GDPR Update: Your Questions Answered About GDPR and Data Privacy

In this episode of the podcast In Process: Conversations About Businesses in the 21st Century, Trusted Counsel’s Evelyn Ashley and John Monahon speak to Michael Jones, Attorney at Trusted Counsel, whose practice specializes in privacy, compliance and technology licensing. Michael discusses the latest developments regarding the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and data privacy in the United States. This blog post and podcast continue the discussion begun in two earlier blog posts: The EU General Data Protection Regulation and The California Consumer Privacy Act.

As you probably already know, the GDPR entered into effect on May 25, 2018. By now you’ve most likely been bombarded with emails from various vendors stating that their privacy policies have been updated. What you might not know is that the driving force behind this flurry of email activity is the GDPR. A key requirement of the GDPR is that customers and other users must be notified of certain changes to privacy policies. The goal of the GDPR is to give individuals greater control over how their personal information is processed by organizations. And although the GDPR is a European Union regulation, many U.S. businesses are discovering that they may have certain obligations under the law. If you are a U.S. business providing goods or services to individuals in the EU (even through other businesses), you should conduct a thorough review of how you access, store and use your data.

“If you are quick to dismiss the GDPR due to the idea that it is an EU regulation, really think it through,” Michael says. “What’s really striking about the GDPR is its extraterritorial effect. By this I mean the idea that it protects the personal information of EU residents. A business can process, hold, maintain, and use the personal information of EU residents even if they’re not living in the EU. In other words, the individual could be located in the state of Georgia, or anywhere in the world. In this example, it applies to your business.”

About a month after the GDPR went into effect, the California Legislature passed the CCPA, which has suddenly become the gold standard for privacy legislation in the United States. It imposes requirements much like those imposed by the GDPR, but it doesn’t go into effect until January 1, 2020. As with the GDPR, you might be thinking that you’re not affected because you don’t have a business in California. But look at it this way: chances are that somewhere in your database, you’ve obtained the personal information of at least one California resident with whom you do business. And, if California just passed this legislation, could other states soon follow suit? Yes, they will.

Businesses need to prepare now, and here’s what you need to do:

  • Read our past blog posts on GDPR and CCPA (each includes detailed and important questions to ask yourself)
  • Listen to the entire conversation by clicking the audio player below
  • Identify the employees in your company who know where your data is. Get them together, put together a team and start talking about how your organization collects personal data.
  • Take good notes and document everything
  • Contact Trusted Counsel with questions. We can help you put together a compliance plan if needed. This will allow you to not only be in compliance now, but also to stay in compliance. 

During the course of the podcast, CEOs, business owners, and C-level executives will learn:

  • The difference between the GDPR and the CCPA
  • What questions businesses should be asking themselves regarding GDPR
  • Internal steps a business should take right now to become compliant
  • Legal advice for organizations that are reviewing their data privacy policies and procedures and their compliance risks
  • Commentary regarding the future of data privacy in the U.S.

Stream the conversation in the player below to learn more. You can also subscribe to In Process Podcast to receive this episode as well as future updates from the show on your smartphone. If you have any questions or comments regarding the GDPR, the CCPA, data privacy and your compliance efforts, please contact Michael Jones with Trusted Counsel. You may reach him at 404-400-3886 or email him at mjones@trusted-counsel.com.

California Enacts Groundbreaking Privacy Law

By Michael Jones, Attorney

What is the CCPA?

On June 28, 2018, the California State Legislature passed the California Consumer Privacy Act (CCPA), which imposes sweeping new requirements on companies that transact business in California. The CCPA becomes effective on January 1, 2020. The text of the CCPA can be found here.

Hard on the heels of the EU’s General Data Protection Regulation (GDPR), which became effective on May 25, 2018 and which we previously blogged about, the CCPA seeks to drive greater transparency in the way that companies collect, use, and share personal information. The CCPA defines “personal information” extraordinarily broadly as:

information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

The CCPA then goes on to list examples of personal information, including some usual suspects like social security number, driver’s license number and the like, but also some less common items, such as geolocation data, biometric information, and—most interestingly—“inferences” drawn from items of personal information: in other words, a consumer’s “profile.”

To whom does the CCPA apply? It applies to the personal information of California consumers.

The CCPA governs the collection, use and disclosure of the personal information of California residents. As of 2018, California would have the fifth-largest economy in the world if it were an independent country, and its population was recently estimated at just shy of 40 million. It is a safe assumption that many, many U.S. companies (and many non-U.S. companies) access or use the personal information of California residents, especially if they conduct business online.

Companies otherwise at risk of being subject to the CCPA are, however, not subject to the CCPA if they meet any one of the following requirements:

  • They do not have annual gross revenues of over $25 million; or
  • They do not receive the personal information of at least 50,000 California “consumers, households, or devices”; or
  • They do not earn at least half of their annual revenue from selling the personal information of California residents.

That said, a recent study by the International Association of Privacy Professionals notes that at least 500,000 U.S. companies are likely subject to the CCPA, most of which are small- to medium-sized businesses. Is your company one of them?

What does the CCPA require?

The CCPA imposes a number of obligations on companies that, until now, have been unheard of in the United States, although they will be familiar to those U.S. companies that have recently worked to become compliant with the GDPR. The most important of them are briefly described below.

Transparency

The CCPA requires that companies disclose the categories of personal information they collect and identify the types of third parties with which they share such information.

Opt-out of sale of personal information

The CCPA requires that companies provide users with the right to opt out of the sale of their personal information. To enable such opt-out right, the CCPA requires a “clear and conspicuous” link on the company’s homepage labeled “Do Not Sell My Personal Information,” in addition to a link to the company’s privacy policy.

Right to delete

The CCPA empowers California residents to request any company subject to the CCPA to delete any personal information it holds. The company that receives such a request must also instruct its service providers to delete the resident’s personal information. This right is limited to 2 requests per year and is subject to certain exceptions.

Data portability

The CCPA requires that, upon request, a company provide a California resident with any personal information collected about the resident “in a readily useable format that allows the [resident] to transmit [the] information from one entity to another entity without hindrance.”

Right to be free from discrimination

The CCPA forbids companies from charging different prices to California residents, providing different services or denying goods or services to California residents who exercise their rights under the CCPA, although there are certain exceptions to this right.

What are the penalties for non-compliance?

The CCPA allows a California resident to sue for each unauthorized disclosure of unencrypted personal information, to the tune of up to $750 for each individual disclosure.

Next steps

For those companies that thought they were exempt from the GDPR because they had no exposure to the EU, the CCPA will require them to think again and to take another look at the way they handle personal information. Here are some key questions:

  • Where does your personal information come from?
  • How do you treat that personal information in your systems?
  • What do you do with that personal information?

If you can answer these questions with clarity and specificity, you are well on your way to complying with the CCPA.

If you need assistance or have any questions, please contact us. At Trusted Counsel, we have tools and strategies to help you. Contact John Monahon at jmonahon@trustedcounsel.com or Michael Ridgway Jones at mjones@trustedcounsel.com, or call our main line at 404.898.2900 to speak with either attorney.