Consumer data privacy laws are rapidly changing both in the US and abroad. Businesses must comply with the requirements set forth for collecting, using, and handling consumer data. But what does that mean, exactly?
Privacy Law – Basic Definitions
Personal Data means any information relating to an identifiable “Natural Person”—meaning a real live human. An Identifiable Natural Person is someone who can be identified, directly or indirectly, by an identifier such as a name, an identification number, location data, an email address, an online identifier like a screen name, or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Personal Data, also called “PII,” includes technical identifiers, location data, IP address, photos and other information that directly or indirectly can identify the person, regardless of context. Even business emails can be considered Personal Data. For example, Patty@email.com would be considered personal data, but email@example.com likely would not, as it is not directly tied to a Person.
Processing means “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
Europe kicks off consumer privacy law reform
On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) took effect, replacing the EU Data Protection Directive (the prior privacy law and other sporadic laws enacted by member countries).
On its face, the GDPR applies to companies that:
1. Have an establishment in the EU
2. Provide goods or services to EU residents, or
3. Monitor the behavior of EU residents.
With the way marketing works today—think Pixel tracking, retargeting, email opt-ins, heat maps, abandoned cart recovery—this means the GDPR basically applies to anyone who offers products or services to consumers in Europe—or who doesn’t exclude European consumers from their offerings.
States begin to enact privacy legislation
The US followed Europe with some state-issued privacy laws, most notably the California Consumer Privacy Act (“CCPA”). The CCPA, one of the first pieces of digital consumer data privacy legislation in the US, provides strong individual rights and protections around data access and collection. The CCPA guarantees consumers:
- “The right to know what personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt-out of the sale of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.” (Office of the Attorney General)
The CCPA applies to a “business” that:
(i) Does business in the State of California;
(ii) Collects personal information (or on behalf of which such information is collected);
(iii) Alone or jointly with others determines the purposes or means of processing of that data; and
(iv) Satisfies at least one of the following:
- Annual gross revenue in excess of $25 million;
- Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of at least 50,000 consumers, households, or devices; or
- Derives at least 50 percent of its annual revenues from selling consumers’ personal information.
In Virginia, lawmakers passed the Virginia Consumer Data Privacy Act. The VCDPA applies to for-profit entities (e.g. businesses) doing business in Virginia if they control or process personal data of 100,000 Virginia residents in a calendar year. That number drops to 25,000 if the business derives over 50% of its gross revenue from the sale of personal data. There is no revenue trigger.
Several other states have passed similar privacy laws, notably Illinois with its biometric data privacy requirements.
Why should businesses care about privacy laws?
Failure to adhere to the various state privacy laws can result in fines to the data processor and/or data controller, prosecution by the state attorney general, or a private right to sue (“cause of action”) for individuals whose privacy rights have been violated.
Businesses both large and small should look at (i) privacy policies, (ii) data retention policies, and (iii) data retrieval/deletion policies to ensure compliance with both the GDPR and US-based privacy laws. We recommend:
- Adhere to the strictest privacy law in force at the time, which helps ensure compliance with the other data privacy laws;
- Designate a team member to work with counsel on maintaining privacy compliance for new and ongoing projects;
- Regularly revisit the privacy policy for the business and its apps to ensure it discloses all third-party websites, apps, and software used to process, house, or use data (think Mailchimp, FB Pixel, etc.);
- Include a “click-to-opt-in” or “double-opt-in” feature in any email list generation or lead generation;
- Large-scale data controllers, including businesses with large email lists, apps, ecommerce websites, and businesses purchasing “mailing lists” from third parties, should be especially careful to ensure their adherence to new and changing privacy laws;
- Never “share” email lists or Personal Data with third parties unless that sharing was explicitly disclosed to the consumer at the time of data collection.
While compliance is a potentially winding road, the risk of non-compliance may be met with fines, prosecution, or lawsuits from litigious citizens. If you’d like help with your organization’s consumer data privacy compliance, please email us!