Ad Law Access
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access
Updates on advertising law and privacy law trends, issues, and developments
Fri, 10 May 2024 18:44:59 -0400

Out with the Old, In with the New SCCs
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/out-with-the-old-in-with-the-new-sccs
Wed, 29 Sep 2021 14:38:53 -0400

As of September 27, 2021, the European Commission requires controllers and processors to rely on the recently updated Standard Contractual Clauses (SCCs) for any new contracts governing personal data transfers from the EEA. (Existing contracts can continue to use old SCCs until December 27, 2022.) This post provides an overview of what’s in the new SCCs and how they compare to the old clauses they replace.

The Need for New Standard Clauses. Like the old SCCs, the new SCCs are model data transfer provisions designed to provide an “adequate” level of data protection in countries that have not received an adequacy determination (“third countries”).

A lot has changed, however, since the European Commission developed the old SCCs, and they were due for an update. The old SCCs were based on the GDPR’s predecessor, the Data Protection Directive 95/46/EC, and came in two sets: one for controller-to-controller transfers (issued in 2001) and one for controller-to-processor transfers (issued in 2010). They did not cover processor-to-processor or processor-to-controller transfers, and they offered limited choices for governing law and venue to resolve disputes, among other limitations.

In the intervening years, data transfers have increased in complexity and volume. The GDPR imposes its more comprehensive obligations on controllers and processors. And the Schrems II decision, which invalidated the EU-US Privacy Shield, requires analysis of surveillance practices and other conditions in third countries such as the United States.

Key Changes. The new SCCs apply to a more complete range of data relationships and are divided into four different modules:

  • (Module 1) controller to controller;
  • (Module 2) controller to processor;
  • (Module 3) processor to sub-processor; and,
  • (Module 4) processor to controller.

These modules are covered by a single set of SCCs (unlike the old SCCs, which were issued in two separate decisions, a source of much confusion).

The new SCCs more closely mirror the GDPR’s requirements and address important issues raised in the Schrems II ruling. Schrems II focused on the potential harm to EEA data subjects whose information was transferred outside of the EEA and could be accessed by third-country authorities in bulk and without sufficient safeguards. The European Commission included several contractual terms in the new SCCs to address these concerns, such as:

  • Clause 14: Parties provide contractual warranties regarding protections for personal data in cases of access by authorities;
  • Clause 15: Data importer agrees to further obligations in cases of a request for disclosure by authorities, including to notify the data exporter, review the legality of the request for disclosure, appeal if the request is unlawful under international law, and provide the minimum information possible to a request;
  • Annex II: SCCs provide an opportunity to list all supplemental technical and organizational measures used to protect personal data.

What About the UK? It is important to note—since the UK recently left the EU and the transition period for its withdrawal expired at the end of 2020—the SCCs do not automatically apply to the UK GDPR. However, the Schrems II decision does apply to UK law because it was handed down in 2020 during the Brexit transition period. The UK Information Commissioner’s Office (ICO) is expected to come out with guidance in the coming months for revisions to the SCCs under the UK GDPR that incorporate the Schrems II provisions.

Practical Impact. Any contracts that were finalized prior to September 27, 2021 can continue to rely on the old SCCs until December 27, 2022 as long as the data processing obligations remain unchanged.

It would be worthwhile for data importers to take stock of their data collection practices and review their responsibilities under the new SCCs. This is a good time for companies to determine whether their DPAs have terms that are inconsistent with the new SCCs and, if they do, to resolve those inconsistencies. For companies that have global DPAs, an SCC-driven review presents a good opportunity to update the DPA to account for new contract requirements from the CPRA, VCDPA, and ColoPA. For example, the CPRA requires third party contracts to include provisions limiting personal information sales to specified purposes. Both VCDPA and ColoPA require controllers to have contracts with specific instructions on how the processors must process data such as the type and duration of processing.

EU Court of Justice Strikes Down Privacy Shield; SCCs Safe for Now
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/eu-court-of-justice-strikes-down-privacy-shield-sccs-safe-for-now
Thu, 16 Jul 2020 22:18:04 -0400

On July 16, the European Court of Justice (CJEU) issued a highly-anticipated decision evaluating the validity of two popular mechanisms for transferring personal data from the EU to the United States: Privacy Shield and Standard Contractual Clauses (SCCs). The Court struck down Privacy Shield, but upheld the validity of SCCs – although not without providing a reminder about company responsibilities when implementing them.

As brief background, the EU General Data Protection Regulation (GDPR) requires that businesses have in place mechanisms that ensure an adequate level of protection for EU data subject personal data transferred to the United States. Until July 16, the available transfer mechanisms were Privacy Shield, SCCs, and Binding Corporate Rules. This case arose from a complaint, filed by Austrian privacy activist Max Schrems, with the Irish Data Protection Commission (DPC). Schrems alleged that the transfer of EU personal data to the U.S. via SCCs did not ensure an adequate level of protection (and therefore violated EU data subject rights) because U.S. law enforcement and government agencies were provided essentially unrestricted access to that data. The DPC then referred to the CJEU 11 questions about whether SCCs and Privacy Shield violate EU data subject rights, including the rights to the protection of personal data, under the Charter of Fundamental Rights of the EU.

Schrems had followed the same process in 2015, and in that decision, the CJEU agreed with Schrems, holding that the data transfer framework that existed at that time (Safe Harbor) did not provide protection equivalent to that afforded within the EU, and therefore did not meet the adequacy standards for international transfers. As a result, the EU Commission agreed to replace Safe Harbor with Privacy Shield, which currently has over 5,000 participants. Most companies, including Facebook, switched to SCCs after that decision.

As the CJEU explains in the decision issued on July 16, although Privacy Shield provides an adequate level of protection for data transferred thereunder, it allows derogation from those protections “to the extent necessary to meet national security, public interest, or law enforcement requirements” and therefore “cannot ensure a level of protection essentially equivalent to that guaranteed by the EU Charter [of Fundamental Rights].” As a result, Privacy Shield is invalid, effective immediately. The CJEU upheld SCCs as a valid transfer mechanism, but reiterated that companies cannot simply sign the SCCs and be done with them. Rather, they have an obligation to ensure that their privacy and security practices are in compliance with the requirements within the SCCs, and should therefore be sensitive to sharing any EU personal data with U.S. law enforcement and government agencies.

An appeal is possible, and could result in a different outcome, but Schrems is pleased with the CJEU decision. In the meantime, please reach out for any assistance implementing, or confirming that your practices are in compliance with, SCCs.

The U.S. Approach to Privacy: What Is It, and Where Is It Headed?
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/the-u-s-approach-to-privacy-what-is-it-and-where-is-it-headed
Tue, 28 Jan 2020 00:12:21 -0500

As we mark Data Privacy Day, today is a good time to take stock of where U.S. privacy legislation stands in relation to the developments of the past few years. In less than two years, the GDPR and the CCPA became the most comprehensive privacy laws in effect, granting individuals extensive rights over their information, creating numerous accountability requirements, and giving authorities the power to impose potentially massive fines. (For more information on the GDPR, see our blog posts, including those here and here.)

