Slicker Than a Boiled Onion
What Texas lawyers need to know about data privacy, the GDPR, and the CCPA.
By Kathryne "Kate" M. Morris
Texas lawyers and their corporate clients are paying attention to privacy legislation in other jurisdictions. In 2019, risks arising under the EU’s General Data Protection Regulation, or GDPR,1 and the California Consumer Privacy Act, or CCPA,2 have garnered particular focus. Recognizing privacy issues requires knowing that they exist, then peeling back the layers of the metaphorical privacy onion and holding onto this privacy primer.
Recognizing Privacy Issues
Today, 107 countries3 have privacy legislation aimed at protecting individual privacy rights through the regulation of “personal data” or “personal information.” In the U.S., no single law governs “personal information,” but federal laws govern privacy in certain sectors.4 Some states, including California, also recognize constitutional rights to privacy.5 Additionally, states have discrete laws related to, among other things, data breach notifications,6 internet privacy,7 biometrics,8 and identity theft.9
You can help your client address privacy issues in two steps:
(1) Spot “personal data” or “personal information”
First, realize that different laws recognize “personal data” or “personal information” by different names and definitions. The trend is toward broader definitions that include any kind of data that can be traced to an individual’s identity (exceptions usually exist for deidentified and aggregated data).10
For example, the GDPR recognizes “personal data” and defines it as “any information relating to an identified or identifiable natural person.”11 In contrast, the CCPA refers to “personal information,” which means “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular [California] consumer or household.”12 Unlike the GDPR, the CCPA specifically lists various types of information considered “personal information,” including, among many other things, online identifiers (like IP addresses) and “audio, electronic, visual, thermal, olfactory, or similar information.”13
(2) Identify potentially applicable privacy legislation
Second (once the individual in question is identified), identify legislation that may be applicable. You can do this by determining:
(a) where that individual resides,
(b) where the data has flowed, and
(c) where the companies processing that data (including cloud and other service providers) are located or headquartered.
Realize that different laws may apply and that you may need to reach out to a privacy lawyer who has expertise in jurisdictions at issue.
Recognizing Risks—A Look at Enforcement Under the GDPR
Balancing material privacy and data security risks against the high costs of legal compliance presents a challenge, but a good place to start is by understanding those risks.
Since May 25, 2018, the GDPR has commanded headlines with its authorized fines of €20 million or 4% of global turnover, whichever of the two is higher.14 To date, no company has faced the maximum penalties under the GDPR, but there have been over 100 enforcement actions,15 and not all have focused on Big Tech.
Enforcement under the GDPR has occurred in three areas: (1) fines for data breaches resulting from lax security (e.g., British Airways was fined £183.39 million after a data breach affecting 500,000 customers;16 Marriott was fined £99 million after a data breach affecting 339 million Starwood guests);17 (2) fines for lack of transparency into privacy practices (e.g., Google was fined €50 million18 after allegedly failing to explain its data processing practices clearly—Google has appealed; PwC BS was fined €150,000 for, among other things, failing to be transparent about privacy practices related to employee data);19 and (3) fines for lack of valid consent for processing personal data (e.g., Google was also faulted for “lack of valid consent regarding the ads personalization;”20 a municipality in northern Sweden was fined almost €19,000 for using facial recognition technology to monitor the attendance of students in school without parental consent).21
A non-GDPR risk calculus requires recognition that data security and consumer notice are imperatives, whereas consent to process personal data is largely unique to the GDPR since the EU generally maintains an opt-in regime rather than an opt-out regime.
The California Consumer Privacy Act
The CCPA, effective as of January 1, 2020, and set to become enforceable by July 1, is a landmark privacy law that requires covered businesses to follow regulations designed to protect personal information22 and establishes various privacy rights for California residents, including the right to know;23 the right of data portability;24 the right to deletion;25 the right to opt out;26 the right to not be discriminated against as a user;27 and a private right of action for data breaches with statutory damages—between $100 and $750 per violation, whichever is greater.28 Since it was hastily adopted in 2018,29 the CCPA has been routinely referred to as a “dumpster fire,”30 in part because of its prescriptive requirements and the regulations promulgated by California’s attorney general, which, as of this date, have not been finalized.31
Businesses32 covered by the CCPA already face known enforcement risks arising from data breaches and inaccurate privacy notices. Tips to address those risks (and defend against class actions) include confirming that covered personal information is encrypted or redacted and “reasonable security procedures and practices” are maintained,33 that service providers and third parties are obligated by contract to protect security and confidentiality in a manner consistent with the CCPA,34 and that privacy notices are updated and supplemented with the law’s required
KATHRYNE “KATE” M. MORRIS is a co-founding member of Hosch & Morris, a Dallas-based boutique law firm dedicated to data protection, privacy, the internet, and technology. She helps a broad range of organizations with data privacy and data commercialization matters, outsourcing, electronic commerce, and technology transactions. Morris is triple certified by the International Association of Privacy Professionals as a Certified Information Privacy Professional—United States (CIPP/US) and Europe (CIPP/E)—and is a certified Information Privacy Manager (CIPM).