State Law Developments in Consumer Privacy

By Joseph J. Lazzarotti, Jason C. Gavejian and Maya Atrakchi on

The California Consumer Privacy Act (CCPA), which goes into effect January 1, 2020, is considered the most expansive state privacy law in the United States. Organizations familiar with the European Union’s General Data Protection Regulation (GDPR), which became effective on May 25, 2018, certainly will understand CCPA’s implications. Perhaps the best known comprehensive privacy and security regime globally, GDPR solidified and expanded a prior set of guidelines/directives and granted individuals certain rights with respect to their personal data. The CCPA seems to have spurred a flood of similar legislative proposals on the state level.

Since the start of 2019, at least six state legislatures have already introduced privacy laws mirrored largely on the CCPA.   Below are some of the highlights of each state legislative proposal:

  • Hawaii – SB 418, introduced on January 24 by two Democrat senators, the Hawaiian bills contains similar consumer rights and requirements for businesses as the CCPA. The current bill text does not include a definition for “business”. Although this will likely be remedied, if left as is, the Hawaiian bill would have a broader reach than the CCPA, which only applies to entities that do business in the state of California.
  • Maryland SB0613, introduced on February 4 by Senator Susan Lee (D), includes similar consumer rights as those in the CCPA, but its right of deletion (popularly known as the “right to be forgotten”) is more extensive as it limits the circumstances under which an organization can deny such a request. Also notable, the bill prohibits discrimination against a consumer for exercising his/her rights and financial incentives for processing personal information.
  • Massachusetts – SD.341, presented by Senator Cynthia Creem in early February, this proposal combines key aspects of the CCPA together with aspects of Illinois’s Biometric Information Privacy Act (BIPA). This bill would allow Massachusetts consumers a private right of action if their personal information or biometric information (referred to separately in the bill) is improperly collected. Moreover, similar to the Illinois Supreme Court’s recent holding regarding the BIPA, under the proposed bill, Massachusetts consumers may not have to demonstrate actual harm to seek damages.
  • Mississippi – HB 2153, a house bill that was quickly squashed, was the closest in structure to the CCPA, pulling direct language from the California law. Although the Mississippi bill did not succeed, it still signifies how state legislators across the U.S. are considering consumer privacy.
  • New Mexico – SB176, introduced on January 19 by Senator Michael Padilla (D), attempts to balance consumer privacy without stifling “innovation and creativity” of companies. Although language differs, key components of the CCPA are present in the New Mexico bill (g. right of access, right of deletion, right to opt out, private right of action).

In addition to the CCPA-like proposals discussed above, other states are also considering unique ways to enhance consumer data privacy for their residents. For example, New York legislators recently introduced at least 4 different consumer privacy related bills, including one on biometric privacy (SB 547) and another that would regulate businesses’ collection and disclosure of personal information (S00224).  And several North Dakota legislators, in mid-January, introduced a consumer privacy bill, HB 1485, exclusively focused on the prohibition of disclosure of an individual’s personal information without “express written consent”.

Finally, a group of senators in Washington State, in January, introduced the “Washington Privacy Act,” SB 5376 (WPA). That bill would establish more GDPR-like requirements on businesses that collect personal information related to Washington residents. In addition to requirements for notice, and consumer rights such as access, deletion, and rectification, the WPA would impose restrictions on use of automatic profiling and facial recognition.

This state level activity could prompt Congress to move more quickly with one of its proposed bills, the latest being the Data Care Act, which proposes to hold large tech companies, specifically “online service providers”, responsible for the protection of personal information. Much of the private sector, including the Internet Association, comprised of the leading tech companies, is pushing for a federal approach to consumer privacy to prevent the “patchwork of state laws” that has arisen in the area of data breach notification law.  Not even three months in, 2019 is already gearing up to be a busy year for consumer privacy law.

 

Why is New Jersey Updating Its Privacy and Data Security Laws?

