New Year, New Privacy Laws—Are You Compliant?

As we head into the new year, the CDAS Digital Media and Technology group would like to remind you about new developments in privacy law that might affect your business.

Greater Transparency and Access Under New California Consumer Privacy Act (CCPA)

Taking effect on January 1, 2020, the new California Consumer Privacy Protection Act requires businesses, both inside and outside California, to provide increased transparency and access regarding their collection and monetization of personal data from California residents. Companies that, on an annual basis, have gross revenues of at least $25 million, obtain personal information of at least 50,000 California residents, households, and/or devices, or generate at least half of their revenue from selling California residents’ personal information must disclose data collection practices to Californians upon both request and collection, delete personal information about a consumer upon request, provide consumers the opportunity to opt out of the sale of personal information, and comply with certain data security procedures or else face lawsuits from those consumers subject to a data breach. Non-compliant companies are subject to fines of $2,500 per violation and up to $7,500 for each “intentional violation,” as well as damages in a possible consumer data breach lawsuit. If you believe CCPA might apply to your business now or at any point in the future, contact our team for a briefing on compliance.

EU Court of Justice: Active Consent Required for Cookie Collection from EU Citizens

If your business is subject to the European Union’s General Data Protection Regulation (GDPR), a new ruling from the EU Court of Justice could affect how you disclose your use of cookies and similar technology to your customers or website visitors in the European Union Member States and European Economic Area. A website that tracks and stores its users’ website activities must obtain those users’ active consent, meaning a pre-checked box is insufficient for a user to intentionally opt in to the website’s use and storage of cookies, regardless of whether the tracking data being collected is personally identifiable. The court also reiterated GDPR’s disclosure requirements around the use and storage of, and third parties’ access to, cookie data. Specifically, a website should not have a popup banner stating cookies are already being stored when a user lands on the site; these types of banners are common on US websites and usually have a box to click “ok” or “dismiss,” but that is not considered active consent in the EU even if a user clicks the “ok” or “dismiss” box. Regardless of whether GDPR applies to your business, the changing landscape of privacy law suggests that inclusion of clear options for users to accept or reject the use of cookies is a best practice across the board.

New York is Next

This summer, New York passed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which requires companies that buy or license New York residents’ private information to develop, implement, and maintain reasonable physical, technical, and administrative safeguards to better protect the security, confidentiality, and integrity of personal information. Based on the passage of the SHIELD Act, privacy lawyers and policy experts alike anticipate a robust data privacy law will be enacted in New York similar to CCPA. The New York State Senate is currently considering the New York Privacy Act (SB S5642), which would regulate the storage, use, disclosure, and sale of consumer personal data by businesses operating or marketing products and services in New York by requiring companies to “act in the best interests of the consumer without regard to the interest of the entity, controller or data broker” and provide their consumers with a “clear, meaningful privacy notice” and an opportunity to opt in or opt out of providing personal data. Companies that fail to comply would be subject to enforcement actions by the New York Attorney General under deceptive trade practices and unfair competition laws. Most recently, the bill was discussed in committee; stay tuned for further updates from CDAS as this legislation progresses.

***

CDAS counsels businesses on data privacy regulations and best practices and can provide guidance and strategy on how to comply with CCPA or GDPR. Contact our Digital Media and Technology group for a compliance evaluation and advice on best practices.