The CCPA ignited a debate about whether it rejects or maintains the “American approach” to privacy. Some observers panned the CCPA for departing from the “American approach” of “largely permissionless innovation with a post hoc regulatory response to concrete [privacy] harms.” Others criticized the CCPA for generally allowing personal data collection and use unless prohibited by a “specific legal rule.”

This debate is unlikely to be resolved soon or conclusively, but it is clear that at the federal and state levels, U.S. data privacy laws are likely to expand. While some states – including Washington and Virginia – are considering GDPR-influenced comprehensive bills, states also continue to consider and add laws that address specific data practices, which could cause further fragmentation in U.S. privacy laws and additional compliance challenges for companies.

How should companies manage the uncertain path that privacy legislation is following in the U.S.? Taking a comprehensive, holistic look at an organization’s data practices is often key to complying with current requirements (such as the CCPA) and also is likely to be an effective way to manage disparate state laws as they develop.

Toward Comprehensive State Privacy Laws

The GDPR has had an important impact on global privacy laws. Argentina, Brazil, Malaysia, and Uruguay, among others, have adopted privacy laws modeled after the GDPR. The CCPA includes several GDPR elements, such as the rights to access and to deletion, though significant differences remain. (For a more granular look at how the GDPR and CCPA compare, see our comparison chart here.) In addition, Washington state legislators are currently pushing for a Washington Privacy Act (SB 6281), a new regulation governing data privacy and facial recognition. The bill explicitly references the GDPR, stating, “The European Union recently updated its privacy law through the passage and implementation of the general data protection regulation, affording its residents the strongest privacy protections in the world. Washington residents deserve to enjoy the same level of robust privacy safeguards” (emphasis added). Virginia similarly is considering privacy legislation that would give consumers the right to access their data and determine if it has been sold to a data broker (HB 473). Virginia’s bill would generally track the GDPR consumer rights, including the rights to access, correction, erasure, and the right to opt-out of further processing.

The Differences: An Example

Other aspects of the “American approach” to privacy are holding fast against the movement toward comprehensive laws. Biometric privacy exemplifies the differing approaches of the EU and U.S. In the EU, biometric data falls under the GDPR as a "special category of personal data," and companies must not process this data unless they obtain explicit consent, or the processing meets other stringent grounds for lawful processing that apply across all EU member states. Also as part of the GDPR, any unauthorized access to or acquisition of biometric data that constitutes a data breach must be reported to the relevant authority within 72 hours.

In the United States, biometric privacy is a state law issue (for now), complemented by a handful of enforcement orders that address biometric data. Only three states have relevant laws on point – Illinois, Washington, and Texas – and the scope of and requirements under these laws vary considerably. For example, biometric information may trigger data breach notification obligations if it is compromised, but whether the obligations are triggered will vary from state to state. An important distinction also lies in enforcement capabilities – Illinois’s biometric law has a private right of action, whereas the Texas and Washington laws do not. Additionally, laws such as HIPAA and Title VII may provide additional protections in some situations.

Outside of the U.S. and EU, countries are following Europe’s lead. Very few countries have specific laws that govern biometric data, and instead include this data under a national law, which often contains informed consent requirements and data subject rights. While questions remain about how protective this approach is where biometric data is concerned, very few countries are addressing these questions through laws that apply to sectors or territories.

The Implications: A Conversation

While the EU approach to privacy seems to be winning globally, U.S. policymakers are not ignoring more targeted requirements that address specific data practices. However, this piecemeal approach could also cause confusion, complexity, and expense. For example, the CCPA’s “Do Not Sell My Personal Information” requirement could quickly become impractical if states were to adopt different definitions of “selling” personal information.

Members of Congress who are considering a federal privacy bill have the chance to decide how much of the U.S. approach and how much the EU approach to put into any comprehensive federal law protecting personal information, as well as whether to include preemption and a private right of action. We will be watching closely to see how they decide.

At bottom, this is just the beginning for data privacy laws. Consumer data rights, governance and accountability requirements, and regulatory structures will surely evolve and likely expand. For companies attempting to build some future-proofing into their privacy programs, taking the time to understand their data practices, what types of personal information they collect and maintain, where it is, why and how long they need it, and whether the personal information is sufficiently protected against compromise will open up more options for business strategies and allow them to manage enterprise risk more efficiently in response to the changing legal landscape.

The Last Decade’s Top Ad Law Access Reads
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/2010s-top-ad-law-access-reads
Thu, 02 Jan 2020 12:05:25 -0500

In the 2010s, Kelley Drye’s Ad Law Access blog posted approximately 1500 entries. Below are the most popular by year. To give you a sense of beginning to end, the first post came one month after Apple announced the iPad and the last just days before the first all-female spacewalk by astronauts Christina Koch and Jessica Meir:

Wishing you a happy new year and decade. We hope you will continue following the Ad Law Access blog and podcast in 2020 and into the next decade.

2019 Selected Top Ad Law Access Reads and Listens
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/8090
Wed, 01 Jan 2020 11:00:57 -0500

In 2019, Ad Law Access published 124 stories on a wide range of topics. However, two topics stood out above the others:

  • California Consumer Privacy Act (CCPA): CCPA was far and away the most popular topic of 2019 and, as mentioned in one of our last posts of the year, “businesses and privacy professionals would do well to catch their breath over the holiday season. Next year is going to need focus and investment to reach the [CCPA] finish line (which, yes, will continue to move because this is privacy law, after all).” Here are a few CCPA related posts you may want to read if you haven’t already:
Stay tuned for more installments of the “Section 13 (b)log.”

Other posts that resonated with readers:

Stay tuned to Ad Law Access in 2020 for more updates on these issues and other advertising and privacy law issues. Subscribe to our Ad Law News and Views newsletter and other Kelley Drye publications here to receive email communications tailored to your interests.

AD LAW ACCESS PODCAST

2019 also saw the launch of the Ad Law Access podcast. Top episodes included:

You can find the Ad Law Access podcast and other Kelley Drye podcasts wherever you get your podcasts.

Europe’s Supreme Court Places Limits on the Right To Be Forgotten
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/europes-supreme-court-places-limits-on-the-right-to-be-forgotten
Tue, 24 Sep 2019 16:02:01 -0400

On Tuesday, September 24, 2019, the European Court of Justice issued two rulings that further defined the right to be forgotten under European laws. The right to be forgotten, also known as the right to erasure, is a fundamental tenet of the General Data Protection Regulation (GDPR). The right allows, among other things, consumers to object to the processing of their data and request erasure. Both cases decided on Tuesday involved Google, which has reportedly received requests to remove more than 3 million links pursuant to this right.

