Data Protection Laws Are Here, but What Do They Mean for California Businesses?

Publication year: 2018
Author: Jordan Yallen and Kevin D. DeBré

Jordan Yallen and Kevin D. DeBré

Jordan Yallen is a second-year Juris Doctor candidate at Loyola Law School Los Angeles. Jordan is a Staff Editor of the Loyola of Los Angeles Law Review and the Social Events Chair of Loyola's Innovation, Entrepreneurship, and Startups Club. In the summer of 2018, Jordan interned for Ashley Boardman at Silicon Beach Legal, PLC, where he focused on researching the GDPR and analyzing organizational policies and protocols regarding compliance with the regulation.

Kevin D. DeBré is a partner with Stubbs Alderton & Markiles, LLP in Los Angeles, California, where he is the chair of the firm's Intellectual Property and Technology Transactions Practice Group.

If information is the lifeblood of every business, then data is the oxygen enabling businesses to thrive. Digital technologies have simplified the collection, analysis, storage, sharing, and manipulation of data. Along with these improvements, digital technologies have also brought a surge of new regulations governing how companies may use collected data. Recent laws enacted to protect consumer privacy and address data security risks are just the first wave of a vast regulatory regime within which most businesses must soon operate. These companies will rely upon their counsel to ensure that they are in compliance with this fluid landscape of privacy laws. This article highlights the responsibilities associated with collecting and using personal data through an analysis of two significant, recently adopted privacy laws: the European Union's General Data Protection Regulation ("GDPR") and the California Legislature's recent passage of Assembly Bill No. 375, the California Consumer Privacy Act of 2018 ("CCPA").

I. GDPR: This Year's Import from the European Union

The GDPR, effective on May 25, 2018, reflects some of the most significant reforms of consumer data protection laws to date. The GDPR's coverage of "data subjects" includes "any information relating to an identified or identifiable natural person" residing in the European Union ("EU").1 However, the GDPR's reach extends beyond the EU if a business (1) processes the personal data of EU residents in connection with offering goods or services or (2) monitors behaviors of data subjects within the EU.2 A company need not be located in the EU to be subject to the GDPR.

A. GDPR Compliance

California-based businesses that process personal data or monitor behaviors of EU residents must comply with the GDPR's stringent consent requirements and expanded individual rights in controlling the use of personal data, implement new data storage systems and policies, and potentially appoint a specific GDPR representative.

Processing consists of storing, organizing, retrieving, transmitting, or any other action, automated or not, performed on personal data.3 Businesses outside of the EU are subject to GDPR compliance as either a "data processor," if they actually process this data, or as a "data controller," if they direct "the purposes and means of the processing."4 Monitoring behaviors of EU residents "includes the tracking of individuals online to create profiles, including where this is used to take decisions to analyse/predict personal preferences, behaviours and attitudes."5

Before collecting any data, controllers must inform data subjects of the legal basis and purposes for processing personal data, contact information for the controller or a representative, "the legitimate interests pursued by the controller ... or third party," the types of personal data being collected, and to whom the controller will provide this data.6 This information must be presented "in a concise, transparent, intelligible and easily accessible form," often as a privacy policy, "using clear and plain language."7

[Page 14]

Consent to collecting data from a data subject should be evidenced by "a clear affirmative act."8 Usually, this consent is sought when a data subject is required to complete a registration form to access a website's services. Consent is provided when the data subject checks a box accompanied by a statement disclosing the purposes for which the data subject's information will be processed and the data subject submits the completed registration form. A data subject must provide additional consent when (1) there is more than one agreement (such as a terms of use and a privacy policy) and (2) "the processing has multiple purposes."9 In addition, parental consent is required for children under the age of sixteen; however, EU Member States may lower the age threshold to as low as thirteen years old.10 It is the controller's responsibility to "make reasonable efforts to verify ... that consent is given or authorised by" a child's parent or guardian, "taking into consideration available technology."11

After consent is given, the consenting data subjects have rights to control the use of their personal data when a data controller processes or collects their personal data. Data subjects have the right to revoke "consent at any time," which would require the data controller to stop using their data.12 In addition, data subjects have the "right to be forgotten": upon a data subject's request, the data controller must delete the personal data collected from the data subject.13 Further, data subjects may require data controllers to correct information in collected data, and may restrict what data controllers can do with their collected data.14 To fulfill a data subject's request to correct their information, controllers must store data in a manner that enables personal data to be easily transmitted to the data subject and in a form that is viewable.15 A data controller must comply with a request within one month of receipt.16 Businesses that are not prepared to fulfill such requests should start putting these procedures in place.

Depending on the amount of EU resident data that is processed or monitored, a business may be required to designate a data protection officer or EU-based representative. Data protection officers are generally needed only for California businesses that monitor data subjects on a "regular and systematic" basis, which includes all forms of online tracking and profiling (such as those conducted for behavioral advertising and email retargeting),17 or whose "core activities ... consist of processing on a large scale of special categories," such as race, religion, sexual orientation, and genetic information.18 If a company is required to designate a data protection officer, there is no need to establish a dedicated position within the organization. As long as the data protection officer can fulfill the obligations to inform, advise, and monitor a company's compliance with the GDPR, the position may be contracted to an outside party serving on behalf of multiple businesses, or this responsibility may be assigned to an existing staff member.19

Further, businesses that fall within the GDPR's scope, but are located outside of the EU, must appoint a representative in the EU, unless the "processing . . . is occasional" and does not consist of any sensitive "special categories of data."20 The regulation does not provide a threshold for what constitutes "occasional" processing, and it is too soon to know how regulators will interpret this requirement.

Finally, the controller is responsible for creating guidelines "to ensure that the personal data [is] not kept longer than necessary."21 As long as data subjects are identifiable by the collected data, the data may only be used and stored for the duration required for the purposes for which it was collected.22 The processing of anonymous information is not within the scope of the GDPR, but personal data that has undergone pseudonymization (a process after which additional information is necessary to identify the data subject) is still considered personally identifiable data.23 Businesses must delete personal data when it is no longer necessary for processing or legal purposes or when a data subject objects to or withdraws consent for processing.24

B. GDPR Interpretation and Enforcement

With time, enforcement actions will provide guidance as to how regulators will interpret the GDPR's requirements, and application of these requirements should become more certain and predictable. For now, however, attorneys can offer their clients little insight concerning the risks of violating the GDPR. The regulation states that any business that fails to comply may be subject to fines, judicial remedies, and liability for damages.25 "Each [EU] Member State" is responsible for establishing "one or more independent public [supervisory authorities] to be responsible for monitoring," enforcing, and imposing fines for violations of the GDPR.26 These supervisory authorities may levy fines of up to €20 million or 4% of "worldwide annual turnover of the preceding financial year, whichever is higher."27 On September 28, 2018, Facebook announced a data breach affecting approximately thirty million accounts. This breach, along with three recent cases discussed below, may soon offer clues as to how regulatory authorities will apply the GDPR's penalties.28

[Page 15]

Recent reports of the first GDPR enforcement notice indicate that AggregateIQ may face the maximum allowable fines under the regulation.29 The Information Commissioner's Office ("ICO"), the UK body enforcing...