By Joseph J. Lazzarotti on

The Garden State has been updating its data privacy and security laws and you may be wondering why. On October 28, 2018, Attorney General Gurbir S. Grewal and the New Jersey State Police the New Jersey announced statistics on the effects of data breaches in 2017 on New Jersey residents. Based on that report, here are some interesting data points:

  • Reported breaches affecting NJ residents increased 41% from 2016 to 2017 (676 to 958). Remember, these are only reported breaches. Yes, not all breaches are reported, reported properly, or are even discovered.
  • Business sectors most often involved with breaches include finance/banking, health services followed by business services and retail trade. Other areas include education, restaurant, industrial/manufacturing, hotels, non-profits, non-medical insurance, and telecommunications.
  • Phishing attacks were the most popular method used to breach the security of an organization’s information systems, followed by website malware, employee incident, unauthorized email access and ransomware. It is unclear from the report if these are in any particular order. Importantly, note that with phishing attacks, unauthorized email access, and ransomware, employees very likely play a role in making the attacks successful. That is, employees typically are not intentionally causing these attacks, but they are duped into clicking a link or entering information that helps out the bad guys. Training and awareness are critical.
  • The New Jersey’s Attorney General’s Office enforcement activities resulted in $4.8 million in civil settlements with the State.

The announcement also included some tips individuals can take to better protect sensitive personal and business information. Notably, the announcement states that:

this effort is part of a broader effort by Attorney General Grewal to strengthen the state’s cybersecurity protections, and follows an announcement earlier this year the creation of a Data Privacy & Cybersecurity Section within the Division of Law (DOL) to investigate data privacy cases and advise state agencies on related matters.

The tips offered by the NJ Division of Consumer Affairs are directed at individual consumers, but organizations and businesses certainly could adopt these, and require their employees to follow some or all of these best practices:

  • Avoid clicking on e-mail links or attachments from unknown individuals, financial institutions, computer services or government agencies. To check out the message, go to the sender’s legitimate public website, and use the contact information provided.
  • Choose a strong password containing letters, numbers and symbols. If a website offers two-factor authentication security, use it.
  • Before disposing of any electronic device, wipe the hard drive using specialized software that will overwrite your information.
  • Avoid free Wi-Fi, especially for health, financial, and other personal transactions.

Efforts similar to this are underway in a many states as personal information and confidential business information either continue to be under attack or are maintained without adequate safeguards. Organizations need to monitor these developments and strengthen their administrative, physical, technical, and organizational defenses.

New Jersey on the Forefront of Consumer Privacy and Security Law

By Jason C. Gavejian, Mary T. Costigan and Maya Atrakchi on

Since the start of 2019, New Jersey has shown it is on the forefront of consumer privacy and security law. Last week we reported on Assembly Bill 3245 (AB 3245) that would enhance the state’s data breach notification requirements. In short, if signed, AB 3245, would require businesses to notify consumers of online account security breaches. This week, we are reporting on other related Assembly bills recently introduced including AB 4902which creates new obligations for commercial entities whose online website or services are accessed by individuals, and AB 7974 that regulates the use of a customer’s GPS data.

New Jersey’s proposed consumer privacy and security bills would create significant compliance obligations for companies that collect, use, or store personal data. Companies should consider assessing and reviewing their data collection activities, building robust data protection programs, and investing in written information security programs (WISPs) to prepare.

Check out the full update on some of New Jersey’s latest consumer privacy and security law initiatives including AB 4902 and AB 7974, available here on the Jackson Lewis website.

 

 

 

 

NJ Amendment to Data Breach Notification Law, Moves to Governor

By Joseph J. Lazzarotti, Jason C. Gavejian and Maya Atrakchi on

In light of several large-scale breaches of late, the New Jersey General Assembly is taking steps to enhance the state’s data breach notification requirements. In late February, Assembly Bill 3245 (AB 3245), introduced by Assembly Members Ralph Caputo and Carol Murphy, was unanimously approved by both the Assembly and the Senate, and is now headed to Governor Phil Murphy for signing. In short, if signed, AB 3245, would require businesses to notify consumers of online account security breaches.

New Jersey’s data breach notification law requires businesses to notify consumers of a breach of their personal information. Currently the law defines personal information as an individual’s first name or first initial and last name linked with any one or more of the following data elements:

  • Social Security number;
  • driver’s license number or State identification card number;
  • account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

AB 3245 would add to the above list of data elements:

  • user name, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account. 

This amendment would keep New Jersey in line with other states that have similarly enhanced their data breach notification laws to address online breaches, including Alabama, Arizona, California, Florida, Illinois, Nebraska, Nevada, South Dakota and Wyoming.