Geographic Limitations

The first case decided on Tuesday arose in 2016 after France’s privacy watchdog CNIL fined Google for refusing to de-list links globally upon request. As a policy, Google only deletes links within the European Union, stating that most searches occur on country-specific sites such as Google.fr. Google and its supporters argued that individuals should not be able to determine what information appears about them in other countries. The European Court of Justice agreed with Google, finding that the right to be forgotten cannot be enforced outside of the European Union.

Sensitive Information

In the second ruling of the day, the Court found that certain categories of data deserve special consideration from businesses when they receive a right to be forgotten request. The case was brought by individuals whose requests to remove links were denied by Google. The Court gave a mixed ruling, acknowledging that privacy considerations must be weighed against the public’s right to know, but stating that businesses should give careful consideration to requests to remove certain categories. These categories include, for example, religion, political belief, sex life and past criminal convictions. It is not yet clear how Google and other businesses will interpret and implement this decision.

***

These cases are a notable development in defining the broad rights given to European data subjects. In each case, the Court must balance individual privacy rights with the public’s right to information. While the privacy laws are different in the United States, some of these GDPR interpretations may well serve as examples for how practitioners will evaluate and apply analogous provisions under the California’s Consumer Privacy Act (CCPA) and other U.S. privacy laws. We will continue to track these developments. For information on the GDPR and recent enforcement please see additional articles here and here, or contact Alysa Hutnik.

The Ad Law Access Podcast Now Available in Apple Podcasts
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/the-ad-law-access-podcast-now-available-in-itunes
Wed, 22 May 2019 11:47:44 -0400

Kelley Drye & Warren LLP announced the launch of the Ad Law Access podcast – a new podcast from its advertising law and privacy law groups. Hosted by Kelley Drye attorneys, including Christie Grymes Thompson, Alysa Hutnik, John Villafranco, Gonzalo Mon, and Kristi Wolff, the podcast provides updates on advertising and policy law trends, issues, and developments.

“Our goal is to provide listeners with high-level, insightful analysis on the major issues in consumer protection law as they develop,” said Christie Thompson, chair of the advertising and marketing practice. “We have structured these as shorter episodes – perfect for a morning or evening commute or lunch break – to give people digestible information that they can easily apply.”

Currently, listeners can find the following episodes:

The Ad Law Access podcast is available now through Apple Podcasts, Spotify, Google Podcasts, SoundCloud, and through other podcast providers.

For additional information, visit:

Ad Law Access Podcast

GDPR Recap: Technical Violations Result in Steep Fines, In Latest Enforcement Actions
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/gdpr-recap-technical-violations-result-in-steep-fines-in-latest-enforcement-actions
Wed, 03 Apr 2019 21:20:18 -0400

The Danish and Polish data protection authorities issued their first GDPR fines last month. The cases serve as indicators of the kinds of technical violations enforcement officials are looking to deter as they police the EU’s new privacy regulation.

In Denmark, Datatilsynet recommended fining the taxi company Taxa 4x35 nearly $180,000 for failing to delete records on 9 million taxi rides after they were no longer needed. Article 5 of the GDPR discourages companies from holding on to data that they no longer need: “personal data shall be … adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’); …” and “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed … (‘storage limitation’).”

In Taxa 4x35’s case, the company allegedly sought to comply with Article 5 by anonymizing its data after two years. In practice, the company only removed customer names from its database, keeping other data points such as customer phone numbers and ride histories for five years for purposes of business analytics.

The Datatilsynet said this procedure was insufficient. The data protection authority found that phone numbers still permit identification of a data subject, meaning that Taxa 4x35 did not properly anonymize its records. Furthermore, the Datatilsynet rejected Taxa 4x35’s explanation that its technical systems did not allow preservation of ride history data without an associated phone number. “One cannot set a deletion deadline, which is three years longer than necessary, simply because the company’s system makes it difficult to comply with the rules in the Data Protection Regulation,” the data protection authority wrote.

Meanwhile, Poland’s Personal Data Protection Office (UODO) fined digital marketing company Bisnode €220,000 for failing to notify 6 million people about its data scraping activities. The UODO said that Bisnode was required to notify data subjects that it was pulling their publicly-available personal data from public sources in accordance with Article 14 of the GDPR, which mandates notice to data subjects where personal data was not obtained from the data subject.

UODO noted that of the data subjects Bisnode did notify, 13 percent objected to the data processing. “This shows how important it is to properly fulfill the information obligations in order to exercise the rights we are entitled to in accordance with the GDPR,” UODO wrote.

In response to UODO’s inquiries, Bisnode pointed to a notice it had posted on its website, apparently explaining to UODO it would be far too costly to notify data subjects directly. UODO rejected such an approach: “[w]hile having the contact data to particular persons, the controller should have fulfilled the information obligation in relation to them,” UODO wrote in a press release.

These actions by the Danish and Polish authorities are just the latest in an increasing number of GDPR-related enforcement actions so far in 2019.

C’est la vie? French Regulator Fines Google Nearly $57 million for GDPR Non-compliance
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/cest-la-vie-french-regulator-fines-google-nearly-57-million-for-gdpr-non-compliance
Fri, 25 Jan 2019 12:08:30 -0500

On Monday, France’s Data Protection Agency announced that it levied a €50 million ($56.8 million) fine against Google for violating the EU’s new General Data Protection Regulation (GDPR). The precedent-setting fine by the Commission Nationale de l'Informatique et des Libertés (“CNIL”) is the highest yet imposed since the new law took effect in May 2018.

How Does Google Violate GDPR, According to CNIL?

  • Lack of Transparency: GDPR Articles 12-13 require a data controller to provide data subjects with transparent, intelligible, and easily accessible information relating to the scope and purpose of the personal data processing, and the lawful basis for such processing. CNIL asserts that Google fails to meet the required level of transparency based on the following:
    • Information is not intelligible: Google’s description of its personal data processing and associated personal data categories is “too generic and vague.”
    • Information is not easily accessible: Data subjects must access multiple Google documents or pages and take a number of distinct actions (“5 or 6”) to obtain complete information on the personal data that Google collects for personalization purposes and geo-tracking.
    • Lawful basis for processing is unclear: Data subjects may mistakenly view the legal basis for processing by Google as legitimate interests (that does not require consent) rather than individual consent.
    • Data retention period is not specified: Google fails to provide information on the period that it retains certain personal data.
  • Invalid Consent: Per GDPR Articles 5-7, a data controller relying on consent as the lawful basis for processing of personal data must be able to demonstrate that consent by a data subject is informed, specified, and unambiguous. CNIL claims that Google fails to capture valid consent from data subjects as follows:
    • Consent is not “informed”: Google’s data processing description for its advertising personalization services is diluted across several documents and does not clearly describe the scope of processing across multiple Google services, the amount of data processed, and the manner in which the data is combined.
    • Consent is not unambiguous: Consent for advertising personalization appears as pre-checked boxes.
    • Consent is not specific: Consent across all Google services is captured via consent to the Google Terms of Services and Privacy Policy rather than a user providing distinct consent for each Google personal data use case.

