The changing face of e-commerce

QUESTION: Our website is becoming increasingly important to our business. I’ve also heard there are some new laws, even laws from other countries, that might now apply. Can that be true? What happens if I don’t comply? I want to make only the changes I absolutely have to.

Answer: This is one of the most rapidly changing areas of the law and mistakes can be enormously expensive. Businesses and consumers around the world have become highly sensitized to the data collection practices of companies with which they interact electronically. However, until recently, the legal requirements applicable to the collection and use of consumer data were patchy and often inconsistent.

All of that is changing. Compliance with the European Union’s General Data Protection Regulation (GDPR) became mandatory as of May 26, 2018, and compliance with the California Consumer Privacy Act (CCPA) will become mandatory on Jan. 1, 2020.

GDPR. As the first sweeping consumer data privacy regulation of its kind, it was passed April 14, 2016, and now is applicable to any organization operating within the European Economic Area (EEA) as well as to organizations located outside the EEA if they offer goods or services to customers or businesses located in the EEA — which currently includes all European Union member countries as well as Iceland, Liechtenstein and Norway.

The term “offer” vastly expands the GDPR’s potential applicability. In fact, any organization offering goods or services for sale anywhere online now can technically be deemed to be offering such goods or services to customers in the EEA unless they have in some way restricted the website access of EEA residents. It is not yet clear whether or how stringently the GDPR might be enforced in non-EEA countries, or by what means, which suggests that more legislation is on the way. It seems more likely, both constitutionally and politically, that the United States and/or the individual states would enact parallel laws, such as the CCPA in California.

This apparent conundrum appears to have been reflected in the efforts of the U.S. Department of Commerce, the European Commission and the Swiss Administration, in their collective development of the Privacy Shield Frameworks — an effort to facilitate U.S. companies’ compliance with GDPR obligations pertaining to porting personal data from the EU to the U.S.

Participation in Privacy Shield Frameworks currently is voluntary and, to date, relevant U.S. enforcement efforts primarily have focused on companies’ misrepresentations of their Privacy Shield certification status, which technically constitute violations of U.S. law rather than GDPR violations. The fact that there now is an enforcement avenue — albeit indirect — with respect to the GDPR in the United States, and with the concepts embodied in the GDPR already appearing to have found their way into California law, means it is time for companies to commence compliance efforts as soon as possible.

The GDPR regulates an organization’s methods of collecting personal data — defined as any information relating to an identified or identifiable natural person — as well as the retention, use and destruction of such data.

Generally, an organization subject to the GDPR must:

  • Obtain affirmative consent to collect personal data. The terms of such consent must clearly identify the data to be collected and the uses of such data, must be easily given and must be freely withdrawn at any time.
  • Give users a mechanism for obtaining their existing data profile, including the organization’s use of such data.
  • Be prepared to provide a detailed electronic report of data collected about an individual user.
  • Honor the “right to be forgotten.” With certain exceptions, including completion of the purpose for which the authorized data collection was performed, offer a medium for users to request that their data be deleted, be prepared to identify and delete all such data, and confirm such deletion to the user.
  • Report any breach resulting in unauthorized destruction, loss, alteration, disclosure of or access to personal data transmitted, stored or otherwise processed to the affected users and data controllers within 72 hours of becoming aware of the breach.
  • Create a mechanism by which a user may obtain his or her personal data collected by the organization in a structured, commonly used and machine-readable format that enables the user to either store the data for personal use or submit it to another organization.
  • Design systems with proper security mechanisms to prevent potential data breaches, failing which, the collecting organization will be subject to fines.

  • Appoint a representative located in the EU to act on behalf of the organization, and who may be reached by any Data Protection Authority. Essentially, these are independent, nonprofit public authorities within the EEA granted authorization to enforce the terms of the GDPR. This is similar to a registered agent in the United States.

Failures to comply with the GDPR can result in fines and penalties of up to €20 million (US$22.2 million), or 4 percent of a company’s total annual turnover. Such fines can be initiated by governmental authorities or by a Data Protection Authority. Data Protection Authorities generally seek such penalties and/or fines after receiving complaints from individual EEA residents.

