Businesses Already Struggle with a Panoply of New Privacy Laws. The CCPA Is Next.

Axel Spies

German attorney-at-law (Rechtsanwalt)

Dr. Axel Spies is a German attorney (Rechtsanwalt) with Morgan Lewis & Bockius (Washington DC) and co-publisher of the German journals Multi-Media-Recht (MMR) and Zeitschrift für Datenschutz (ZD).

May 25, 2018, was a milestone for privacy in Europe. The General Data Protection Regulation (GDPR) of 2016 became fully applicable. One of GDPR’s goals is a “consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union; the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States” (Recital 10 of the GDPR).

One year later, this ambitious goal has only been achieved in part. The German Federal Data Protection Act (the “new BDSG”) with its 84 new articles is actually longer than its predecessor, the “old” BDSG. Together with various state data protection acts, the much shorter “old” BDSG was the privacy law of Germany until May 25, 2018. Not only the companies, but also the (mostly understaffed) regulators struggle with the new rules. Germany has one federal and 15 independent state data protection offices. Other EU member states have their own privacy laws and regulations on top of the GDPR. In addition, the various guidelines, templates, and cases decided by the various data protection agencies and courts make it difficult to stay on top of the issues and has led to various “cookie banners,” “consent buttons,” “privacy notices,” etc. Courts, legislators, and regulators in Europe put more workload on the data protection officers and internal privacy compliance teams. They must now determine, for instance, whether they need prior consents from each customer whose personal data their website cookies collect. The management expects them to come up with compliance measures that avoid fines and inspections, but also that they do not blow a hole into their budget.

EU Privacy Rules Become More Complicated.

Ignoring the new rules is not an option. One trend in Europe is that inquiries and penalties for GDPR violations are on the rise. As an example, the Berlin data protection office recently imposed a fine of several million euros on a German company for GDPR violations. However, full compliance with the new rules assumes that the data controllers or processors fully understand what the regulators and courts expect from them. Unfortunately, new rules, guidelines, and decisions keep coming, and the work keeps piling up. The proposed new EU ePrivacy Regulation, for instance, covers various significant issues. As a regulation, it will be a legal act of the EU—immediately enforceable in all member states at the same time. The ePrivacy Regulation takes on board most GDPR definitions and expands the rules for online data processing. In particular, it tackles unsolicited marketing, and “cookies” that track users specifically. The proposal of the ePrivacy Regulation now includes any type of communications, including emails and text messages, to determine whether prior consent is required. Related rulings of the European Court of Justice (ECJ), such as the ECJ’s recent Planet49 judgement rendered on October 1 (case C 673-17) on cookie consents, are helpful to clarify legal uncertainties, but the judgements have also triggered more legal controversy among lawyers and commenters.

Privacy Notices Remain Inconsistent and Inadequate.

Even more than one year after the GDPR, privacy statements of the global industry still vary broadly. A new study of the Internet Society’s Online Trust Alliance (OTA) has analyzed more than 1,200 privacy notices from organizations around the world. The study found that in the cases where organizations share data with third parties, not a single privacy statement explicitly noted that the data subjects would be notified when their data was being either sold or shared. Just over one-half (57%) of organizations specifically noted in their privacy statements that they hold third parties to the same standards as themselves. While 70 percent of organizations had a designated point of contact for users concerned about the use of their personal data, the quality and nature of this contact varies widely.

The New California CCPA Also Impacts Non-U.S. Companies.

With all these European rules to comply with, and new privacy laws outside of the EU (for instance recently in Kenya and Brazil), the spotlight now shifts to the United States: The next privacy milestone will be January 1, 2020, when the California Consumer Privacy Act (CCPA) will become effective. California is the fifth largest economy in the world. Its new laws and regulations have an impact far beyond its borders. Many non-U.S. companies do business in California.  The new law applies broadly, and includes companies that are based outside of the state of California. In short, a “covered business” subject to the CCPA is any for-profit organization or legal entity that:

  • does business in California;
  • collects California residents’ “personal information” either directly or through a third party on its behalf;
  • determines the purposes and means of processing that information; and
  • one of the following applies: (i) has gross revenues in excess of $25 million; or (ii) annually buys, receives for the business’s commercial purposes, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or (iii) derives 50 percent or more of its annual revenues from selling consumers’ personal information.

Low Threshold for the CCPA

These thresholds defined in the CCPA and the California Attorney General’s draft Regulations are very low. For instance, the “gross revenue” is not only California revenue, but covers all U.S. revenue (and maybe even the revenue of a corporate group under the same brand worldwide). Moreover, the CCPA itself defines many terms broadly and differently from the GDPR:  For example, the definition of “business” includes any entity that controls or is controlled by a business if they share common branding. This definition includes, for instance, a non-U.S. parent company that does business in California through a branch. All too often, businesses forget that the CCPA applies to brick-and-mortar businesses and not just to the collection of personal information over the internet or to electronic records.

The CCPA may also indirectly apply to non-U.S.-based companies if they are classified as a “service provider” to a business subject to CCPA. A “service provider” is a legal entity that receives information from a business pursuant to a written contract that prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business or as otherwise permitted under the CCPA. For instance, a German game developer working for a company in California that receives the IP address of a gamer in California under a service provider contract may not use that IP address to send marketing emails of its own to the gamer and may not sell the gamer’s personal information.

As the privacy obligations in the CCPA and the GDPR are very different, companies thus struggle with the compliance on many fronts. Privacy policies become more and more lengthy and so complicated that the visitors click away cookie banners and privacy notifications. Other U.S. states may follow the lead of California or may pass their own rules. This will make compliance even more difficult. On top of it, certain personal information of a person may be temporarily exempted from the CCPA requirements, such as certain data from job applicants, employees, owners, directors, staff, officers, and contractors of a business until January 1, 2021. Companies need to understand what this means.  Another problem is that in case a data subject raises an issue (e.g., sends a simple request for “data access” under the CCPA), the receiving entity will have to ensure that that the person sending the request is actually from California and legitimate.

Would a “Layered Approach” by the Businesses Lead to Better Privacy Policies?

One way to deal with the unfortunate situation of being a servant to many masters is that companies start to use layered privacy policies: For instance, when a website visitor clicks on a  privacy policy, the website would ask where their user is located. It will then show the relevant privacy provisions once the user clicks on a link (such as “I am a consumer based in California”). In addition, a company could use icons or other symbols as the European Commission has suggested in its website for Small and Medium Sized Enterprises (SME) to make the privacy policy easier to understand. However, this approach will require that the user takes the extra step to click on such a link and fully understands the link and the meaning of the icon or symbol. Also, asking a website visitor for the location means asking for another piece of personal data. In any event, following the developments on so many fronts will require a lot of time and energy and certainly does not come cheap.

The views expressed are those of the author(s) alone. They do not necessarily reflect the views of the American Institute for Contemporary German Studies.