What Does This Mean for Other Companies?

While Google’s size, market power, and diversity of offerings (and associated scope of data collection) places it in a somewhat unique position within the online ecosystem, CNIL’s action nevertheless offers several practical takeaways for all companies that may be re-assessing their GDPR compliance status in light of this action:

  • Don’t Hide the Ball: Make a concerted effort to ensure that privacy disclosures are clear, easily discernible to consumers, and contain a plain-language description of the categories of personal data that you collect, and the purposes for which you collect it.
  • Minimize Clicks: To avoid EU regulator scrutiny, reduce the number of clicks required for a consumer to determine the scope of personal data collection relating to your service.
  • Be Upfront on the Legal Basis for Processing: Explicitly state within your privacy notice your lawful basis for the intended data processing. If you are relying on consent, and your business intends to use the collected data for different purposes, ensure that the consumer has a reasonable opportunity to provide consent for each specific purpose (and avoid pre-checked boxes!).
  • Sweat the Details: the CNIL action shows that regulators are taking a comprehensive look at how companies are complying with GDPR requirements, including ensuring that consumers understand how long a controller may retain their personal data. Take a checklist approach to GDPR compliance to ensure your privacy disclosures satisfy all requirements.

This week’s action against Google is certainly only the first major enforcement action in what promises to be a year that tests the impact and reach of the GDPR. Illustrating that point, just last week, the group None of Your Business, one of two groups that initiated CNIL’s investigation into Google, brought yet another lawsuit accusing Netflix, YouTube, Amazon, Apple, and Spotify of failing to comply with GDPR-mandated access requests.

No Post-Brexit Arrangement on Data Protection Will Affect UK-EU Trade
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/no-post-brexit-arrangement-on-data-protection-will-affect-uk-eu-trade
Tue, 31 Jul 2018 14:13:32 -0400

The European Union (EU) is preparing to treat the United Kingdom (UK) as a third country after its withdrawal from the bloc, commonly known as Brexit. Unless a deal is agreed before 29 March 2019, the UK’s trade with the EU will be heavily impacted by regulatory restrictions, increased costs, and lengthier procedures applicable to the movements of people, goods and services. Less obvious is the impact on trade of the “no deal” scenario from potentially restricted data flows. With only eight months left until Brexit Day, the UK and EU have yet to start talks on a data protection agreement.

Data flows play an increasingly important part in international trade and are estimated to contribute up to 2.8 trillion USD to the world economy. In 2016 alone, EU services reliant on data exported to the UK, such as finance, telecoms and entertainment, were worth approximately 36 billion EUR. Data flows from the UK to the EU constitute as much as three-quarters of all data from the UK. Under the EU’s General Data Protection Regulation (GDPR), however, personal data included in such data flows must be protected. For companies, this can include employee data (e.g. payroll information, biographical information, etc.) and customer data (e.g., contact information, transaction information, biographical information, social media profiles, etc.). Data flows from the EU to a third country are permitted if there is an adequacy decision by the European Commission that the third country’s data protection laws are adequate to meet the objectives of the GDPR or through another adequacy mechanism approved by the European Commission (e.g., EU-approved Binding Corporate Rules, use of Standard Contractual Clauses, etc.).

The UK, however, is of the view that its historic relationship with the bloc and current regulatory alignment places it in a different position than other third countries vis-à-vis the EU. The UK recently published a position paper outlining its proposal for a data agreement that goes beyond the unilateral EU adequacy decision. Instead, the UK seeks a legally binding agreement to allow for EU-UK data flows that cannot be changed unilaterally by the EU. According to the UK, such an agreement would provide greater legal certainty, stability and transparency, as well as reduced costs and more efficient processes, for both UK and EU businesses.

While the UK strives for special treatment, time may be too short to achieve a bespoke agreement, even if the EU was willing to treat the UK differently than other third countries. Further, even a standard adequacy decision may be difficult to obtain by the time the UK exits the EU. Once it is no longer part of the EU, Brussels can demand higher protection of personal data held by government agencies, including intelligence agencies, which are excluded from EU data protection requirements while the UK is part of the bloc. The same issues arising from a conflict between expectations for the protection of personal data and security interests as were seen during the negotiation of the EU – U.S. Privacy Shield (adequacy mechanism) may surface once data protection negotiations or the procedure to determine the adequacy of UK data protection laws begins. In the absence of an agreement or adequacy decision, companies trading in the EU27 (the EU minus the UK) that rely on personal data being stored, managed or processed in the UK will have to provide appropriate legal safeguards to continue those operations. For example, a German-based business using a UK cloud provider for accounting information would have to implement an appropriate data transfer mechanism for the data-sharing to satisfy the adequacy requirement under GDPR. Even the flows of personal data within the same company (or group of companies) from the EU to the UK would be subject to this requirement for an appropriate data transfer mechanism. Given the current uncertainties in the Brexit negotiations, companies urgently need to ensure they have legal mechanisms in place to allow for the continuing data flows necessary to support their international trade and business operations.

This post was originally published on Trade and Manufacturing Monitor.

Big Government? FTC Advocates for More Authority in Congressional Hearing https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/big-government-ftc-advocates-for-more-authority-in-congressional-hearing https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/big-government-ftc-advocates-for-more-authority-in-congressional-hearing Mon, 23 Jul 2018 13:51:02 -0400 Last week, the House Committee on Energy and Commerce held a Committee Hearing on the Oversight of the Federal Trade Commission. All five Commissioners attended and their message was largely the same: the FTC needs additional rulemaking and civil penalty authority to better protect consumers, especially as it applies to privacy and data security enforcement.

Privacy and data security were a focus of the Chairman’s opening statements, during which he noted that both were a top priority for the agency. Chairman Simons also discussed the need for the FTC to have jurisdiction over nonprofits and common carriers, imploring Congress to pass legislation giving the agency such authority, along with comprehensive data security legislation. Simons noted that the FTC was watching and assessing the EU’s implementation of its comprehensive privacy law, the General Data Protection Regulation (GDPR), to see how it may apply to the U.S., and he reaffirmed enforcement of the EU-U.S. Privacy Shield, which the FTC has enforced in the past.

Chairman Simons also referenced the hearings that the Commission will be holding in the fall, emphasizing that he anticipated the agency would benefit from participant input on a number of topics—from merger guidelines to privacy and data security. Simons, a former student of Chairman Pitofsky, noted that the agency held similar hearings during the Pitofsky era that resulted in agency action, such as amendments to the merger guidelines. The Chairman noted that he wanted this year’s hearings to be similarly effective in setting the agency’s future agenda.

