By Alexander Konetzki
We live in a data-driven world. In just over a decade, data has arguably become the most important currency in global commerce. Many companies collect as much personal data as possible about the individuals who interact with them through the online platforms those companies provide. They use that data to advertise with precision and to make their operations more efficient. They also repackage and sell that data to other companies.
All this personal-data collection has occurred largely in the absence of strict government regulation specifying what kinds of personal data can be collected and how personal data, once collected, must be protected. As a result, data breaches have become commonplace, and some of them, including the 2013 Yahoo breach (3 billion accounts), the 2018 Marriott breach (500 million accounts), and the 2017 Equifax breach (143 million accounts), have been massive.
Governments took notice. Now they have taken action. The European Union has enacted the General Data Protection Regulation (GDPR), which protects the personal data of individuals in the EU. It took effect on May 25, 2018. The State of California has adopted the California Consumer Privacy Act of 2018 (CCPA), which protects the personal data of California residents. It takes effect on January 1, 2020.
The GDPR and CCPA are groundbreaking. Because they govern the personal-data collection of more than 550 million individuals in two of the world's largest markets, and impose significant financial penalties for non-compliance, they have the potential to set the governing standard for collecting and protecting personal data throughout the world. (It would likely be far too onerous for companies to maintain two different standards for data collection: one for individuals in the EU and California residents and another for everyone else.)
For that reason, it is critical that any organization that collects individuals' personal data through a digital platform take action to determine 1) whether it is subject to the GDPR's or CCPA's requirements and, if so, 2) whether it needs to change the manner in which it collects and protects personal data to comply with those requirements.
The GDPR applies both to businesses and to non-profit organizations, wherever they are established. If your business or non-profit organization collects personal data from individuals located in the EU (regardless of their citizenship), either by offering goods or services to them or by monitoring their behavior, the GDPR likely applies. The GDPR defines personal data as "any information relating to an identified or identifiable natural person." An identifiable natural person is "one who can be identified, directly or indirectly, in particular by reference to an identifier." An identifier could be a name, a photo, an email address, bank details, a social media post, medical information, or a computer's Internet Protocol address. (This list is not exhaustive.)
Companies and non-profit organizations found to have violated GDPR requirements can be fined up to the greater of €20 million ($22 million) or 4% of their worldwide annual turnover for the prior financial year. In 2019, the UK Information Commissioner's Office announced its intention to fine British Airways £183 million ($228 million) for exposing the personal data of roughly 500,000 of its customers. It also announced its intention to fine Marriott International £99 million ($124 million) for the data breach mentioned above. Also in 2019, the French data protection authority (CNIL) fined Google €50 million ($57 million) for failing to comply with the GDPR's transparency and consent requirements.
It should also be noted that the GDPR gives individuals a private right to compensation for material or non-material damage resulting from GDPR violations. The GDPR establishes neither a minimum nor a maximum amount of damages that an individual can claim.
The scope of the CCPA is narrower than that of the GDPR. The CCPA applies to for-profit businesses (but not non-profit organizations) that do business in the State of California; and
The CCPA also applies to companies that control, are controlled by, or have common branding with a company that satisfies the aforementioned criteria.
Businesses found by the California Attorney General to have violated the CCPA face civil penalties of up to $2,500 for each violation, or up to $7,500 for each intentional violation. Separately, if their nonencrypted or nonredacted personal information is compromised in a data breach caused by a business's failure to maintain reasonable security, California residents can sue for statutory damages of $100 to $750 per consumer per incident (or actual damages, whichever is greater). In both cases, a business that receives notice of its violation can avoid financial penalties by curing the violation within 30 days, where a cure is possible.
There can be no doubt that the rules governing personal-data collection have changed significantly under the GDPR and CCPA. Businesses and non-profit organizations must determine whether they are subject to the requirements of each and, if so, whether they currently comply with those requirements. Both determinations should be made in short order, since the GDPR has been in effect since 2018 and the CCPA takes effect on January 1, 2020. A failure to act could result in significant fines from government authorities and money damages (plus litigation expenses) in actions brought by individuals in the EU and California residents.
We stand ready to help you and your business or non-profit organization determine whether you are subject to the GDPR and/or the CCPA and, if you are, to help you comply.
Alexander Konetzki is an Associate Attorney with The Law Offices of Marc J. Lane. He earned his B.A., Phi Beta Kappa, from the University of Illinois at Chicago; his M.Phil. from the University of Cambridge; and his J.D. from DePaul University College of Law.
The Law Offices of Marc J. Lane, A Professional Corporation
70 West Madison Street, Suite 2050
Chicago, Illinois 60602-4256
Nationwide: (800) 372-1040
Facsimile: (312) 346-1040