Are You Liable for the Data Shenanigans of Others? (Part 1 – A Brief Introduction to the Legal Framework)
Re-posted from intothecyberbreach.com, originally published on August 10, 2019.
Yes. The end. Ok, it’s not quite that cut and dry, but it is somewhat of a scary proposition. I had initially envisioned discussing vendor management in the context of “controllers” and “processors”, when it occurred to me that a lot of people don’t really know what that means or even what the GDPR is and whether they need to worry about it. The actual answer is, of course, it depends.
The question came up recently for me in a conversation with a couple of attorneys who had gone to a data privacy event for the purpose of figuring out what they had to do themselves to become GDPR compliant. They were shocked to learn that as a “controller” of data, they were potentially liable for the actions, or inactions, of the “processor”. This is all Greek to the solo practitioner, working with personal injury or family law cases, who just wants to know whether Google Analytics is going to cause them to be fined by the European Union. But, I think it is an opportunity to break down what some of these concepts mean, and to say something regarding vendor management under the GDPR in Part 2. I guess we’ve got our first “two part series” on our hands.
Bear in mind, these are really broad strokes, and depending on your own situation, may be an oversimplification. As always, I recommend you retain counsel for the purpose of establishing and maintaining compliance with data privacy laws.
Before we jump right into the GDPR, it is helpful to start at the beginning. I am going to assume for starters that your business is located in the United States. It may seem like, in the privacy world, all anyone ever talks about is the GDPR and the CCPA. For the uninitiated, it is not even clear what those acronyms mean.
The GDPR stands for General Data Protection Regulation. It is a set of regulations established by the European Commission on behalf of the European Union to update existing data privacy laws in recognition of changing technology and social norms which have put people’s personal information at risk.
The CCPA is the California Consumer Privacy Act, which is a state law enacted by the state of California to ensure that California residents have a right to know what companies are doing with their personal information, as well as to ensure that companies collecting that data are taking all reasonable steps to act responsibly with the information they gather.
The reason data privacy conversations so often refer to the E.U. and California law are that these are two of the strictest rulesets in the world regarding how to handle data collected from individuals. Further, because of the nature of the internet, the relevant query here isn’t necessarily where your business is located, it is where your business is reaching others. For instance, if you are a New York-based business but you have customers on your website from Germany, the GDPR applies to you. The query is as much about the location of the consumer as it is about the location of the business. And in an interconnected world you have far less control over who your customers really are than you would in a brick-and-mortar operation.
Today, 48 of the 50 states in the U.S. have data privacy laws. And all 50 states have some form of consumer protection and tort system. Further, there are laws and regulations regarding other contexts in which personal information can arise (for instance, the Health Insurance Portability and Accountability Act, i.e., HIPAA, or the Securities and Exchange Commission’s regulations about reporting financial information). I am going to put HIPAA and SEC regulations aside for now, to avoid muddying the waters. For the sake of context, if you are handling patient medical information, you need to be HIPAA compliant, which is a separate universe of rules, and if you are a publicly traded company, you need to follow SEC regulations. The majority of issues related to data breach in the SEC context have to do with making public, misleading statements about the nature of the breach. If you are dealing with data about children, that’s a different set of rules as well.
Just as importantly, you have to be aware of your local state laws to see what anomalies may apply to you. That said, as a VERY general rule of thumb, i.e., not-legal-advice and not true in all cases, if you are in compliance with the GDPR and the CCPA, you are very likely in compliance with other states’ privacy laws. However, these laws do not apply to every business.
The CCPA is set to go into effect in January 2020, although there are rumors this will be extended by several months. The law is targeted to businesses with “annual gross revenues in excess of twenty-five million dollars ($25,000,000)”, or who “annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices”, or “derives 50 percent or more of its annual revenues from selling consumers’ personal information”. If you don’t meet that criteria, the CCPA does not apply to you. However, my advice would be that even if the CCPA does not apply, you should consider the feasibility of building CCPA compliance into your business process, for several reasons. First is that other states are changing their privacy laws all the time and may encompass some or all of these measures in the near future. Second is that it allows you to grow your business to fit the CCPA, rather than have to take remedial (pronounced: e-x-p-e-n-s-i-v-e) measures in the future. Third, the CCPA offers a set of “best practices” that are likely to keep you out of trouble in most state jurisdictions.
The language of the CCPA also raises the interesting question of what a business is, but I hope to address that at some point in a future post. If you are unsure whether your outfit is a “business”, go talk to a lawyer. If you can afford to hire said lawyer, chances are good that what you are doing is a business.
The GDPR casts a far more ambitious net. First, dispel with the idea that the law does not apply to you because you are a U.S.-based business. That’s so 2017! The GDPR applies even to U.S.-based businesses that never step foot in the E.U., if they find themselves handling the “personal data” of E.U. citizens, or even people located in the E.U. (cue puzzling questions about whether we’ll see a cottage industry of “data privacy tourism” for Americans who want to fly to France, eat their fill of cheese, and claim E.U.-style privacy rights before returning home.)
How “personal data” is defined must be discussed before we can decide whether the GDPR applies, and here the boldness of the law really comes into focus. “Personal data” can be any information relating to an identified or identifiable natural person, including name, ID number, location, online identifier, physical traits, physiological, genetic, mental, economic, cultural or social data about that person. That also covers IP address, cookies, social media posts, contact lists, and mobile device data. Probably also includes dessert recipes and favorite color. So… yeah, we are talking about nearly anything.
It is very hard to collect any information about your customers or website visitors without triggering the protections of the GDPR. The crazy thing here is that it is unclear what personal information will be identifiable from future technologies, which could also be problematic. Is asking “how are you?” over the telephone a GDPR triggerable event? Maybe…
If we are still wondering whether the GDPR applies to you, I think we can distill it down a little further. Do you have a website? Does the website have any cookies? Does the website keep a log of IP addresses visiting your site? Do you use a third-party service to contact your customers or track website visitors (like Google Analytics or MailChimp)? If your answers tend to be yes, then the GDPR is likely to apply. Now, if you have less than 250 employees, not only are you my target audience for this blog, but the GDPR recognizes that you are a smaller data risk than the larger big corps out in the world. The rules apply to you, but the requirements are somewhat different.
I am going to have to write about what these laws actually require in a separate post (I will put a link here once I’ve done that). But that last question about third-party vendors is really the issue that I wanted to try to tackle in this series. What are your responsibilities when a company that you use to track your website traffic, or to manage your contact list, experiences a data breach of your data?
To answer that question, we have to understand and discuss the concepts laid out by the GDPR of “data controller” (the people with a website), and “data processors” (the people who are given third-party access to information about that website). As you can see, this is a big topic, and you’ll have to wait for Part 2 to really dive in (or, you can discover this post months later and by then I hope to have a link to Part 2 right here on the page).
Stay Tuned!