The Commission’s lack of civil penalty authority was a common theme throughout the hearing, especially with members of Congress questioning the number of large-scale data breaches that have occurred in the past few years. Although the Commissioners did not speak on the current Facebook or Equifax cases, Chairman Simons articulated his view that civil penalty authority would be an effective deterrent to ensure that companies take data privacy and security seriously. As it stands, the FTC can only impose financial penalties on defendants or respondents who violate a specific rule, or an existing order (absent violation of a rule that includes civil penalty authority, such as the Children’s Online Privacy Protection Act (COPPA) or the Fair Credit Reporting Act (FCRA)). The FTC can impose equitable monetary awards based on measurable financial harm, such as consumer harm or ill-gotten profits, but measuring the financial impact of incidents such as data breaches is difficult. The other Commissioners echoed Chairman Simons regarding the FTC’s need for specific civil penalty authority.

Four of the five Commissioners also advocated for general rulemaking authority under the Administrative Procedure Act (APA), with Commissioner Phillips noting that he had yet to make a decision about the issue. Although the agency can promulgate rules under the Magnuson-Moss Act, it is a much more burdensome and difficult process than under the APA, which most other agencies can employ. Commissioner Chopra emphasized that specific rules would aid in the Commission’s enforcement goals. He also noted his support for the passage of specific data privacy legislation, explaining that although the EU and California have taken steps to develop their own privacy laws, the U.S. should be leading the way. In this same vein, Representative Janice Schakowsky of Illinois offered that she has introduced the Secure and Protect Americans’ Data Act, which would give the FTC both rulemaking and civil penalty authority regarding data breach notification. All of the Commissioners, except Commissioner Phillips regarding rulemaking, voiced approval for such authority.

Although privacy and data security were popular topics for the day, the Commissioners did speak on other topics, such as the lack of competition in the pharmaceutical market, robocalls, general antitrust matters, and the U.S. Safe Web Act (which Commissioner Phillips noted has a sunset provision for 2020). Still, it was clear that both Congress and the Commission have privacy and data security at the forefront of their agendas, which may mean that we will see more action on both the legislative and regulatory fronts in the near future.

GDPR Sidebar: Comparing the California Consumer Privacy Act to the GDPR https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/gdpr-sidebar-comparing-the-california-consumer-privacy-act-to-the-gdpr https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/gdpr-sidebar-comparing-the-california-consumer-privacy-act-to-the-gdpr Fri, 13 Jul 2018 12:01:29 -0400 California recently passed the California Consumer Privacy Act (CCPA), providing new rights for California consumers (broadly defined as California residents) regarding their personal data. The CCPA is modeled after the EU’s General Data Protection Regulation (GDPR), which provides EU citizens with a number of rights related to data processing and imposes specific requirements on companies that process EU citizen data. The new California law provides similar requirements for businesses that collect data from California consumers. The following are some key points of comparison.
What is personal data/information?
  • GDPR: Broadly defined as “any information relating to an identified or identifiable natural person.”
  • CCPA: Includes standard identifiers, but also includes less conventional categories, such as biometric data, Internet activity, education information, and commercial information. It does not include publicly-available information.

What is data processing?
  • GDPR: Any operations performed on personal data, automated or otherwise.
  • CCPA: Any operations performed on personal data, automated or otherwise.

Whose information is protected?
  • GDPR: Natural persons (also known as data subjects) in the European Union who can be identified, directly or indirectly, by reference to an identifier.
  • CCPA: Consumers, which are natural persons who are California residents.

Who must comply?
  • GDPR: “Controllers” (who determine “the purposes and means of processing the data”) and “processors” (who process personal data for the controller) that process personal data of data subjects within the European Union, regardless of whether the processing takes place in the Union.
  • CCPA: Businesses that collect consumers’ personal information, or authorize another to collect it on their behalf, and either (1) have annual gross revenues of more than $25 million; (2) annually buy, receive, sell, or share, for commercial purposes, information from at least 50,000 consumers, households, or devices; or (3) derive at least 50% of their annual revenues from selling consumers’ personal information.

When can data be processed?
  • GDPR: When there is a specific lawful basis, including: consent, performance of a contract, to protect a person’s vital interests, for the public interest, or legitimate interests of the controller or a third party.
  • CCPA: The Act does not enumerate specific bases for processing, although the sale of consumer information is prohibited if a consumer has opted out.

What rights do data subjects have?
  • GDPR:
    • (1) Right to be informed of data processing practices.
    • (2) Right to access personal data and other information about processing.
    • (3) Right to rectification.
    • (4) Right to be forgotten.
    • (5) Right to restrict processing.
    • (6) Right to data portability.
    • (7) Right to object to processing.
    • (8) Right not to be subject to a decision based solely on automated processing.
  • CCPA:
    • (1) Right to be informed of the types of information collected and the purposes for collection.
    • (2) Right to access the categories, sources, and specific pieces of information collected, the purposes for data collection, and third parties with whom the data has been shared.
    • (3) Right to request deletion of personal information.
    • (4) Right to opt out of the sale of a consumer’s personal information.

How do the laws apply to children’s data?
  • GDPR: Processing children’s data is lawful if the child is at least 16; otherwise parental consent is required. However, EU member states may lower the age requiring parental consent to no younger than 13.
  • CCPA: Businesses cannot knowingly sell data of consumers younger than 16 unless the consumer has opted in to the sale (if the consumer is between 13 and 16), or the parent or guardian has opted in to the sale (if the child is under 13).

What are the exemptions?
  • GDPR: Processing by legal authorities in relation to investigating, detecting, or prosecuting criminal offenses or penalties; processing for journalistic, academic, or literary expression purposes; limited exemptions for processing for scientific, historical research, or archiving purposes in the public interest; processing for purely personal or household activities.
  • CCPA: Processing for compliance with federal, state, or local laws, including, but not limited to, GLBA and HIPAA, or legal investigations; collection or sale of de-identified or aggregate consumer information; collection or sale of personal information that takes place wholly outside of California; sale of information to consumer reporting agencies for a consumer report; where compliance would violate evidentiary privilege.

Do consumers have a private cause of action?
  • GDPR: Yes.
  • CCPA: Yes, but private citizens must give the business an opportunity to cure any violations and inform the California Attorney General (AG) of a complaint against the company before bringing a case. Any attempts to waive a consumer’s enforcement rights, including the right to bring a class action, will be unenforceable.

What fines can be levied?
  • GDPR: Depending on the violation, administrative fines of up to 20,000,000 EUR or up to 4% of total worldwide annual turnover of the previous year.
  • CCPA: For private causes of action, between $100 and $750 per consumer per incident, or actual damages, whichever is greater. For California AG actions, civil penalties of up to $7,500 per violation.

The CCPA does not go into effect until January 1, 2020, and there may be changes made to the law before then. Until then, however, companies should take the time to review their current business practices to determine any changes required to conform with the law and steps that they can take towards implementation.