“Protecting the security of online accounts is important for consumers, as a breach of security of these accounts can lead to the compromise of personal information and expose consumers to identity theft,” said Caputo (D-Essex). “If an individual’s personal information has become unwillingly available to someone else, they have the right to know as quickly as possible.”

New Jersey is on the forefront of consumer privacy and security law with other related bills recently introduced including AB 4902, which creates new obligations for commercial entities whose online website or services are accessed by individuals, and AB 7974 that regulates the use of a customer’s GPS data.  Be on the look out for our full update on some of New Jersey’s other initiatives, coming later this week.

Should Companies Terminate Third Party Vendors That Cause a Data Breach?

By Joseph J. Lazzarotti on

According to reports, bank customers in Australia (yes, data breach notification requirements exist down under) have been affected by “an industry-wide” data breach experienced by a third-party service provider to the banks – property valuation firm, LandMark White. As expected, the banks are investigating and in some cases notifying customers about the incident. However, there are reports that some of the affected banks are suspending this vendor from the group of valuation firms they use. This is not an unusual reaction by organizations whose third party service providers have or are believed to have caused a data breach affecting the organization’s customers, patients, students, employees, etc. But, it is worth thinking about whether that is the best course of action.

In the United States, there is a growing number of states that require businesses to contractually bind their third party services providers to maintain reasonable safeguards to protect personal information made available to the third parties to perform services. For example, under the Illinois Personal Information Protection Act:

A contract for the disclosure of personal information concerning an Illinois resident that is maintained by a data collector must include a provision requiring the person to whom the information is disclosed to implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.

Personal information under this law includes information such as name coupled with Social Security number, drivers license number, medical information, and unique biometric data used to authenticate an individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data. In connection with obtaining written assurances from a third party vendor, many companies engage their vendors in an assessment process to get a better sense of the security of the vendor’s environment. Assessments can take many forms including interviewing the vendor’s chief information security officer, reviewing policies and procedures, subjecting the vendor to a detailed security questionnaire, penetration tests, and more. When organizations think of best practices for data security, assessment procedures of some kind certainly should be on the list.

But after the assessments and contract negotiations are completed, data breaches can still happen. In many cases, when a third party vendor experiences a breach affecting personal information, the owners of that information are the vendor’s customers. Uncomfortable as it may be, breach notification laws generally require the vendor maintaining the breached personal information to notify the owner, the vendor’s customer(s). At that point, the parties typically work through the incident response process, which in many cases could be driven by contract, although many agreements are silent on this issue.

In any event, organizations will almost invariably begin to think about whether this is a vendor they want on their team going forward. Of course, there are a number of reasons that might support terminating the relationship, such as:

  • The vendor may not have been protecting the information they way it should have under the contract and applicable law, resulting in the breach.
  • The vendor has not been transparent, responsive, or cooperative with the organization during the incident response process.
  • The vendor has not taken sufficient steps to ensure a similar breach will not happen again.
  • The organization is getting pressure from its customers who are serviced or supported, in part, by the vendor.
  • The organization has been unhappy with the vendor for some time (unrelated to the breach) and this is the last straw.

However, there also are reasons for maintaining the relationship, which include:

  • “The grass is always greener on the other side” – it may not be. There is no guarantee that a new vendor will have greater data security, be able to avoid a sophisticated attack, or be willing to work with the owner of the data as transparently as the current vendor.
  • The current vendor arguably is “battle-tested” with data security and incident response more top of mind.
  • There is a long-standing, trusted relationship with the vendor whose products and/or services are too important to the organization.
  • Both the organization and the vendor may be more inclined following a breach to collaborate on enhanced security measures and incident response planning.

The author takes no position here on whether to stay or go, as such a decision requires consideration of a number of factors. Third party service providers play important roles for many organizations, and their selection and continued utilization are decisions that should be made following an appropriate level of due diligence and analysis.

 

Rapid Increase in Biometric Data in Airports Raises Privacy Concerns

By Catherine Tucciarello on

In 2018, Delta paved the way in airport terminal development, by introducing the first biometric terminal at the Hartsfield-Jackson Atlanta International Airport where passengers can use facial recognition technology from curb to gate. Delta now offers members of its Sky Club airport lounges to enter using fingerprints rather than a membership card or boarding pass. Other airlines use biometric data to verify travelers during the boarding process with a photo-capture. The photograph is then matched through biometric facial recognition technology to photos that were previously taken of the passengers for their passports, visas, or other government documentation.

