In the last post, I introduced BizConnect, a hypothetical startup software company, who is concerned about privacy law compliance.
BizConnect is in discussion with several prospective EU customers who have been talking about this new law, the General Data Protection Regulation or GDPR, which will become effective very soon – on May 25, 2018.
The next several blog posts will discuss in detail ten privacy law best practices, which were described in the last post.
The first practice I’ll discuss in this post is:
Adopt a US and EU law compliant privacy policy.
In the context of the BizConnect hypothetical, its privacy policy needs to consider the following three areas of legal compliance:
1) US Federal Trade Commission (FTC) – the FTC has jurisdiction over U.S. websites that engage in deceptive and misleading practices;
2) California law (CalOPPA) – CalOPPA applies to any website that collects personal information from California residents; and
3) European Union’s General Data Protection Regulation (GDPR). – the GDPR reaches any U.S. company that collects and/or processes personal information of EU residents.
The detailed requirements of each of these areas of legal compliance can be found here.
In preparing its privacy policy, BizConnect needs to answer the following four questions.
1. What personal information is collected?
Before BizConnect can answer this question, it needs to understand the definition of personal information. In the U.S. the standard term to refer to protected personal information is “personally identifiable data” or “PII” whereas in Europe, “personal data” is the term that is used to refer to legally protectable personal information.
California requires disclosure of the types of personal information collected. CalOPPA’s definition of personal information can be found here.
GDPR has the broadest definition and includes not only typical information like name and email but also web data such as location, IP addresses, cookie data and RFID tags, or any information that could be reasonably combined with other information to identify a person.
BizConnect hypothetical: BizConnect is collecting name and email information. Payment information is being provided to a third party payment processor.
2. What are the uses of the personal information?
Typically the most narrow use is to provide the service or products that the user has contacted the website to obtain.
California does not require disclosure of the uses of the personal information by the website operator unless the information is shared with third parties for marketing purposes. U.S. privacy policies generally include information about the uses of the personal information, as this is included in the FTC’s published best practices.
Best practice: Use double opt-in consent where the user must go to their email and click again on the vendor’s email to “opt-in” to their marketing list or other services not associated with a contract.
GDPR requires the following disclosures about the uses of the personal information (or personal data as used in the EU):
(i) Purpose limitation is designed to place the onus on the data collector, called the data controller in the GDPR, to limit the use of the personal data to the purpose expressly stated in the privacy policy or other applicable documents.
(ii) Legal basis for collecting the information is express, opt-in consent unless there is another basis such as performance of a contract as specified in Article 6 of the GDPR.
If U.S. companies collect personal information of EU residents directly from their websites without adequate consent from those data subjects, this will be a violation of GDPR. The GDPR calls for “freely given, specific, informed, and unambiguous” consent, and “carried out by a statement or by clear affirmative action.” Most experts are recommending an express opt-in consent mechanism.
There is some softening of the opt-in consent for B2B EU residents (in most countries). For example, if a B2B potential customer entered its personal data (name and email) in order to receive a marketing guide, you could continue to provide other materials to them as long as they have clear and conspicuous opportunity to unsubscribe, and there is link to your GDPR compliant privacy practices document.
However, for B2C EU residents, you could not continue to send them other materials without another opt-in consent. Note that some countries like Germany have stricter policies and B2B communications also need clear opt-in consent.
Remember if the data subject (GDPR term for the EU resident giving its personal data) enters into a contract with the U.S. company, then the U.S. company does not need the express opt-in consent to establish the legal basis for collecting the personal data.
(iii) Retention period: GDPR also has a requirement to disclose how long personal data will be retained.
BizConnect:
Where the customers contract directly with BizConnect, the contract serves as the legal basis for collecting the personal information (personal data under the GDPR). This makes sense where the customers are individuals.
Where BizConnect customers are commercial enterprises who are acting as data controllers under the GDPR by collecting the personal information of their employees, like name and email, in order to use the BizConnect software service, then the BizConnect customer needs to obtain the express opt-in consent from their employees.
In this situation, BizConnect acts as a data processor under the GDPR, and will need to ensure that it has contractual protections both under the GDPR – the Privacy Shield and/or model clauses (discussed in later post in detail) -- but also indemnification by the customer for any GDPR liability based on its failure to properly obtain consent (or otherwise not comply with GDPR). This will be discussed in more detail in a future post.
If BizConnect collects user information on its website for general marketing purposes, it needs to ensure that the users opt-in to such marketing services. BizConnect plans to use the best practices of double opt-in and request opt-in for additional materials to be compliant with all EU countries.
BizConnect will hold the personal data no longer than 30 days following expiration or termination of services.
3. What security protections are there for the personal information?
Neither California (nor any U.S. jurisdiction) prescribes specific requirements to disclose security measures used to protect personal information collected by website operator. However, certain categories of personal information such as health or financial data (as discussed in the prior post) can trigger specific requirements including security practices.