California Enacts Sweeping Privacy Law; Will Other States Follow? https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/california-enacts-sweeping-privacy-law-will-other-states-follow https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/california-enacts-sweeping-privacy-law-will-other-states-follow Fri, 29 Jun 2018 12:06:06 -0400 On June 28, 2018, Governor Brown signed into law the “California Consumer Privacy Act of 2018.” The legislation was a compromise to avoid a ballot initiative that was more closely modeled after the European Union’s General Data Protection Regulation (GDPR). This Act is scheduled to go into effect on January 1, 2020.

The Act enumerates a number of rights for consumers regarding the privacy of their personal information. Some rights, such as the right to be forgotten or the right to request information disclosure, are reminiscent of those seen in the GDPR, while others, such as the right to opt out of the sale of a consumer’s personal information, are specific to the new law.

Along with identifying consumer rights, the law also imposes requirements on businesses, including those that collect or have collected consumers’ personal information, to make specific disclosures about their personal information practices and to respond to consumer requests. Importantly, the definition of “personal information” is broadly defined to include common information, such as a name or email address, as well as more specific information, such as biometric information and geolocation data, although publicly available information is not included.

Another key component of the law is that it offers consumers a private right of action if their nonencrypted or nonredacted personal information is breached. The law provides businesses with a right to cure any consumer complaint prior to the consumer initiating an action for statutory damages, but it also requires consumers to notify the Attorney General of any filing to give the office the opportunity to pursue its own prosecution instead. Importantly, businesses cannot enforce terms that waive or limit a consumer’s rights under the Act, such as a class action waiver in a privacy policy.

Given that the law is not set to be implemented for more than a year, there could very likely be changes. However with this law, California is leading the way for other states to enact similar laws to protect their consumers’ personal information, potentially raising questions about the feasibility of companies meeting differing requirements across state lines.

This law also comes on the heels of the Federal Trade Commission’s announcement of hearings on the harmonization and interpretation of federal and state laws that address unfair and deceptive practices, including privacy. This new law will likely be a topic of those conversations.

For more information about the California law, including a more comprehensive summary of its requirements, see our Client Advisory.

GDPR SIDEBAR: Best Practices for Complying with GDPR Consent Requirements https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/gdpr-sidebar-best-practices-for-complying-with-gdpr-consent-requirements https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/gdpr-sidebar-best-practices-for-complying-with-gdpr-consent-requirements Mon, 25 Jun 2018 17:13:15 -0400 Under the GDPR, processors must have a lawful basis for processing any data of an EU data subject. Consent is one of six lawful bases[1] under the GDPR, and in this installment of GDPR SIDEBAR, we'll cover best practices that can help achieve an acceptable level of compliance with GDPR consent requirements.

Valid consent under the GDPR must be: (1) freely given; (2) specific; and (3) informed. And a consumer must make a clear, affirmative action to consent. This means pre-populated check boxes aren’t going to count as valid consent for GDPR purposes. Here are a few tips for meeting GDPR’s consent requirements:

  • Make sure consent is specific. Identify what type of processing the data subject is consenting to, so that the data subject understands exactly what data is collected and how it is used. Example 1 provides a consent mechanism for each specific type of communication (text message, email, etc.). This makes it clear to the data subject what she is signing up for when she consents to processing.
  • Make sure consent is unbundled. Provide a separate consent mechanism for each type of processing the data is expected to be used for. Do not bury consent in an agreement for terms and conditions or a general privacy policy. Example 2 offers unbundled options for separately consenting to marketing messages and the website’s terms and conditions.

  • Make sure to provide enough information. State: (1) who the controller is; (2) how the data will be used; (3) what type of data will be used; (4) that the data subject can withdraw consent; (5) how the data will be used for automated processing decisions; and (6) the possible risks associated with data transfers (if applicable). Example 1 clearly separates out each of these requirements in the consent mechanism. The additional information via a hyperlink is clearly labeled and takes the consumer directly to a page with additional information about the company’s data processing.
  • Make withdrawing consent an easy process. Ensure that a data subject can easily withdraw consent for processing if she so chooses. This should be a one-step process, such as clicking a button or un-checking a box. Examples 1 and 2 provide easy, single-step opt-out mechanisms. In Example 1, the data subject sends an email to the provided address. Example 2 makes it even easier, allowing the data subject to click a sliding button to opt out.
  • Keep adequate records of data subjects’ consent. Record how and why data subjects have given their consent to data processing. Since the controller has the responsibility to provide a record of consent, adequate records are necessary in case processing is challenged.
  • Harmonize U.S. and EU consent requirements. If doing business both in the U.S. and EU Member States, it is easiest to implement consent practices that are sufficient for both countries. Trying to differentiate will likely become complicated.
Stay tuned for upcoming sidebars on additional GDPR consent requirements.

[1] The six lawful bases are the following: consent; contract; legal obligation; vital interests; public task; and legitimate interests. The Article 29 Working Party has warned that "when initiating activities that involve processing of personal data, a controller must always take time to consider what would be the appropriate lawful ground for the envisaged processing."

New Watchdog, New Tricks: European Data Protection Board Adopts GDPR Guidelines and Releases Statement on ePrivacy Regulation https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/new-watchdog-new-tricks-european-data-protection-board-adopts-gdpr-guidelines-and-releases-statement-on-eprivacy-regulation https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/new-watchdog-new-tricks-european-data-protection-board-adopts-gdpr-guidelines-and-releases-statement-on-eprivacy-regulation Fri, 08 Jun 2018 10:14:36 -0400 Less than one week after replacing the now defunct Article 29 Working Party (WP29), the European Data Protection Board (EDPB) has adopted new guidelines on the EU General Data Protection Regulation (GDPR) and issued a statement on the ePrivacy Regulation revision.

What is the European Data Protection Board? How is It Different from the Article 29 Working Party?

The EDPB is made up of the head/representative of each of the EU national supervisory authorities, the European Data Protection Supervisor, and a non-voting member of the European Commission. The Board is tasked with ensuring the consistent application of GDPR by monitoring and ensuring the correct application of the GDPR, issuing guidelines, recommendations, and best practices regarding GDPR requirements, and approving data protection certification mechanisms encouraged under the GDPR, among other things. While the structure of the EDPB resembles that of the WP29, unlike the WP29, the EDPB has the power to adopt binding decisions to ensure the correct and consistent application of the GDPR.

What’s New on the European Data Protection Board Front?

The EDPB is carrying out its mandate to ensure a consistent level of data protection for individuals and the consistent application of GDPR by taking the following steps:

  • Endorsing GDPR material issued by the WP29 (i.e., WP29 guidelines, recommendations, working documents, and referential).
  • Adopting a draft version of the Guideline on certification, which explains key concepts of certification provisions under GDPR Articles 42 and 43 as well as the scope and purpose of certification. The deadline for comments (which should be sent to [email protected]) is July 12, 2018.
  • Adopting the final version of the Guidelines on derogations applicable to international transfers, which provides guidance on the application of GDPR Article 49 on derogations when transferring personal data to third countries or international organizations.
  • Releasing a statement on the revision to the ePrivacy Regulation, supporting the swift adoption of the new ePrivacy Regulation and offering insights and clarifications on key issues, including preventing the processing of electronic communications on the basis of “legitimate interest” or the general purpose of performance of a contract, ensuring that the new regulation maintains at least the current level of protection under the ePrivacy Directive, providing protection for all electronic communications, encouraging the use of anonymized electronic communication data, and ensuring that consent is obtained for websites and mobile apps.
How Do These European Data Protection Board Developments Impact My Business?

