How the European Union and California are Changing the Way Personal Data are Collected Online (and What That Means for You)

The Lane Report, December 2019
Monday, December 2, 2019 10:00 am
by Alexander Konetzki

We live in a data-driven world. In just over a decade, data has arguably become the most important currency in global commerce. Many companies collect as much personal data as possible about the individuals who interact with them through the online digital platforms those companies provide. They use that data to advertise with precision and to make their operations more efficient. They also repackage and sell their data to other companies.

All this personal-data collection has occurred largely in the absence of strict government regulation specifying what kinds of personal data can be collected and how personal data, once collected, must be protected. As a result, data breaches have become fairly commonplace, and some such breaches, including the 2013 Yahoo breach (3 billion accounts), the 2018 Marriott breach (500 million accounts), and the 2017 Equifax breach (143 million accounts), have been massive.

Governments took notice. Now, they’ve taken action. The European Union has enacted the General Data Protection Regulation (GDPR), which protects the personal data of all EU citizens. It took effect in 2018. The State of California has adopted the California Consumer Privacy Act of 2018 (CCPA), which protects the personal data of all California residents. It takes effect January 1, 2020.

The GDPR and CCPA are groundbreaking. Because they govern the personal-data collection of more than 550 million individuals in two of the world’s largest markets, and impose significant financial penalties for non-compliance, they have the potential to set the governing standard for collecting and protecting personal data throughout the world. (It would likely be far too onerous for companies to maintain two different standards for data collection -- one for EU citizens and California residents and another for everyone else.)

For that reason, it’s critical that any organization that collects individuals’ personal data through a digital platform take action to determine 1) whether it is subject to the GDPR and CCPA’s requirements and, if so, 2) whether it needs to update the manner in which it collects and protects personal data to comply with said requirements.


Does the GDPR apply?

The GDPR applies both to businesses and to non-profit organizations. If your business or non-profit organization collects personal data from EU citizens (regardless of where they are in the world) either by selling goods or services to them or monitoring their activity, the GDPR likely applies. The GDPR defines personal data as “any information relating to an identified or identifiable natural person.” An identifiable natural person is “one who can be identified, directly or indirectly, in particular by reference to an identifier.” An identifier could be a name, photo, email address, bank details, social media post, medical information, or a computer’s Internet Protocol address. (This list is not exhaustive.)

What does the GDPR require?

  1. Before collecting any personal data from an EU citizen, a business or non-profit organization must ask for the EU citizen’s permission to do so. The request for permission must use plain language, not legalese, and must be kept separate and distinct from the Terms and Conditions of Use and any other policy statement on the digital platform.
  2. EU citizens whose personal data is collected and stored must be notified if a data breach has occurred. The notification must be made not more than 72 hours after the breach is discovered and by as many methods as necessary (such as email, phone, and public announcement).
  3. Businesses and non-profit organizations must provide, at an EU citizen’s request, confirmation as to whether the EU citizen’s personal data is being collected, categories of the personal data collected, where the data is being stored, and for what purpose. (This list is not exhaustive.) Upon request, a copy of any and all of the personal data (without time limitation) must also be provided free of charge.
  4. When requested by an EU citizen, businesses and non-profit organizations must correct any errors in that citizen’s personal data.
  5. Perhaps most important, businesses and non-profit organizations must erase all of an EU citizen’s personal data when requested to do so by the EU citizen. This provision is how EU citizens can vindicate their “right to be forgotten”, recognized by the GDPR.

What are the penalties for non-compliance?

Companies and non-profit organizations found to have violated GDPR requirements can be fined up to the greater of €20 million ($22 million) or 4% of their worldwide revenue from the prior financial year. In 2019, UK authorities fined British Airways £183 million ($228 million) for leaking the personal data of 500,000 of its customers. They also fined Marriott International £99 million ($124 million) for the data breach mentioned above. Also in 2019, French authorities fined Google €50 million ($57 million) for failing to comply with the GDPR’s transparency and consent requirements.

It should be noted that the GDPR also creates for EU citizens a private cause of action for damages resulting from GDPR violations. The GDPR establishes neither a minimum amount nor a maximum amount of damages that an EU citizen can claim.


Does the CCPA apply?

The scope of the CCPA is less expansive than that of the GDPR. The CCPA applies to businesses (but not non-profit organizations) that do business in the State of California and that

  • have annual gross revenue in excess of $25 million;
  • handle the personal data of more than 50,000 people or devices; or
  • make 50% or more of their revenue from the sale of personal data.

The CCPA also applies to companies that control, are controlled by, or have common branding with a company that satisfies the aforementioned criteria.

What does the CCPA require?

  1. At or before the time of collecting a California resident’s personal data, businesses must provide notice of the categories of personal data to be collected and the purposes for which the data will be used. The CCPA defines personal data as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Personal data includes but is not limited to the following: “real name, alias, postal address, ... Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.”
  2. Upon the request of a California resident, businesses must disclose the following to that resident free of charge:
    • categories and specific pieces of the California resident’s personal data that the company has collected;
    • categories of sources from which the personal data is collected;
    • the company’s purpose for collecting the personal data; and
    • categories of third parties with which the company shares personal data.
  3. Upon a California resident’s request, companies must deliver to the resident all of his or her personal data collected within the 12-month period leading up to the request. The CCPA permits California residents to make not more than two such requests annually.
  4. Like EU citizens, California residents now have a right to be forgotten, recognized by the CCPA. Companies must delete all of a California resident’s personal data collected when that California resident requests deletion. Companies must also notify California residents of the fact that they can request the deletion of all personal data collected from them.
  5. Companies cannot discriminate against a California resident in retaliation for the exercise of any rights under the CCPA, for example, by denying goods or services, charging different prices, or providing a different level of quality of goods or services.

What are the penalties for non-compliance?

Businesses found by the California Attorney General to have intentionally violated the CCPA face penalties of up to $7,500 for each violation. Also, if their personal data is compromised through a data breach, California residents can sue companies for $100 to $750 per breach. But in both cases, businesses on notice of their violation of the CCPA can avoid any financial penalties by curing the violation within 30 days.


There can be no doubt that personal-data collection has changed significantly under the GDPR and CCPA. Businesses and non-profit organizations must determine whether they are subject to the requirements of each and, if so, whether they are currently in compliance with those requirements. Both of these determinations should be made in short order, since the GDPR has been in effect since 2018 and the CCPA takes effect January 1, 2020. A failure to act could result in significant fines from government authorities and money damages (plus litigation expenses) in actions brought by EU citizens and California residents.

We stand ready to help you and your business or non-profit organization determine whether you’re subject to the GDPR and/or CCPA and, if you are, to help you comply.

Alexander Konetzki is an Associate Attorney with The Law Offices of Marc J. Lane. He earned his B.A., Phi Beta Kappa, from the University of Illinois at Chicago; his M.Phil. from the University of Cambridge; and his J.D. from DePaul University College of Law.

The Law Offices of Marc J. Lane, A Professional Corporation
70 West Madison Street, Suite 2050
Chicago, Illinois 60602-4256
(312) 372-1040

Nationwide: (800) 372-1040
Facsimile (312) 346-1040

Website: www.MarcJLane.com