That said, California and 48 other states have data breach notification statutes that Facebook likely violated when it failed to disclose the unauthorized use of users’ data by Cambridge Analytica in 2015.
Also like the question of describing uses of the personal information, many U.S. companies’ privacy policies do describe to some degree their security practices to protect personal information.
Word of Caution: This is an area that has triggered FTC investigations, consent decrees, and possible fines. Companies have promised a greater degree of security practices then they delivered. For example, Snapchat agreed to strengthen their privacy and security practices in a consent decree with the FTC after it was found that users did not receive the privacy that they were promised.
GDPR has very robust measures for ensuring that companies that collect personal information (data controllers) and process personal information on behalf of data controllers (data processors) take security measures seriously.
Many companies will be required under the GDPR to implement a data protection impact assessment (DPIA), which will include data mapping, gap identification, remediation steps, as well as security procedures and training. Also depending on the nature of the company’s operations, the company may need to appoint a Data Protection Officer who is knowledgeable about the GDPR and monitors the company’s compliance with it. This will be discussed in more detail in a future post.
BizConnect, a small company, is still trying to understand its responsibilities for disclosure about security practices. Here are questions it is working through.
How does it protect personal data in transit and data at rest? Does it use encryption for personal data in transit? Does it have password protocols and training for employees that handle the personal data?
As a small company, BizConnect would likely emphasize that the users’ data is hosted on Amazon Web Services and direct users to the AWS descriptions of its security practices. SSAE 16 (SOC I and II) is a common protocol that demonstrates compliance with a high level of security practices. AWS has been certified as SSAE 16 compliant. BizConnect needs to look carefully at its own practices for handling personal data before it is received by AWS and in transit to AWS. This will be discussed in more detail in a future post.
4. What notification(s) are required to users of privacy practices?
California (CalOPPA) requires website operators to provide information regarding how users can notify website operator to amend their information and about how website operators will notify users of changes.
A California compliant website will include an email contact for users to contact the company, and the website operator regularly checks that it is active.
Best Practice: Companies should make stronger efforts to notify current users directly of material changes to their privacy policy and allow users an opportunity to withdraw from the services if they do not agree to the changes.
The FTC will bring actions against companies who retroactively make changes to their privacy policy without appropriate notice to users. Google and Facebook have found themselves subject to consent decrees arising in part out of retroactive changes to their privacy policies.
GDPR requires notification to users (called “data subjects” in the GDPR) about their rights under the GDPR including:
a) Data Subject’s right to amend or delete its information.
b) Data Subject’s right to withdraw consent at any time.
c) Data Subject’s right to lodge a complaint with a supervisory authority (in the applicable EU country).
BizConnect’s privacy policy will include information about how users can contact the company to amend or delete their information BizConnect will also notify users that they may withdraw consent to company’s use of their information but such withdrawal of consent means that the company can no longer provide them with the services.
BizConnect will also notify EU users of their right to lodge a complaint with a supervisory authority. Finally BizConnect will state that it will notify users of changes to the privacy policy by amending it and revising the effective date of the policy.
As its internal policy, BizConnect intends to notify current users directly of changes materially affecting their users privacy rights, and in those cases, to notify users of the opportunity to withdraw from the services if they do not agree to the changes.
Special Requirements
Now that BizConnect has answered the main questions, it still needs to be sure its privacy policy complies with a few other special requirements of California and EU’s GDPR.
California (CalOPPA):
The privacy policy must state how it responds to Do Not Track requests. The California law does not require that a company respond to the requests but they need to disclose whether or not they do.
Also if it shares any personal information with third parties for marketing purposes, there are other disclosures required.
BizConnect will add a statement that it does not respond to Do Not Track requests.
BizConnect will also add an effective date of the policy, and revise that date when changes are made. BizConnect does not share users’ information with third parties for marketing purposes.
GDPR:
Other requirements, in addition to those listed above, include disclosing whether there is automatic profiling, and notifying users of the right to lodge a complaint with a supervisory authority.
BizConnect does not conduct automatic profiling.
US Privacy Shield:
The US Privacy Shield requires that US companies certifying as compliant with the Privacy Shield have a privacy policy that complies with certain principles largely drawn from the GDPR.
The US Privacy Shield is a vehicle for a US company to be considered by the EU to provide adequate protection for the transfer (or export) of EU residents’ personal data.
For privacy policies to be considered US Privacy Shield compliant they will also require a) a link to the US Privacy Shield website; and b) an appointment of a third party dispute resolution provider or a commitment to cooperate with the European Data Protection Authorities. This will be covered in a later post.
The next post will describe and discuss #2 best practice:
Self-certify compliance with the U.S. Privacy Shield
All 10 best practices can be found here.