Now that GDPR is effective, the EDPB is moving swiftly to provide implementation guidance and compliance recommendations. All businesses with an EU footprint should familiarize themselves with and monitor the EDPB website for GDPR guidelines and public consultations. Given the anticipated end of 2018 entry into force of the ePrivacy Regulation, which will complement the GDPR, companies should likewise scrutinize the EDPB’s recent ePrivacy Regulation statement in relation to their electronic communications practices.

SADDLE UP AMERICA: California Aims to Pass its Own GDPR Law https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/saddle-up-america-california-aims-to-pass-its-own-gdpr-law https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/saddle-up-america-california-aims-to-pass-its-own-gdpr-law Thu, 07 Jun 2018 11:34:20 -0400 Just when you think you’ve tackled the Wild, Wild West of GDPR and privacy compliance, California decides to mix it all up again.

This November 6th, California voters will decide on the California Consumer Privacy Act (“Act”), a statewide ballot proposition intended to give California consumers more “rights” with respect to personal information (“PII”) collected from or about them. Much like CalOPPA, California’s Do-Not-Track and Shine the Light laws, the Act will have broader consequences for companies operating nationwide.

The Act provides certain consumer “rights” and requires companies to disclose the categories of PII collected, and identify with whom the PII is shared or sold. It also includes a right to prevent the sale of PII to third parties, and imposes requirements on businesses to safeguard PII. If passed, the Act would take effect on November 7, 2018, but would apply to PII collected or sold by a business on or after nine (9) months from the effective date – i.e., on August 7, 2019.

Who is Covered?

The Act is intended to cover businesses that earn $50 million a year in revenue, or businesses that "sell" PII either by (1) selling 100,000 consumers’ records each year, or (2) deriving 50% of their annual revenue by selling PII. These categories of businesses must comply if they collect or sell Californians’ PII, regardless of whether they are located in California, a different state, or even a different country.

What is Considered PII?

The term “personal information” is broadly defined as “information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device.” The term expressly includes, but is not limited to:

  • Typical personal or contact information (such as name, address, email, account name, SSN, driver’s license number, or other similar identifiers);
  • Any persistent identifier that can be used to recognize a consumer or a device over time and across different services (such as IP address, device identifier, cookies, beacons, pixel tags, mobile ad identifiers, or similar technology, customer number or user alias);
  • Internet or other electronic network activity information (such as browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement), or geolocation data;
  • Commercial and purchasing information (such as records of property, products or services that have been provided, obtained or considered, or other purchasing or consuming histories or tendencies);
  • Biometric data, or audio, electronic, visual, thermal, olfactory, or similar information;
  • Professional or employment-related information, information relating to characteristics of protected classifications under California or federal law (such as race, ethnicity, or gender); and
  • Any inferences drawn from any of this information.
PII does not include information that is publicly available or that is de-identified.

What are the Consumer “Rights”?

The Act enumerates four specific consumer “rights”:

  • “Right to Know” What PII is Collected: Consumers would have the right to request that a business that collects PII disclose the categories of PII that it has collected about the consumer.
  • “Right to Know” Whether Information is Sold or Disclosed: Consumers would have the right to request that a business that sells PII or discloses it for a business purpose identify the categories of PII that the business sold or disclosed about the consumer and the identity of the third parties (name and contact information) to whom it was sold or disclosed (whether or not it was sold or disclosed for marketing purposes).
  • “Right to Say No” to Sale of PII: A consumer shall also have the right to direct a business that sells PII about the consumer not to sell the consumer’s PII. Businesses must provide notice on the website or app homepage and privacy policy that such information may be sold and that consumers have a right to opt out of such sale.
  • “Right to Equal Service and Price”: The Act provides that a business is prohibited from discriminating against a consumer for exercising these rights. This includes prohibiting the business from denying goods or services to the consumer, charging different prices or rates (including through the use of discounts or other benefits or imposing penalties), providing a different level of quality or services, or suggesting that the consumer will receive a different price or rate, or level of quality or service, for exercising these rights.
How Do Businesses Comply?

The Act provides very specific compliance obligations for each of the consumer rights, and enumerates certain disclosure requirements for online privacy policies. This includes:

  • Contact Designation: Businesses must designate two or more methods for submitting requests, including at a minimum a toll-free telephone number and, if the business maintains a website, the website address.
  • Timeframe for Response: Businesses would be required to provide the requested information free of charge and within 45 days of receiving a verifiable request from the consumer. Businesses must take steps to verify the request, but this verification shall not extend the 45-day time period to respond. The disclosure must cover the information collected, sold, or disclosed in the preceding 12 months.
  • “Right to Say No”: Businesses must provide a clear and conspicuous link on the homepage and in the online privacy policy, titled “Do Not Sell My Personal Information,” that takes consumers to a page where they can opt out of the sale of their PII.
  • Privacy Policy Requirements: The Privacy Policy must contain the following information, and must be updated at least once every 12 months:
    • A description of the consumers’ “rights.”
    • A list of the categories of PII it has collected about consumers in the preceding 12 months by reference to one or more of the enumerated categories in the Act.
    • A list of the categories of PII that it has sold about consumers in the preceding 12 months by reference to one or more of the enumerated categories, or if a business has not sold consumers’ information, the business shall disclose that fact.
    • A separate list of the categories of PII it has disclosed about consumers for a business purpose in the preceding 12 months by reference to one or more of the enumerated categories, or if a business has not disclosed consumers’ information for a business purpose, the business shall disclose that fact.
  • Reasonable Security Measures: Businesses must implement and maintain reasonable security procedures and practices, appropriate to the nature of the information, to protect the PII from unauthorized disclosure.
What are the Penalties for Failing to Comply?

The Act provides a private right of action for any consumer suffering a violation of the Act, and permits statutory damages in the amount of $1,000 per violation or actual damages (whichever is greater), or up to $3,000 or actual damages (whichever is greater) per knowing and willful violation.

The Act also permits a number of public entities (including the Attorney General, any district attorney, and certain county counsel, city attorneys, or city prosecutors) to bring an enforcement action and issue a civil penalty of up to $7,500 for each violation.

The Act contains a whistleblower provision allowing any person who becomes aware, based on non-public information, that a person or business has violated the Act to file a civil action for civil penalties, provided that notice is first given to the Attorney General.

* * *

For companies around the country, this California proposition will be one to watch during the November 2018 general election.

