On a commercial level, the GDPR can be seen to be implemented across businesses in the countries where it applies, and in fact to businesses who sell to customers based in countries where the GDPR applies. There are still a few websites that have chosen to take the route of banning entry by any user whose IP address shows them to be in an EU country, and a notice will show that states the related business to the website has taken the step due to the data protection issues. Essentially, businesses globally are deciding whether or not their trade is affected by banning sales or interest from EU countries, or if they are better off aligning to the requirements. Businesses that are based in areas where their data protection law holds the same level of stringent requirements that the GDPR does, such as in California, have been seen to align faster and facilitate EU trade to continue. There have been over 500 cross-border cases of data protection rights seen since the GDPR was incepted. A report on these cases and other rules enforcement subjects must be compiled by the European Commission for review by May 25th.

GDPR and Brexit

The most meaningful change within the GDPR is how it will play out in the UK, with laws being set to be taken into review post Brexit. There are several issues relating to Brexit that will have a bearing on the GDPR and its impact, but the UK is set to adhere to all EU standard rules throughout 2020. At that time, they will be considering how their internal laws will align with the GDPR, as there has been a commitment made by the UK to adhere to the standards created by the GDPR after they pull out of EU regulatory oversight post-Brexit. It remains to be seen how this will affect businesses that trade with UK consumers, and it is a good example of why it has become important.

GDPR and the World

In a global context for all jurisdictions to have comparable data protection laws. When there are stipulations made by laws that transcend jurisdictions, such as the GDPR does with non-EU businesses that hold information on residents of EU countries, there is a good reason to ensure on a national level that all data protection laws adhere. This acts to further the ability for consumers and businesses to trade globally, and even for social and news media-related information to be shared. While certain data protection laws can differ from the GDPR, such as the California Consumer Protection Act, the spirit of the laws aligns and that makes going the extra bit further to ensure data protection alignment to the GDPR or other global data laws much easier.

Conclusion

2020 will see the interpretation of data protection requirements that were set out by the GDPR reviewed for enforcement and adherence. This includes on a national level in all EU member states, but also for companies globally that store information of EU residents, even with their knowledge and consent. Businesses globally have been seen to be generally conducive to aligning their practices to the GDPR standard where they have an EU consumer base, but that has been seen to not be the case across the board. Some companies have chosen instead to block access to their sites by an EU resident whose IP address indicates their residence in a GDPR compliant country. Those companies will likely align in the future, but that remains to be seen.

1. Notice to Consumers

When a business is collecting information directly from consumers, that business must provide a notice to the consumer at the point of collection. That notice must inform the consumer what personal information is being collected, what the purpose of collection is, and whether there is any financial incentive being offered in exchange for the business using that data. This notice needs to be visible or accessible before any personal information is collected. The proposed regulations note that if a business collects personal information from a consumer online, the notice at collection may be given to the consumer by providing a link to the applicable section of the business’ privacy policy.

2. Notice of Right to Opt-Out

If your business sells its consumers’ personal data, it is time to read the proposed regulations thoroughly. There is some great guidance on how to comply with the “opt-out” requirements. Specifically, it is noted a business shall post the notice of right to opt-out on the webpage the consumer is directed to after clicking on the “Do Not Sell My Personal Information” or “Do Not Sell My Info” link on the website homepage or landing page on a mobile app. The proposed regulations even go so far as to give an example of what the opt-out button or logo should look like. This opt-out option needs to be addressed for offline methods of collection as well.

3. Request to Delete

For those of us already GDPR compliant, we are all too familiar with the “right to be forgotten.” With CCPA, consumers have a similar option which is entitled “request to delete.” This allows a consumer the right to request any personal information collected about the consumer to be erased. The business needs to have two methods for placing these types of requests – whether it be email, telephone, interactive webform, or US mail. The proposed regulations indicate that when a business receives a “request to delete,” they must confirm receipt of the request in 10 days and respond within 45 days. The company must also log any “requests to delete.” There are exceptions that allow a business to not delete information in certain situations. Those include when the information is necessary to:

• Complete a transaction.
• Provide a good/service the consumer has requested.
• Perform a contract.
• Detect security incidents.
• Protect against “malicious, deceptive, fraudulent, or illegal” activities.
• Prosecute people responsible for “malicious, deceptive, fraudulent, or illegal” activities.
• “Debug to identify and repair errors that impair existing intended functionality.”
• Ensure the exercise of free speech.
• Ensure the business can exercise “another right provided for by law.”
• Comply with a legal obligation.

4. Service Provider Contracts

Businesses may also need to update service-level agreements with any third-party provider where data processing is at issue. CCPA defines the term “sell” in a broad manner that does implicate arrangements where there is an exchange of value between the business and another party for the consumer’s personal information. The Proposed Regulations indicate that Service Providers should not use personal information collected from one business to provide services to another business. Specifically, it is indicated “A Service Provider shall not use personal information received either from a person or entity it services or from a consumer’s direct interaction with the Service Provider for the purpose of providing services to another person or entity. A Service Provider may, however, combine personal information received from one or more entities to which it is a Service Provider, on behalf of such businesses, to the extent necessary to detect data security incidents, or protect against fraudulent or illegal activity.” It also becomes critical that businesses utilizing service providers are contractually addressing the data processing relationship and providing clear instructions on how to respond to a consumer request that is received by a Service Provider on behalf of a business it services.

5. Employees Excluded from the Definition of Consumer until 1/1/2021

AB 25 has modified the definition of “consumer” under the CCPA to exclude for one year “a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant to, an employee of, a contractor of, or an agent on behalf of, the business, to the extent the person’s personal information is collected and used solely within the context of the person’s role as a job applicant to, an employee of, a contractor of that business.” As long as an employer is collecting the data of its candidates and employees for purposes solely relating to employment, the CCPA generally does not apply to the collection of that personal information. This exemption will remain in effect only until January 1, 2021. It is anticipated that we will see a separate employee privacy bill proposed prior to the one-year deadline.

TargetCW takes data privacy seriously and believes it is best to take a transparent approach to how we handle personal information. Check out our policies at https://www.tcwprivacy.com/policies.