data privacy for all individuals within the European Union. It overhauls the 1995 Data Protection Directive and replaces it with stronger protections. These rules and regulations would affect many companies, such as Google and Facebook, that rely on gathering and selling user data and online advertisements. So, the GDPR can potentially change a lot of online habits.

Broadly speaking, GDPR provides individuals with greater control over, access to, and understanding of the information collected on them, provides for higher penalties, and sets guidelines for companies that conduct data processing. The GDPR creates and strengthens many rights for users, such as the right to transparent information, right of access, right to rectification, right to erasure, right to restriction of processing, obligation to notify recipients, right to data portability, right to object, and automated decision making and profiling rights as well.

These rights revolve around the processing of personal data or sensitive personal data. “Personal data” is defined as any data that is identified or identifiable to a natural person. This definition is broader than just a name or driver's license number; GDPR’s “personal data” would encompass any information that can identify the data subject, including location, mobile device, and a user’s internet protocol address. Moreover, GDPR defines “sensitive personal data” to be data that can reveal racial or ethnic origin, political opinions, religion, and organizational membership, as well as genetic, biometric, and health data. Sensitive personal data has even higher restrictions than just personal data. In addition, GDPR expands the definition of data “processed” to mean:

any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Any company or business that processes personal or sensitive personal data of individuals in the European Union will need to abide by GDPR’s guidelines or risk penalties. Penalties can vary depending on the nature of the violation. Penalties can range from 10 million Euros or two percent of a company’s worldwide revenue to an even higher 20 million Euros or four percent of global revenue.

It was only a matter of time until data privacy guidelines would reach stateside. This past week, California became the first state to enact stronger consumer data privacy laws in the nation with the passing of the California Consumer Privacy Act (“CCPA”). While it is not as stringent as the GDPR framework, it creates a template for other jurisdictions to follow.

The CCPA builds upon the right of privacy enumerated in Article 1 § 1 of the State’s Constitution, the Online Privacy Protection Act, the Privacy Rights for California Minors in the Digital World Act, and the Shine the Light laws. Specifically, Section 1 of the Constitution reads:

All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.

Building upon those previous privacy laws, California’s Legislature ensured five rights in the CCPA:

  1. The right of Californians to know what personal information is being collected about them.
  2. The right of Californians to know whether their personal information is sold or disclosed and to whom.
  3. The right of Californians to say no to the sale of personal information.
  4. The right of Californians to access their personal information.
  5. The right of Californians to equal service and price, even if they exercise their privacy rights.

The CCPA does not use “personal data” as a term but rather “personal information,” which is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This definition also encompasses certain biometric, educational, professional or employment, commercial, audio, electronic, visual, thermal, olfactory or similar information. Health information is also protected but under existing Federal and other State laws. The CCPA does mention that any information that is publicly available is not personal information. In addition, the CCPA defines “processing” as “any operation or set of operations that are performed on personal data or on sets of personal data.”

The CCPA applies to any business that owns or operates a commercial website or online service that collects personal information from a consumer residing in California. To fall under the CCPA regulatory framework, the business must either (1) have an annual gross revenue exceeding $25 million, (2) collect, buy, receive, or sell personal information of 50,000 or more consumers, households, or devices, or (3) derive 50% or more of its annual revenues from selling consumer personal information. The business collecting the information must notify the consumer of the type of information to be collected and the purpose of collection and possible uses, delete personal information at the request of the consumer, and notify the consumer about the potential sale of information.

While the CCPA is not as stringent and exhaustive as the GDPR, it is sufficiently more expansive than any legislation enacted by any other US State. Because the internet is so amorphous and California is a populous state, the CCPA could potentially affect a lot of businesses around the country, big or small. Such is the nature of the internet. While the implications and effects of such data privacy laws will play out in the years ahead, it seems data privacy has landed ashore.

The CCPA will go into effect on January 1, 2020.

Image Source: REUTERS/Kacper Pempel