GDPR SIDEBAR: Should You Be Complying with the New Data Protection Law? https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/gdpr-sidebar-should-you-be-complying-with-the-new-data-protection-law https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/gdpr-sidebar-should-you-be-complying-with-the-new-data-protection-law Wed, 06 Jun 2018 16:34:19 -0400

You've probably heard of the dreaded four-letter word – GDPR. Companies around the globe had been preparing for the May 25th implementation date for quite some time. But U.S.-based companies with no apparent EU presence may not have thought twice about whether the data protection law across the pond even applies to them. Let’s face it, we have enough federal and state laws here in the U.S. to worry about. But now that the GDPR dust has settled a bit, these U.S. companies may want to take a closer look to confirm they aren’t captured within GDPR’s sweeping scope.

In this first installment of GDPR SIDEBAR, we address the fundamental threshold question of whether and to what extent a U.S.-based company must comply with the GDPR.

If you are a U.S.-based company, you may want to take a second look and ask yourself the following questions:

  • Do one or more of your platforms or ecommerce sites follow or track European Economic Area (EEA) users as they browse the Internet (e.g., tracking them over time and across various websites – *think, interest-based advertising*)?
  • Does your company have a physical office, subsidiary, or other establishment(s) located in the EEA that collects, receives, transmits, uses, stores, or otherwise processes personal data[1] (even if the processing does not occur in the EEA)?
  • Do one or more of your platforms or ecommerce sites offer[2] and/or target goods or services for sale to persons in one or more Member States in the EEA (irrespective of whether the goods or services are paid for or offered for free)?
  • Do one or more of your platforms or ecommerce sites offer your services or website in the language of an EEA member state?
  • Do one or more of your platforms or ecommerce sites accept currency that is generally used in one or more EEA Member States?
  • Do one or more of your platforms or ecommerce sites offer to ship products to buyers in one or more EEA Member States?
  • Do one or more of your platforms or ecommerce sites hold events in the EEA and/or target registration to persons in one or more Member States in the EEA?
  • Do one or more of your platforms or ecommerce sites monitor[3] the online activity of persons in one or more Member States in the EEA (insofar as their online behavior takes place within the EEA)?
  • Do one or more of your platforms or ecommerce sites collect geolocation information (either general or precise geolocation) about users in one or more Member States in the EEA?
If you answered “YES” to any of the above questions, then your business, or one or more of your platforms or e-commerce websites, may be subject to the requirements of GDPR.[4] (It’s ok, take long…deep…breaths. We’re here to help.) The fact that the May 25th implementation date has already passed does not mean that all hope is lost. You can still take the necessary steps to satisfy GDPR compliance requirements.

Stay tuned for more installments of GDPR SIDEBAR.

***

[1] “Personal data” is defined in Article 4 of GDPR as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

[2] Under Recital 23 of GDPR, the offer has to be more than “the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established.”

[3] Under Recital 24 of GDPR, the term “monitor” generally refers to tracking individuals on the internet and any subsequent use of the data to profile an individual.

[4] Even if your company is a small or medium-sized business that processes personal data as described above, you must comply with the GDPR. However, if processing personal data isn’t a core part of your business and your activity doesn't create risks for individuals, then some obligations of the GDPR will not apply to you (for example the appointment of a Data Protection Officer).

2017 Recap https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/2017-recap Fri, 05 Jan 2018 16:27:12 -0500 Most Popular Ad Law Access Posts of 2017

As reported in our Ad Law News and Views newsletter, Kelley Drye’s Advertising Law practice posted 106 updates on consumer protection trends, issues, and developments to this blog in 2017. Here are some of the most popular:

Ad Law News and Views is produced every two weeks to help you stay current on advertising law and privacy matters. You can subscribe to it and other Kelley Drye Publications here and the Ad Law Access blog by email or RSS feed.

2018 Advertising and Privacy Law Webinar Series

Please join Kelley Drye in 2018 as we continue our well attended Advertising and Privacy Law Webinar Series. Like our in-person events, this series gives key updates and provides practical tips to address issues faced by counsel as well as CLE credit. This webinar series will start again in February 2018. Please revisit the 2017 webinars here.

One Employee in Europe Could Trigger New EU Data Protection Obligations https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/one-employee-in-the-europe-could-trigger-new-eu-data-protection-obligations Tue, 16 May 2017 10:29:21 -0400 An Update on the New EU General Data Protection Regulation

In April 2016, the EU adopted the General Data Protection Regulation (‘GDPR’), which largely rewrites and harmonizes the European legal framework for data protection. The new regulation will become applicable in May 2018, but given the scope and complexity of the GDPR it is important to prepare for this legal change well in advance.

Global scope?

With the GDPR, there will be a substantial expansion of the territorial scope of the EU data protection obligations, which may impact US companies and employers who were previously not affected by EU data protection rules. In determining its geographical reach, the GDPR considers not only the location of the processing, but also the location of the individual whose data is being processed. In this context, if your group of companies has one EU-based employee, the GDPR could be applicable to your organization. Note that the GDPR would also be triggered by processing personal data of EU-based customers.

Processing information?

If your group of companies has one EU-based employee, and it processes (i.e., collects, uses, transfers or electronically stores) personal data of this employee, the GDPR may apply. ‘Personal data’ includes information that is typically considered personal, such as an employee’s name, address, income details and medical condition, but also includes information not always considered personal, such as an employee’s computer or device IP address, device identifiers, or other ‘unique identifiers.’ Even if you as an employer merely offer certain services which give you access to such personal data, such as an IT helpdesk, server access, etc., the GDPR could apply to you.

What do I need to do?

First, you should determine whether your group of companies has EU-based employees or is otherwise processing information related to EU-based employees.

If you have EU-based employees and are processing such information, you should conduct an internal GDPR review to determine which departments or companies (e.g., IT help desk, HR, accounting, etc.) are in scope for GDPR compliance obligations, evaluate current compliance and the gaps to be resolved by May 2018, and set up the necessary structure for compliance with the GDPR. The level of data protection in the EU is considered (by the EU) to be higher than in the US, and US companies should be prepared for the disclosures, specific guarantees, and obligations under the GDPR. Depending on the circumstances, the GDPR will even require US-based companies with access to personal information to designate a representative based in an EU country to act as the point of contact for the relevant data protection authorities. Given the technical and detailed requirements, companies may benefit from the use of targeted guidance.

Sanctions?

The global reach of the GDPR calls into question its enforceability against US-based employers. Violating the GDPR can result in penalties of up to € 20 million or 4% of the annual worldwide turnover of the company (i.e., annual worldwide gross income), whichever is higher.

Bottom line?

The GDPR will not apply until 25 May 2018, but the time for action is now. All HR departments and/or employers should carry out a data review and assess whether the GDPR is applicable and what impact it has on their activities, in order to implement the necessary changes in time.

If you need additional guidance, an employment attorney will be able to provide guidance both on US and EU aspects of data protection law.
