Slicker Than a Boiled Onion

What Texas lawyers need to know about data privacy, the GDPR, and the CCPA.

By Kathryne "Kate" M. Morris


Texas lawyers and their corporate clients are paying attention to privacy legislation in other jurisdictions. In 2019, risks arising under the EU’s General Data Protection Regulation, or GDPR,1 and the California Consumer Privacy Act, or CCPA,2 have garnered particular focus. Recognizing privacy issues requires knowing that they exist, then peeling back the layers of the metaphorical privacy onion and holding onto this privacy primer.

Recognizing Privacy Issues
Today, 107 countries3 have privacy legislation aimed at protecting individual privacy rights through the regulation of “personal data” or “personal information.” In the U.S., no single law governs “personal information,” but federal laws govern privacy in certain sectors.4 Some states, including California, also recognize constitutional rights to privacy.5 Additionally, states have discrete laws related to, among other things, data breach notifications,6 internet privacy,7 biometrics,8 and identity theft.9

You can help your client address privacy issues in two steps:

(1) Spot “personal data” or “personal information”

First, realize that different laws recognize “personal data” or “personal information” by different names and definitions. The trend is toward broader definitions that include any kind of data that can be traced to an individual’s identity (exceptions usually exist for deidentified and aggregated data).10

For example, the GDPR recognizes “personal data” and defines it as “any information relating to an identified or identifiable natural person.”11 In contrast, the CCPA refers to “personal information,” which means “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular [California] consumer or household.”12 Unlike the GDPR, the CCPA specifically lists various types of information considered “personal information,” including, among many other things, online identifiers (like IP addresses) and “audio, electronic, visual, thermal, olfactory, or similar information.”13

(2) Identify potentially applicable privacy legislation

Second (once the individual in question is identified), identify legislation that may be applicable. You can do this by determining:

(a) where that individual resides,
(b) where the data has flowed, and
(c) where the companies processing that data (including cloud and other service providers) are located or headquartered.

Realize that different laws may apply and that you may need to reach out to a privacy lawyer who has expertise in jurisdictions at issue.

Recognizing Risks—A Look at Enforcement Under the GDPR
Balancing material privacy and data security risks against the high costs of legal compliance presents a challenge, but a good place to start is by understanding those risks.

Since May 25, 2018, the GDPR has commanded headlines with its authorized fines of €20 million or 4% of global turnover, whichever of the two is higher.14 To date, no company has faced the maximum penalties under the GDPR, but there have been over 100 enforcement actions,15 and not all have focused on Big Tech.

Enforcement under the GDPR has occurred in three areas: (1) fines for data breaches resulting from lax security (e.g., British Airways was fined £183.39 million after a data breach affecting 500,000 customers;16 Marriott was fined £99 million after a data breach affecting 339 million Starwood guests);17 (2) fines for lack of transparency into privacy practices (e.g., Google was fined €50 million18 after allegedly failing to explain its data processing practices clearly—Google has appealed; PwC BS was fined €150,000 for, among other things, failing to be transparent about privacy practices related to employee data);19 and (3) lack of valid consent for processing personal data (e.g., Google was also faulted for “lack of valid consent regarding the ads personalization;”20 a municipality in northern Sweden was fined almost €19,000 for using facial recognition technology to monitor the attendance of students in school without parental consent).21

A non-GDPR risk calculus requires recognition that data security and consumer notice are imperatives, whereas consent to process personal data is largely unique to the GDPR since the EU generally maintains an opt-in regime rather than an opt-out regime.

The California Consumer Privacy Act
The CCPA, effective as of January 1, 2020, and set to become enforceable by July 1, is a landmark privacy law that requires covered businesses to follow regulations designed to protect personal information22 and establishes various privacy rights for California residents, including the right to know;23 the right of data portability;24 the right to deletion;25 the right to opt-out;26 the right to not be discriminated against as a user;27 and a private right of action for data breaches with statutory damages—between $100 and $750 per violation, whichever is greater.28 Since it was hastily adopted in 2018,29 the CCPA has been routinely referred to as a “dumpster fire,”30 in part, because of its prescriptive requirements and regulations promulgated by California’s attorney general, which, as of this date, have not been finalized.31

Businesses32 covered by the CCPA already face known enforcement risks arising from data breaches and inaccurate privacy notices. Tips to address those risks (and defend against class actions) include confirming that covered personal information is encrypted or redacted and “reasonable security procedures and practices” are maintained,33 that service providers and third parties are obligated by contract to protect security and confidentiality in a manner consistent with the CCPA,34 and that privacy notices are updated and supplemented with the law’s required language.35 TBJ