Though the use of a fingerprint or facial scan aims to streamline and expedite the travel process and strengthen the security of air travel, it also presents heightened security risks for biometric data on a larger sale. As the use of biometric data increases, the more expansive the effects of the data breach becomes. While it’s possible to change a financial account number, a driver’s license number or even your social security number, you can’t change your fingerprint or your face, easily anyway. Furthermore, in the past, facial recognition software had not been able to accurately identify people of color, raising concerns that individuals may be racially profiled.

Yet, many argue that biometric-based technologies can be used to help solve vexing security and logistics challenges concerning travel. For example, in 2016, Congress authorized up to $1 billion collected from certain visa fees to fund implementation of biometric-based exit technology. That was followed by President Trump’s executive order signed in March 2017 directing the Department of Homeland Security to expedite implementation of biometric entry-exit tracking system for all travelers to the United States. As it stands, we are likely to see a rapid expansion of biometric technology used by airlines and other businesses in the travel industry, so prepare your picture perfect travel face!

Notably, the use of biometric data is growing across all industries and in a variety of different applications – e.g., premises security, time management, systems access management. But, so is the number of state laws intending to protect that data. States such as Illinois, Texas, and Washington are leading the way with others sure to follow. Regulations include notice and consent requirements, mandates to safeguard biometric information, and obligations notify individuals in the event biometric information is breached. And, litigation is increasing. The Illinois Supreme Court recently handed down a significant decision, for example, concerning the ability of individuals to bring suit under the Illinois Biometric Information Privacy Act (BIPA). In short, individuals need not allege actual injury or adverse effect, beyond a violation of his/her rights under BIPA. The decision is likely to increase the already significant number of suits, including putative class actions, filed under the BIPA.

Companies, regardless of industry, should be reevaluating their biometric use practices, and taking steps to comply with a growing body of law surrounding this sensitive information.

California AG Announces Amendment to the CCPA

By Joseph J. Lazzarotti, Jason C. Gavejian and Maya Atrakchi on

On February 25, 2019, California Attorney General Xavier Becerra and Senator Hannah-Beth Jackson introduced Senate Bill 561, legislation intended to strengthen and clarify the California Consumer Privacy Act (CCPA), which was enacted in June of 2018. If enacted, this would be the second amendment to the CCPA, following an earlier amendment in September of 2018 that Governor Jerry Brown signed into law Senate Bill 1121, which also clarified and strengthened the original version of the law.

As we reported previously, the CCPA will apply to any entity that does business in the State of California and satisfies one or more of the following: (i) annual gross revenue in excess of $25 million, (ii) alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices, or (iii) derives 50 percent or more of its annual revenues from selling consumers’ personal information. Under the CCPA, key consumer rights will include:

  • A consumer’s right to request deletion of personal information which would require the business to delete information upon receipt of a verified request;
  • A consumer’s right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects and categories of information and 3rd parties to which the information was sold or disclosed;
  • A consumer’s right to opt-out of the sale of personal information by a business and prohibiting the business from discriminating against the consumer for exercising this right, including a prohibition on charging the consumer who opts-out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data.

SB 561’s amendments include:

  • Expands a consumer’s right to bring a private cause of action. Currently, the CCPA provides consumer a private right of action if their nonencrypted or nonredacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure because the covered business did not meet its duty to implement and maintain reasonable safeguards to protect that information. The amendment broadens this provision to grant consumers a private right of action if their rights under the CCPA are violated.
  • Removes language that allows businesses the opportunity to cure an alleged violation within 30-days after being notified of alleged noncompliance.
  • Removes language allowing a business or third party to seek the opinion of the Attorney General for guidance on how to comply with the law. Instead, the amendment specifies that the Attorney General may publish materials that provide businesses and others with general guidance on how to comply with the law.

With an effective date of January 1, 2020 (and regulations not yet proposed), it is expected that additional amendments will be negotiated, drafted, and published. Last month, the California Attorney General’s Office began the CCPA rulemaking process with a six-part series of public forums, allowing all interested persons the opportunity to provide their comments on the new law.

SB 561 comes just days after the AG Becerra together with Assemblymember Mark Levine announced Assembly Bill 1130 to strengthen California’s existing data breach notification law. No doubt, California is leading the way in U.S. data privacy and security law.

