By Jennifer L. Sheridan, Esq.
In the last post, I introduced BizConnect, a hypothetical startup software company concerned about privacy law compliance.
BizConnect is in discussion with several prospective EU customers who have been talking about this new law, the General Data Protection Regulation or GDPR, which became effective on May 25, 2018.
The next several blog posts will discuss ten privacy law best practices, listed in the last post.
- US Federal Trade Commission (FTC): The FTC has jurisdiction over U.S. websites that engage in deceptive and misleading practices.
- California law (CalOPPA): CalOPPA applies to any website that collects personal information from California residents.
- EU General Data Protection Regulation (GDPR): The GDPR reaches any U.S. company that collects and/or processes personal information of EU residents.
The detailed requirements for each can be found here.
1. What personal information is collected?
To answer this question, BizConnect needs to understand the definition of “personal information.” In the U.S., the standard term is “personally identifiable information” or “PII,” WHILE in Europe, “personal data” is the common term.
CalOPPA’s definition of personal information can be found here.
GDPR has the broadest definition and includes not only typical information, like name and email, but also web data, such as location, IP addresses, cookie information, and RFID tags, as well as any information that could be reasonably combined with other information to identify a person.
BizConnect: BizConnect is collecting name and email information. Payment information is being provided to a third party payment processor.
2. What are the uses of the personal information?
Typically, the narrowest use is to provide the service or products in question.
California does not require disclosure of the uses of the personal information,unless the information is shared with third parties for marketing purposes. U.S. privacy policies generally include information about uses of the personal information, as this is included in the FTC’s published best practices.
Best practice: Use double opt-in consent. The user must go to his or her email and click again on a message from the vendor to “opt-in” to the marketing list or other services not associated with a contract.
GDPR requires the following disclosures about the uses of the personal information (or personal data as used in the EU):
- Legal basis for collecting the information is express, opt-in consent, unless is the data controller has another basis, such as performance of a contract (as specified in Article 6 of the GDPR).
If U.S. companies collect personal information of EU residents without adequate consent, they violate GDPR. The GDPR calls for “freely given, specific, informed, and unambiguous” consent, and “carried out by a statement or by clear affirmative action.” Most experts are recommending an express opt-in consent mechanism.
There is some softening of the opt-in consent for B2B EU residents (in most countries). For example, if a B2B potential customer entered its personal data (name and email) to receive a marketing guide, the data controller could continue to provide other materials, as long as the data subjects have a clear and conspicuous opportunity to unsubscribe, and so long as the data controller provides a link to its GDPR compliant privacy practices document.
But to send B2C EU residentsadditional materials, the controller would need another opt-in consent. Note that some countries (e.g., Germany) have stricter policies, and B2B communications also need opt-in consent.
Remember if the data subject contracts with the U.S. company, that company does not need the express opt-in consent to establish the legal basis for collecting the personal data.
- Retention period: GDPR also has a requirement to disclose how long personal data will be retained.
Where the customers contract directly with BizConnect, the contract serves as the legal basis for collecting the personal information (personal data under the GDPR). This makes sense where the customers are individuals.
Where BizConnect customers are commercial enterprises acting as data controllers under the GDPR (e.g., by collecting the personal information of their employees to use the BizConnect software service), then the BizConnect customers need express opt-in consent from their employees.
In this situation, BizConnect acts as a “data processor” under the GDPR: as a company processing personal information on behalf of a data controller. BizConnect will still need contractual protections under the GDPR: the Privacy Shield and/or model clauses (discussed in later post in detail). BizConnect should also consider indemnification from the customer for any GDPR liability based on its failure to obtain consent (or GDPR violation). We’ll discuss this in more detail in a future post.
If BizConnect collects user information on its website for general marketing purposes, it needs to ensure that the users opt-in.
BizConnect plans to use the best practices of double opt-in and request opt-in for additional materials to be compliant with all EU countries. It will hold the personal data no longer than 30 days following expiration or termination of services.
3. What security protections are there for the personal information?
Neither California (nor any U.S. jurisdiction) requires disclosure of security measures. However, certain categories of personal information, such as health or financial data (discussed in the prior post), can trigger specific security obligations.
That said, California and 48 other states have data breach notification statutes. (Facebook likely violated them when it failed to disclose Cambridge Analytica’s unauthorized use of users’ data in 2015.)
Also, many U.S. companies’ privacy policies do describe to some degree their security practices to protect personal information.
Word of Caution: This disclosure of security protections has triggered FTC investigations, consent decrees, and possible fines. Companies have promised more security then they delivered. For example, the FTC held that Snapchat users did not receive the privacy that they were promised, leading to a consent decree requiring better security.
GDPR has very robust measures for ensuring data controllers and data processors take security measures seriously. Many companies will be required to implement a data protection impact assessment (DPIA), addressing data mapping, gap identification, and remediation steps, as well as security procedures and training. And depending on the company’s operations, it may need to appoint a Data Protection Officer to monitor compliance. We’ll discuss this in more detail in a future post.
BizConnect, a small company, is still trying to understand its responsibilities for disclosure about security practices. For instance, howdoes BizConnect protect personal data in transit and data at rest? Does it use encryption for personal data in transit? Does it have password protocols and training for employees that handle the personal data?
As a small company, BizConnect would likely emphasize that the users’ data is hosted on Amazon Web Services and direct users to the AWS descriptions of its security practices. SSAE 16 (SOC I and II) is a common protocol that demonstrates compliance with a high level of security practices. AWS has been certified as SSAE 16 compliant. BizConnect needs to look carefully at its own practices for handling personal data before it is received by AWS and again in transit to AWS. We’ll discuss this in more detail in a future post.
4. What notification(s) are required to users of privacy practices?
Best Practice: Companies should notify users directly of material changes to their privacy policies and provide an opportunity to withdraw if the user does not agree to the change.
GDPR requires notification to data subjects about their rights under the GDPR including:
- Data Subject’s right to amend or delete its information.
- Data Subject’s right to withdraw consent at any time.
- Data Subject’s right to lodge a complaint with a supervisory authority (in the applicable EU country).
As its internal policy, BizConnect intends to notify current users directly of changes materially affecting their users’ privacy rights, and in those cases, to notify users of the opportunity to withdraw if they do not agree to the changes.
Also, if it shares any personal information with third parties for marketing purposes, the company must make other disclosures.
BizConnect will add a statement that it does not respond to Do Not Track requests.
It will also add an effective date to the policy and revise that date when changes are made. BizConnect does not share users’ information with third parties for marketing purposes.
GDPR’s additional requirements include disclosing whether there is automatic profiling and notifying users of the right to lodge a complaint with a supervisory authority.
BizConnect does not conduct automatic profiling.
US Privacy Shield:
The US Privacy Shield is a vehicle for a US company to be considered by the EU to provide adequate protection for the transfer (or export) of EU residents’ personal data.
For privacy policies to be considered US Privacy Shield compliant, they will also require (a) a link to the US Privacy Shield website and (b) appointment of a third party dispute resolution provider or a commitment to cooperate with the European Data Protection Authorities. We will cover this in a later post.
The next post will describe and discuss #2 best practice:
Self-certify compliance with the U.S. Privacy Shield
All 10 best practices can be found here .
Jennifer Sheridan is an attorney. She serves as Of Counsel with Sycamore Legal, P.C., a San Francisco IT and IP boutique law firm founded by David Tollen, who also founded Tech Contracts Academy. Jenny specializes in technology contracts and privacy.
© 2018 by Tech Contracts Academy. All rights reserved.