Tag Archives: Protection

GDPR One Year Later: Has Your Company Sorted Through The Confusion And Risks – What U.S. Companies Need To Remember

It’s been more than 1 year since Europe’s General Data Protection Regulations (GDPR) went into effect, and the data protection regulatory front still remains confusing and difficult to trudge through for many U.S. based companies. However, it is clear, there is no slowing down when it comes to increased data privacy regulation. Below is a refresher on the basics of GDPR, as last year we saw many U.S. based companies put aside the issue of whether they needed to focus dollars and time on complying with GDPR. As the regulatory front continues to grow and there is increasing pressure from consumers, customers and vendors to pay attention to data privacy laws (like GDPR), companies who avoided GDPR should review the jurisdictional requirements to confirm their compliance obligations.


Why should a U.S. (or local Midwest based) company pay attention to a set of regulations providing rights (in general) to residents of European nations? The answer is simple; GDPR’s extra-territorial reach allows European nations who have adopted GDPR to latch onto U.S. based companies who have no physical presence in Europe. A U.S. based company with no operations (or other establishment) in Europe will be subject to GDPR jurisdiction if the company either (1) offers goods or services to residents of European nations, or (2) monitors the behavior (i.e. through its website) of residents of European nations.


Companies who desire to start formulating a plan with respect to data privacy compliance should start with data mapping. Understanding where and who data is collected from, what the company does with the data and where and who data is shared with will help a company determine what data privacy regimes govern its operations. From there, a company can begin to pull together its data privacy compliance program (whether basic or more sophisticated) to ensure compliance with all applicable data privacy laws.


Among other things, GDPR requires a company to include specific disclosures in its website’s privacy policy, to have in place consent rights and disclosures with respect to the use of cookies, and to formulate various technical and operational policies and procedures with respect to the treatment and use of data.

Penalties under GDPR for noncompliance can be hefty and upwards of $20 million Euros or 4% of a company’s worldwide annual turnover (whichever is greater). Companies may also be subject to criminal penalties, suits by supervisory authorities or private rights of action by individuals. And today, various European supervisory authorities are beginning to investigate compliance among dozens of U.S. based companies.


Even if a company determines that GDPR’s jurisdictional reach does not apply to its operations, many U.S. based companies are seeing their customers and services providers require them to comply with the terms of GDPR (through flow-down liability). It is important for companies to understand what they are contractually signing up for and what impact agreeing to GDPR compliance will have.

What this means for most U.S. based companies, is that if GDPR is not yet on your radar (or you subtly ignored GDPR over the last few years), today is the day to review its application and take the necessary steps to gain compliance. With the regulatory focus on data privacy and security, even if GDPR does not apply to your company, almost all U.S. based companies will be impacted by various data privacy state laws working their way through local legislation. Starting with GDPR analysis is just the beginning!


As you are evaluating GDPR’s ongoing impact, our experienced privacy team is ready to partner with you in formulating a practical, effective and tailored compliance approach that minimizes disruptions to your company’s business plans. Here is a link for more information on our team: Privacy Team

Click here to read Tackling The California Market From The Midwest? What A Business Needs To Know About The California Consumer Privacy Act (CCPA)

Share Button

Lurking in the Shadows – Is Your Business Affected By The California Consumer Privacy Act?

Unless you have been paying attention to data privacy news, you may not realize that January 1, 2020, is the implementation date of the California Consumer Protection Act (CCPA) and that July 1, 2020, is the current deadline for the California Attorney General to implement regulations under CCPA.  As currently drafted, the CCPA directs the California Attorney General to forego bringing any enforcement action under the CCPA until six months after publication of such final regulations, or July 1, 2020, whichever is sooner.

The CCPA constitutes an expansion beyond California’s existing privacy laws and various provisions of the new law will apply to all businesses that do business in California:

  • With annual gross revenue greater than $25 million (not just in California),
  • That obtain or share for commercial purposes the personal information of 50,000 or more California residents, households or devices, or
  • That get 50% or more of their revenue from selling or sharing the personal information of California residents. 

Many non-California based businesses may be surprised to learn that they fall within the scope of the CCPA. 

The CCPA was passed quickly to avoid a similar voter initiative ballot measure, and as a result has numerous ambiguities and apparent inconsistencies. The law was amended on September 23, 2018, and it is very likely that the law will be changed again by amendment, and clarified through final rules and regulations, before it comes into effect on January 1, 2020.

In the meantime, it is useful to look at what the law, in its current form, will require. From a practical perspective, for businesses already following California’s existing privacy laws, some of the main differences under the new law will be: (1) allowing California residents to opt out of the sale of their personal information to third parties, (2) getting opt in consent before selling the personal information of California residents under the age of 16, (3) advising California residents, upon request and in privacy notices, what personal information the business has collected about them, how it was collected, why, and if it has been shared or sold, (4) the introduction of personal information “portability” and deletion requirements for businesses that maintain covered personal information; and (5) having a privacy policy that includes both online and offline personal information collection. 

Note that at this point, the application of the CCPA to employee data remains an open question. On its face, the CCPA appears to apply only to California “consumers.” However, the CCPA’s definition of consumer (a California resident) combined with California’s longstanding practice of protecting individual privacy rights, suggests that the CCPA also may extend to the personal information of California residents maintained as part of an employment relationship. If so, the CCPA would apply to residents of California who are job applicants, full or part time employees, temporary workers, interns, volunteers, independent contractors, and even such persons’ dependents or beneficiaries.

While the CCPA will almost certainly change again before it comes into effect on January 1, 2020, businesses may want to begin thinking now about some of the core new provisions in that law, in particular, how the business will respond to consumers’ requests for information about their personal information held by the business and such consumers’ requests to delete their personal information held by the business.  Note that as presently drafted, the CCPA requires businesses to maintain a twelve (12) month look back (as early as back to January 1, 2019) of data processing activities relating to covered personal information. 

Also worth watching is the law’s treatment of private rights of action. While the CCPA does not contain a private right of action for violation of any of the new disclosure or individual rights provisions, it does provide a private right of action for California consumers whose information has been compromised in a data breach resulting from inadequate security measures.  This essentially codifies the concept of negligence in California data breaches and, by imposing statutory damages ($100-$750), may largely affect the pleading and proof of damages in data breach cases, which is often the issue of greatest dispute.  From a litigation standpoint, these statutory damages plus the broad definition of “consumer” means that plaintiff’s attorneys may be gearing up to use the CCPA to bring cases against businesses that do business in California on behalf of a myriad of different groups about whom businesses typically hold personal information including, for example, end use customers, employees, shareholders and service providers and vendors.

If you have questions or would like to discuss the CCPA’s application to your business, please contact a member of the McGrath North Privacy and Data Security team.

Share Button