The GDPR is extremely complicated. If you think your organization may be subject to the GDPR — it probably is, at least technically — it is strongly recommended that you carefully review your Terms and Conditions and Privacy Policy, and contact qualified legal counsel to ensure compliance.

CCPA. This act was passed on June 18, 2018. Compliance was scheduled to become mandatory as of Jan. 1, 2020. However, the CCPA requires that the California Attorney General issue regulations pertaining to enforcement of a number of elements of the CCPA by July 1, 2020, prior to which, enforcement actions cannot be commenced. Nonetheless, companies technically are required to be compliant with the CCPA as of Jan. 1, 2020, and are subject to private enforcement actions for data breaches from that date forward.

The CCPA was drafted and passed by the California legislature in order to preempt a far more sweeping data privacy ballot measure. Consequently, despite already having been amended several times, the CCPA contains a number of ambiguities.

The CCPA currently is applicable to:

Businesses. This includes any for-profit entity which does business in California; collects personal information of California consumers; alone or jointly with others, determines the purposes and means of processing such personal information; and meets any one or more of the following threshold criteria:

  • Earns gross revenues of more than $25 million annually.
  • Annually buys, sells, receives or shares for commercial purposes the personal information of at least 50,000 California consumers, households or devices.
  • Derives at least 50 percent of its annual revenue from selling California consumers’ personal information.

Service Providers. Any for-profit legal entity to which a business discloses a California consumer’s personal information, and which processes such information on behalf of the business for a business purpose pursuant to a written contract.

Personal information that is subject to the CCPA, and therefore triggers obligations under the CCPA, is defined as “information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Businesses subject to the CCPA must:

  • Notify consumers, at or before the point of collection, of the categories of personal information to be collected and the purposes for which those categories will be used, and provide an explanation of the user’s rights under the CCPA.
  • Upon receiving a verifiable request, provide the requesting user with access to the specific pieces of personal information collected by the business over the immediately preceding 12 months. The business must provide such information free of charge to the consumer, sometimes in a portable electronic format.
  • Provide users with the right to opt out of the sale of personal information, including providing a clear conspicuous link on its homepage labelled “Do Not Sell My Personal Information” to allow users to exercise their opt-out rights. Some limited forms of data sharing are exempted from such opt-outs, but generally users must be allowed to opt out of all sales of their personal data.
  • Enable users to request deletion of their personal information, unless an exception applies, such as a need to retain information to complete a transaction or comply with applicable law.
  • Not discriminate against users for exercising their CCPA rights. The primary example of such potential discrimination is charging a different price or denying goods or services to California consumers who exercise such rights.

The CCPA creates two mechanisms for enforcement against businesses:

  • Civil action initiated by the California Attorney General.
  • Private suits from individuals for uncured data breaches that are otherwise reportable under California’s security breach notification law.

The California Attorney General cannot commence claims until its publication of regulations under the CCPA, currently scheduled for July 1, 2020, at the latest. Once that occurs, under the law as currently written, penalties for civil claims brought by the California Attorney General will be $2,500 per violation, or up to $7,500 per intentional violation. Individuals who bring claims for failures to cure data breaches will be entitled to recover the greater of actual damages or statutory damages, up to $750 per violation.

Federal Trade Commission (FTC) Act. The FTC in the U.S. has federal authority to prevent unfair competition and unfair or deceptive acts and practices (UDAP), including the authority to impose monetary penalties, and to make reports to Congress and the public regarding the same.

The FTC has taken the approach that any inaccuracy in the privacy policy published on a company’s website constitutes an unfair or deceptive practice, such as broken promises, retroactive privacy policy changes, deceptive data collection or use, inadequate data security, and inadequate disclosure of the amount of data gathering. The enforcement threat is both significant and, to some extent, unpredictable.

The legal landscape surrounding collection, use and dissemination of consumer information is rapidly evolving. Where traditionally, the U.S. legal system only concerned itself with unfair, deceptive or abusive acts and practices in relation to data collection, the GDPR and CCPA represent the tip of the iceberg of an expected barrage of additional privacy laws, and associated liabilities. Even in the rare case where a company might not be subject to the GDPR or the CCPA, it will still be subject to the FTC Act, and new state laws are likely to be modeled after the GDPR and the CCPA.