1. EU General Data Protection Regulation (GDPR) 2016/679, available at CELEX:02016R0679-20160504.
2. California Consumer Privacy Act (CCPA) of 2018, Cal. Civ. Code §§ 1798.100-1798.199 (2018), available at Section.xhtml?lawCode=CIV&sectionNum=1798.100.
3. See Interactive Map, Data Protection and Privacy Laws Worldwide, United Nations Conference on Trade and Development, (last visited Nov. 18, 2019).
4. For example, in the health care sector, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires the protection of health data in the hands of covered entities. Further, some state laws expand federal privacy protections. For instance, the Texas Medical Privacy Act extends the application of HIPAA from “covered entities” to “any person who engages in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting [protected health information].” (Tex. Health & Safety Code § 181.001(b)(2)(A)).
5. Privacy Protections in State Constitutions, National Conference of State Legislatures, (Last visited Nov. 20, 2019).
6. Security Breach Notification Laws, National Conference of State Legislatures, (Last visited Nov. 20, 2019).
7. State Laws Related to Internet Privacy, National Conference of State Legislatures,
8. See, e.g., Illinois General Assembly, Biometric Information Privacy Act, 740 ILCS 14, available at =57); Capture or Use of Biometric Identifier, Tex. Bus. & Com. Code § 503.001, available at; Washington State Legislature, Biometric Identifiers, RCW 19.375.010, available at
9. Identity Theft, National Conference of State Legislatures, (Last visited Nov. 20, 2019); see also, e.g., Identity Theft Enforcement and Protection Act, Tex. Bus. & Com. Code § 521
10. See Cal. Civ. Code § 1798.140(a) (defining “Aggregate consumer information.”).
11. See supra, note 1, GDPR, Art. 4(1).
12. See supra, note 2, Cal. Civ. Code § 1778.140(o).
13. Id. at § 1798.140(o)(1)(A)-(K); see also, Alexander B. Wiltschko, Learning to Smell: Using Deep Learning to Predict Olfactory Properties of Molecules, Google AI Blog (Oct. 24, 2019),
14. GDPR, Art. 83.
15. GDPR Enforcement Tracker, available at (Last visited Nov. 25, 2019) (identifying 113 enforcement actions).
16. Intention to fine British Airways £183.39m under GDPR for data breach, Information Commissioner’s Office (July 8, 2019),
17. Statement: Intention to fine Marriott International, Inc more than £99 million under GDPR for data breach, Information Commissioner’s Office (July 9, 2019),
18. The CNIL’s restricted committee imposes a financial penalty of 50 Million euros against GOOGLE LLC, CNIL (Jan. 21, 2019),
19. Company fined 150,000 euros for infringements of the GDPR, European Data Protection Board (July 31, 2019),
20. CNIL, supra note 18.
21. GDPR verdict: School may be fined 200,000 SEK after face-recognition tests, IDG (Aug. 21, 2019, 9:43 AM),
22. See Cal. Civ. Code § 1798.150(a)(1).
23. See id. §§ 1798.100, 1798.110, 1798.115.
24. See id. § 1798.100(d).
25. See id. § 1798.105.
26. See id. § 1798.120.
27. See id. § 1798.125.
28. See id. § 1798.150(a)(1)(A).
29. See Testimony of Alastair Mactaggart, United States Senate Committee on the Judiciary, at 2-3, Testimony1.pdf.
30. See Eric Goldman, Recap of the California Assembly Hearing on the California Consumer Privacy Act, Technology & Marketing Law Blog (Feb. 21, 2019), (incorporating Professor Goldman’s “usual . . . dumpster fire visual metaphor” in reviewing a recent CCPA legislative hearing).
31. See State of California Department of Justice, California Consumer Privacy Act, (Last visited Nov. 25, 2019).
32. See Cal. Civ. Code § 1798.140(c) (defining “business” generally as any business that has annual gross revenues of $25 million or more, obtains the personal information of 50,000 or more California residents, households or devices; or derives 50% or more of its revenue from selling California residents’ personal information); see also Privacy Plus+: California Consumer Privacy Act – Who, What, Where, When, Why, and Now, Hosch & Morris (Sept. 21, 2019),
33. Supra id., note 32 §§ 1798.150(a)(1), 1798.82 (California’s breach notification statute).
34. See id. § 1798.140(v) and (w).
35. See id. § 1798.135.

KATHRYNE “KATE” M. MORRIS is a co-founding member of Hosch & Morris, a Dallas-based boutique law firm dedicated to data protection, privacy, the internet, and technology. She helps a broad range of organizations with data privacy and data commercialization matters, outsourcing, electronic commerce, and technology transactions. Morris is triple certified by the International Association of Privacy Professionals as a Certified Information Privacy Professional—United States (CIPP/US) and Europe (CIPP/E)—and is a certified Information Privacy Manager (CIPM).

