By: Stephen Anderson

Data privacy has recently been a hot topic for businesses and lawyers alike due to several worldwide statutory developments. While data privacy regulation is still developing and growing at a rapid pace, it is critical for early-stage companies interacting (or planning to interact) with personal information from individuals to have an understanding of what it means to be compliant with the most prominent data privacy laws. To help facilitate a basic understanding of how businesses collecting or using personal data are affected by these obligations, this blog post provides a basic overview of the major statutory and regulatory data privacy regimes in place, what those regimes require, and under what circumstances they might impact your business.

The European Union’s General Data Protection Regulation (“GDPR”)

The GDPR, enacted in 2018, is the primary data privacy regulation protecting residents in the European Union. The obligations imposed by the GDPR extend to organizations that target or collect personal data from individuals in the European Union.[1] The primary functions of the GDPR are to grant data privacy rights to individuals and make sure that those rights are respected by organizations that hold their personal information.

More specifically, the GDPR grants the following rights to all covered individuals with respect to their personal information:

  • The right to be informed;[2]
  • The right to access their personal data;[3]
  • The right to rectification of inaccurate data held by an organization;[4]
  • The right to erasure of their personal data;[5]
  • The right to restrict processing of their personal data;[6]
  • The right to data portability;[7]
  • The right to object to the processing of their data;[8] and
  • The right to not be subject to automated decision making with legal effects.[9]

The GDPR also outlines the exclusive circumstances under which the personal data of a European Union resident can be processed:

  • When the individual gives their unambiguous consent to do so;
  • When the processing is necessary to execute or prepare to enter a contract to which the individual is a party;
  • When processing is necessary to comply with a legal obligation;
  • When processing is necessary to save someone’s life;
  • When processing is necessary to perform a task in the public interest; or
  • When an organization has a “legitimate interest” to process personal data.

Because the GDPR grants these rights and limits the permissible reasons for collecting personal data, it is important for businesses collecting this information to be ready to both facilitate individuals’ exercise of their rights and proactively establish their legitimate purposes for collecting the data.

The California Consumer Privacy Act (“CCPA”)

The CCPA is the most comprehensive state data privacy law enacted in the United States to date; it became formally enforceable in July 2020. The CCPA governs data privacy rights and regulations related to the personal information of California residents collected by businesses, regardless of where a business may be located.

Like the GDPR, the CCPA grants certain rights to California residents:

  • The right to know what type of personal information a business has collected about them;[10]
  • The right to know how their personal information is being used;[11]
  • The right, with a few exceptions, to have their personal information deleted;[12]
  • The right to opt-out of the sale of their personal information;[13] and
  • The right to not be discriminated against for exercising their rights under the CCPA.[14]

In addition to these rights, the CCPA requires qualified businesses to take additional steps beyond mere responsiveness to consumer requests, such as:

  • Making certain information available to consumers such as methods for submitting requests for information or deletion;[15]
  • Disclosing and delivering information to requesting consumers free of charge within 45 days of the request;[16]
  • Disclosing in the business’s online privacy policy a description of consumers’ rights, the categories of personal information collected about consumers in the preceding year, the categories of personal information the business has sold to third parties in the preceding year, and a list of the categories of personal information disclosed about consumers for business purposes within the preceding year.[17]

Although the CCPA only applies to companies that (i) have at least $25 million in gross revenues, (ii) collect, maintain or buy the personal information of at least 50,000 individuals, or (iii) derive at least 50% of their income from the sale of personal information, it is important for startups handling personal information to understand whether the statute applies to them and what steps they need to take to be in compliance.[18]

Pending Federal Legislation

In addition to the regulatory schemes discussed above, there have been several recent federal legislative proposals that, if enacted into law, would create a generally applicable data privacy regulation in the United States. One example is the SAFE DATA Act, introduced just last month, which includes provisions granting Americans rights to access, correct, and delete their personal data, limiting the scope of what businesses can do with data without prior consent, and requiring covered businesses to publish privacy policies with certain content.[19] While it is unclear what exactly the finished product of a comprehensive data privacy statute at the federal level will look like, it is highly likely that one is on its way in the foreseeable future. Further, if the legislation ultimately enacted into law looks anything like the 2020 bill proposals, such as the SAFE DATA Act, businesses can expect that federal law will share two major components with the GDPR and CCPA. First, it would grant individuals residing in the U.S. exclusive rights related to their personal data held by business entities. Second, it would require businesses collecting or storing personal data to take steps to be responsive to consumers’ rights, keep whatever personal information they maintain secure, and make certain disclosures about what they do with it.

Conclusion

In sum, the web of existing and developing regulatory schemes makes determining which requirements apply to your company a difficult task. Nevertheless, if your company is collecting personal information from users, customers, or other individuals, it is important to evaluate whether those individuals reside in jurisdictions with comprehensive data privacy laws and to examine your procedures to make sure you are compliant with any that apply.

Even if the most restrictive existing data privacy laws do not impact your company’s data collection activities right now, it is important to plan ahead by taking a proactive approach to ensuring your legal compliance. Not only could existing regulations and statutes begin to apply to your company as you scale and expand, but new schemes (like a federal data privacy bill) could impose requirements similar to, or in addition to, those of existing regulatory schemes. Consequently, taking measures to comply with some of the most comprehensive schemes out there is a prudent strategy for being ready when new data privacy regulations become applicable to your business operations.

[1] European Union, What is the GDPR, the EU’s new data protection law? https://gdpr.eu/what-is-gdpr/.

[2] Regulation (EU) 2016/679, of the European Parliament and the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), art. 14, 2016 O.J. (L 119) 1.

[3] Id. art. 15.

[4] Id. art. 16.

[5] Id. art. 17.

[6] Id. art. 18.

[7] Id. art. 20.

[8] Id. art. 21.

[9] Id. art. 22.

[10] California Consumer Privacy Act of 2018 (“CCPA”), Cal. Civ. Code § 1798.100 (2018).

[11] Id.

[12] Id. § 1798.105.

[13] Id. § 1798.120.

[14] Id. § 1798.125.

[15] Id. § 1798.130(a)(1)(a).

[16] Id. § 1798.130(a)(2).

[17] Id. § 1798.130(a)(5).

[18] Id. § 1798.140(c)(1).

[19] U.S. Senate Committee on Commerce, Science, & Transportation, Wicker, Thune, Fischer, Blackburn Introduce Consumer Data Privacy Legislation (2020), https://www.commerce.senate.gov/2020/9/wicker-thune-fischer-blackburn-introduce-consumer-data-privacy-legislation; Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act, S.4626, 116th Cong. §§ 102, 103(a)(1), 104(a) (2020).