FMG Law Blog Line

Posts Tagged ‘European Union’

The CCPA: Precursor To American GDPR Or Undue Burden On American Businesses

Posted on: July 30th, 2018

By: Jonathan Romvary

As we recently posted, California passed the landmark California Consumer Privacy Act of 2018 (“CCPA”), which goes into effect on January 1, 2020 and grants California residents expansive new privacy rights. Many observers are comparing its scope to that of the European Union’s General Data Protection Regulation (“GDPR”). However, as protective as the new statute may be for California residents, it represents a number of significant burdens and challenges for businesses throughout the country.

Unknown Final Requirements

Despite what appears to be a finalized bill, future amendments and clarifications to the CCPA are necessary and will likely significantly alter the current draft. The CCPA was enacted after a single week of legislative debate. The reasons for the quick turnaround can be debated but the current draft contains a number of errors that will need to be addressed before its effective date on January 1, 2020. The uncertainty surrounding the bill means that businesses attempting to be proactive in terms of compliance may be throwing darts in the dark.

Attorney General Regulations

Additionally, the bill instructs the California Attorney General to develop regulations ahead of the effective date in a number of areas to further the purposes of the CCPA. While it’s arguable whether this will provide greater protections to consumers, it will undoubtedly come at the expense of those businesses covered by the CCPA. At this time these specific AG regulations are unknown and, with an upcoming election, there is no guarantee we will know what these regulations will be until late next year before implementation.

Compliance Burn Out

As we all know, the GDPR went into effect on May 25, 2018. Most companies have spent the last year conducting data flow analysis, mapping, and regulatory compliance in order to come into compliance prior to the effective date. According to an October 2017 survey by Paul Hastings LLP, the cost of GDPR compliance for Fortune 500 firms runs approximately $1 million just for the necessary technology that those companies need to comply.

Unfortunately for all of those companies that spent the last 12 to 18 months traversing GDPR compliance, you will not automatically be complying with the CCPA. The CCPA requirements, while similar, do not entirely overlap with the GDPR and, in many cases, the CCPA goes even further than the GDPR. All those companies will now need to engage in an additional 18 months of legal compliance reviews in anticipation of the January 1, 2020 implementation date.

The scope of the CCPA affects businesses across the country, not just those in California. The CCPA protections generally encompass all retail and commercial activity that includes the collection of data relating to a resident of California which is retained, sold or transferred by the business. While the CCPA contains numerous exemptions of data use and functionality, these exceptions require close scrutiny and analysis by covered businesses. To discuss how the CCPA might affect your business and what you can do in anticipation of the numerous issues relating to the act, please contact Jonathan Romvary at [email protected].

California Passes New Comprehensive Data Privacy Law

Posted on: July 16th, 2018

By: Kacie Manisco

California has passed a sweeping data privacy law that will result in dramatic changes to how businesses in the state handle consumer data. AB 375, which will take effect on January 1, 2020, grants consumers more control over and insight into the dissemination of personal information, but imposes significant obligations on certain businesses in order to achieve those goals.

The law will apply to any California business that: (1) has an annual gross revenue over $25 million; or (2) alone or in combination, annually buys, receives, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or (3) derives 50% or more of its annual revenues from selling consumers’ personal information.

The new legislation is similar in nature to the European Union’s General Data Protection Regulation (GDPR) and is intended to provide residents of California the most comprehensive consumer privacy rights in the country. To that end, AB 375 requires covered businesses to give California residents:

  • The right to seek disclosure of any personal information collected by the business, up to twice a year;
  • The right to be informed of what categories of data will be collected, prior to its collection, and to be informed of any changes to this collection;
  • The right to request deletion of information collected by the business;
  • The right to opt-out of the sale of personal information;
  • Mandated opt-in before the sale of a minor’s information;
  • Protection of consumer data through reasonable security procedures and practices.

Additionally, one of the most significant aspects of the law creates a private right of action for any consumer for data breaches, without the requirement that the consumer prove injury before being awarded damages. The law provides, “any consumer whose nonencrypted or nonredacted personal information…is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information” may be subject to a civil lawsuit. A consumer would be entitled to recover actual damages or statutory damages of between $100 and $750 per consumer per incident (whichever is greater), plus injunctive or declaratory or other relief.

While AB 375 does not take effect until 2020, California businesses should begin the process of reviewing these complex new requirements and evaluating the applicability of the regulations to their operations. Specifically, businesses should begin to assess the types and scope of data they currently collect (and have collected and stored in the past) that may be covered by the law. Moreover, organizations should minimize their exposure in handling personal data, keeping only the data directly necessary for business and legal needs.

If you have any questions or would like more information, please contact Kacie Manisco at [email protected].

Countries Around the World Are Investigating Facebook’s Cambridge Analytica Event

Posted on: April 26th, 2018

By: Allen E. Sattler

On March 18, 2018, news broke of the Cambridge Analytica event where the data of an estimated 87 million Facebook users was disclosed to the UK-based political consulting firm.  The breach of user data resulted in several U.S. investigations, including by Congress and by the Federal Trade Commission (“FTC”).  Facebook entered into a consent decree with the FTC in 2011, where Facebook agreed to never make deceptive claims concerning users’ privacy and to obtain users’ informed consent before changing the way in which it shares their data.  The FTC is investigating whether Facebook violated the terms of this agreement which carries a possible $40,000 per-violation fine.

On April 10 and 11, Mark Zuckerberg appeared before Congress where he testified that Facebook failed to protect its users’ data and that Facebook “didn’t take a broad enough view” of its responsibility in ensuring the privacy of its users following its initial discovery of the Cambridge Analytica event.  He also accepted personal responsibility for the matter as the company’s founder and CEO.

What might have been lost in the flurry of domestic activity is the amount of scrutiny Facebook is receiving by nations around the globe.  This breach involved users from many countries, with over 1 million affected users in each of four different countries.

The European Union launched an investigation into Facebook on March 19, and the United Kingdom and Australia quickly followed.  Under Australian privacy laws, the government has the authority to issue fines against Facebook of up to $1.6 million if it determines that Facebook violated those laws.

Countries of southeast Asia soon followed with investigations of their own.  Indonesia, which is home to over 115 million Facebook users, 1 million of whom were affected by this breach, launched an investigation on April 6.  Under Indonesian law, the government can assess fines against Facebook representatives personally of up to $870,000.  Singapore has opened an investigation as well, where it has already questioned Facebook executives located in their country.

The Philippines announced its investigation into Facebook on April 13.  The country was rated as the biggest user of social media several years running.  Research indicates that Filipinos spend almost four hours per day on various social media platforms.  This breach affected nearly 1.2 million Filipinos, and news reports indicate that Cambridge Analytica might have helped President Rodrigo Duterte in his successful 2016 campaign.  The event therefore has enormous significance to Filipinos.

On Friday, April 20th, Germany became the latest country to open an official investigation into Facebook.  Germany’s data privacy regulator said fines could be levied against Facebook in the amount of 300,000 euros ($366,000).

Facebook had revenues of more than $40 billion last year, so the fines that each country might assess against the company seem relatively insignificant.  The investigations launched against Facebook can nevertheless have a big impact on the company and on the entire industry.  This event has garnered the attention of countries around the world, and it has already led to a greater awareness of privacy concerns that exist on social media platforms.

If you have any questions or would like more information, please contact Allen Sattler at [email protected].