Thursday, July 12, 2018

Comparing GDPR "Privacy by Design" and California Consumer Privacy Act of 2018

Most business people know that data protection, cybersecurity, “safe” profiling and ethical marketing are compliance obligations under the European Union’s General Data Protection Regulation (effective May 25, 2018, the “GDPR”). Echoing the GDPR, on June 28, 2018, effective January 1, 2020, California’s Consumer Privacy Act of 2018 ("CCPA") adopted substantially the same protections for California residents as GDPR does for EU (and EEA) residents. This article compares the EU’s GDPR and the California Consumer Privacy Act and offers some focus for business strategies.

Hidden Profiling. Both GDPR and CCPA focus on unauthorized “profiling” of consumer information that would enable online marketers, using metadata collected without the individual’s knowledge or consent, to draw conclusions about a consumer’s purchasing habits and preferences. The CCPA attacks unauthorized profiling for drawing inferences on “the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligences, abilities and aptitudes.” Sounds like Marketing Segmentation 101.

Privacy Policies. Both GDPR and CCPA require privacy policies and procedures to give an individual notice about the categories of personal information being collected, the categories of sources, the business or commercial purposes for collection or use and the categories of third parties with whom personal data are shared or sold. Both require “informed consent” (or other justified need). Given the similarities, your privacy practices and corresponding privacy policies can probably be “synchronized” to meet the goals of both California Consumer Privacy Act and the General Data Protection Regulation.

Rights of the Individual. Both GDPR and CCPA give the individual the right to access, correct and even request the deletion of personal data, and to receive their personal information in “portable” data formats. Both permit website operators to refuse to delete data where necessary to fulfill a contract and for compliance with law enforcement. GDPR permits retention for “legitimate interests” of the data controller or data processor. The CCPA permits retention “to enable solely internal uses [by the data controller or processor] that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.” Both exceptions leave a lot of wiggle room for legal interpretations and litigation.

Enforcement. Each law creates legal rights for individuals whose personal information has been collected, processed or stored without consent (or other “legitimate” purpose). Such rights can be enforced individually or by class action, so the larger the class, the higher the cost. Each permits government officials to sue on behalf of an injured class of consumers. The GDPR permits imposition of fines up to 4% of the worldwide revenues of affiliated groups. The CCPA specifies minimum penalties of at least $100 (up to $750, or greater, for actual damages) per violation per individual. Given the U.S. Supreme Court’s June 21, 2018 Wayfair decision (allowing states to impose sales taxes on out-of-state Internet sales as a reasonable and non-discriminatory burden on interstate commerce), the extraterritorial application of California and EU laws will likely be enforceable as a matter of U.S. constitutional law, too.

Differences between California Consumer Privacy Act and EU General Data Protection Regulation. The California Consumer Privacy Act of 2018 has several features that differ from the GDPR:
  • Who Must Comply. The GDPR applies to any personal data of any resident of the European Union and the European Economic Area that are processed outside such zones. The CCPA applies to data collectors that meet one of three conditions: (1) gross annual revenues of $25 million, (2) collects, shares or sells personal information from 50,000 or more persons per year, or (3) derives 50% or more of annual revenues from “selling” (sharing) consumers’ personal information. Thus, California law applies to any mid-market enterprise, one with CRM data on over 50,000 people or any search-engine optimization digital media business.

  • No Discrimination against Individuals Asserting Privacy Rights. California grants a right to California residents to equal service and price, even if they exercise their privacy rights (for example, by refusing to trade their personal information for a sweepstakes entry or free limited subscription). Online marketers cannot charge “different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.” Nor can online marketers “provide a different level or quality of goods or services to the consumer, if the consumer exercises the consumer’s rights” to privacy. But a business may offer a different price, rate, level or quality of goods or services if the price or other difference is “directly related to the value provided to the consumer by the consumer’s data.” So this invites price discrimination on the basis of a consumer’s income level or net worth.

  • No Vicarious Liability of Data Controller for Breach of Privacy by Data Processor. While the GDPR requires data controllers (who collect personal information) to impose “data processing agreements” on data processors, the California Consumer Privacy Act does not. Instead, the CCPA holds the data controller liable only if it is aware of the data processor’s breach of privacy and does nothing to stop it.

Actions to Limit Potential Liability. Business managers can avoid liability for privacy breaches by making a small investment in privacy design, policy, procedures and emergency management planning.
  • Your New “Customer Relationship Management”: Personal Attention, not Just CRM. Your website privacy policy (and terms and conditions of use) should be revised to align your business model with privacy laws. You can get more credibility, customer loyalty and greater legal protection if you carefully disclose, and obtain individual “informed consent” to your stated business purposes, intended uses and possible future disclosures as to all personal information. This transparency is especially important under the California Consumer Privacy Act because its definition of “personal information” is exceptionally broad. Transparency is likewise essential to avoid Federal Trade Commission claims of deceptive practices.

  • Business Model Review. The GDPR and CCPA, and new laws likely to be adopted by U.S. federal and state legislators, require all business owners, marketing departments and sales managers to review their business models. “Digital transformation” of the business from Main Street to the Internet, together with search engine optimization and social media tools, generates huge data sets. Your business model should be based on disclosing your value proposition and inducing your clientele to place trust in the legitimacy of your uses of their personal information. You should give great attention to why there is some value for both you and the customer in doing business with you. If you follow the California model, you can redesign your business to offer financial incentives for collection of personal information.

  • Managing your Data Supply Chain and Value Chain: Updating Your Data Processing Agreements. It’s time to re-examine the ecosystem in which you collect and process, directly or through outsourced service providers, personal data and transactions with customers.
    • Maybe you should localize in Europe your data processing for European residents.
    • Or you might focus on trusted data processors who adopt the U.S. “Privacy Shield” self-certification program that is enforced by the U.S. Department of Commerce in support of the EU’s GDPR.
    • Or you might just rely upon your service provider’s contractual assurance not to use or disclose the personal information other than for the contractual processing requirements.
    • Or adopt the “model clauses” under the EU’s data protection regime.

  • Using “Good” Technology to Defeat “Bad” Technology. Encryption, pseudonymization and de-personalization technologies can relieve the stress of possible privacy violations. If you have the right tools, compliance should be easier, and your business owners might relax more.

In short, it’s time to rethink your relationship with your customer and the impact of these privacy laws on your business model and your business operations. Having done this process for our clients, I have found this a rewarding opportunity for compliance functions to support marketing functions.
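As an added illustration of the pseudonymization the article recommends (this is example code written for this page, not the author's or any client's system), the following Python sketch replaces the direct identifier in a customer record with a keyed HMAC token. The secret key, the helper names and the sample records are all constructed assumptions. Marketing analytics such as spend-per-customer can still run on the tokenized records, because the same customer always maps to the same token, yet nobody holding only the tokenized data can recover the e-mail address without the key. Keeping the key separate from the dataset is what turns "hashed" data into genuinely pseudonymous data; a plain unkeyed hash of an e-mail address is not enough, because anyone can recompute it from a candidate list of addresses. Destroying the key also gives the business a simple way to honor deletion requests for data it has already shared.

```python
import hashlib
import hmac
import secrets

# Constructed sample CRM records (fictional people, fictional values).
SAMPLE_RECORDS = [
    {"email": "ana@example.com", "postcode": "94105", "spend": 120.0},
    {"email": "Ana@Example.com", "postcode": "94105", "spend": 80.0},
    {"email": "bo@example.net", "postcode": "10001", "spend": 15.5},
]


def generate_key() -> bytes:
    """Pseudonymization key. Store it separately from the tokenized data
    (e.g. in a secrets manager), never alongside the records."""
    return secrets.token_bytes(32)


def token_for(email: str, key: bytes) -> str:
    """Keyed, deterministic token for one identifier. Normalizing case first
    ensures the same person always yields the same token."""
    normalized = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def unkeyed_token(email: str) -> str:
    """The weak variant shown for contrast: an unkeyed hash can be recomputed
    by anyone who can guess the address, so it does not pseudonymize."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def pseudonymize_record(record: dict, key: bytes) -> dict:
    """Replace the direct identifier with a token and coarsen the postcode so
    the shared record carries only what the stated purpose needs."""
    return {
        "subject_token": token_for(record["email"], key),
        "postcode_prefix": record["postcode"][:3],
        "spend": record["spend"],
    }


def pseudonymize_dataset(records: list, key: bytes) -> list:
    return [pseudonymize_record(r, key) for r in records]


def spend_per_subject(pseudo_records: list) -> dict:
    """Segmentation-style analytics that works on tokens alone."""
    totals: dict = {}
    for r in pseudo_records:
        totals[r["subject_token"]] = totals.get(r["subject_token"], 0.0) + r["spend"]
    return totals


def resolve_erasure_request(pseudo_records: list, email: str, key: bytes) -> list:
    """Honor a deletion request: only the key holder can map the identifier
    back to its token and drop the matching rows."""
    target = token_for(email, key)
    return [r for r in pseudo_records if r["subject_token"] != target]


if __name__ == "__main__":
    key = generate_key()
    pseudo = pseudonymize_dataset(SAMPLE_RECORDS, key)
    print(spend_per_subject(pseudo))
    print(len(resolve_erasure_request(pseudo, "ana@example.com", key)), "records after erasure")
```

In practice the key should be rotated per purpose or per recipient, so that two downstream processors receiving tokenized extracts cannot join their datasets on a shared token; the example uses one key only to keep the illustration short.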