Below are some of our helpful resources on the CCPA and other key California privacy and security law developments:

 

The Circuit Split Over the Definition of ATDS Under the TCPA Continues

By Jason C. Gavejian and Maya Atrakchi on

When the Telephone Consumer Protection Act (TCPA) was enacted in 1991, most American consumers were using landline phones, and Congress could not begin to contemplate the evolution of the mobile phone. The TCPA defines Automatic Telephone Dialing System” (ATDS) as “equipment which has the capacity—(A) to store or produce telephone numbers to be called, using a random or sequential number generator; and (B) to dial such numbers.” 47 U.S.C § 227(a)(1).  In 2015, the Federal Communications Commission (FCC) issued its 2015 Declaratory Ruling & Order (2015 Order), concerning clarifications on the TCPA for the mobile era, including the definition of “Automatic Telephone Dialing System” (ATDS) and what devices qualify. The 2015 Order only complicated matters further, providing an expansive interpretation for what constitutes an ATDS, and sparking a surge of TCPA lawsuits in recent years.

Consequently, several FCC-regulated entities appealed the 2015 FCC Order to the D.C. Circuit Court of Appeals, in ACA International v. FCC, No. 15-1211, Doc. No. 1722606 (D.C. Cir. Mar. 16, 2018). The D.C. Court concluded the FCC’s opinion that all equipment that has the potential capacity for autodialing is subject to the TCPA, is too broad. Although the FCC did say in its 2015 Order “there must be more than a theoretical potential that the equipment could be modified to satisfy the ‘autodialer’ definition”, the Court held that this “ostensible limitation affords no ground for distinguishing between a smartphone and a Firefox browser”. The Court determined that the FCC’s interpretation of ATDS was “an unreasonably expansive interpretation of the statute”.

Since the decision in ACA Int’l, courts have weighed in on the D.C. circuit court ruling and the status of the 2015 Order, sparking a circuit split over what constitutes an ATDS. The Second and Third Circuit have both narrowly interpreted the definition of an ATDS. In late June 2018, the Third Circuit held that, in light of ACA Intl’l, the TCPA should be interpreted as it was prior to the 2015 Order, limiting ATDS to a device with “present” capacity to function as an autodialer. The Third Circuit found that the plaintiff provided no evidence to show that an Email SMS Service had the present capacity to function as an autodialer.

Only a week later, the Second Circuit issued a similar opinion, narrowly interpreting the definition of ATDS, and rejecting a TCPA claim on grounds that the defendant could not point to any evidence that creates a genuine dispute of fact “as to whether the Email SMS Service had the present capacity to function as an autodialer by generating random or sequential telephone numbers and dialing those numbers.” It seemed like some consistency had begun to emerge in the courts post-ACA Int’l.

But then, in September, the Ninth Circuit stirred things up, with a sharp departure from the Second and Third Circuit decisions. The Ninth Circuit concluded that the “Textmunication System”, a “web-based” platform that sends text messages (a system of comparable nature to the Email SMS Service analyzed by the other circuit courts), created a “genuine issue of material fact” as to whether it qualified as an ATDS. The Court, thus, did not weigh in on whether the definition of ATDS was limited to devices with present capacity. Earlier this month a petition of writ of certiorari was filed with the U.S. Supreme Court, to the review the Ninth Circuit panel’s decision, but shortly after the parties reached a settlement agreement.

Given the circuit split over the definition of ATDS under the TCPA, the issue is ripe for the Supreme Court to address, but due to the recent settlement, we will have to wait a bit longer to hear from the Court. Just after, the Ninth Circuit ruling, the FCC sought comments from the public on the scope of the TCPA, including the ATDS definition. In the meantime organizations are advised to implement and update their telemarketing and/or automatic dialing practices to ensure TCPA compliance.

California AG Seeks to Further Amend State’s Data Breach Notification Law

By Joseph J. Lazzarotti on

Yesterday, California Attorney General Xavier Becerra and Assemblymember Marc Levine (D-San Rafael)announced Assembly Bill 1130 which is intended to strengthen California’s existing data breach notification law. In short, AB 1130 would amend the existing law to include passport numbers and biometric information (e.g., fingerprint and retina scan data) in the definition of personal information, so that, if breached under the law, notification to consumers would be required.

Currently, similar to most breach notification laws in other states, California’s data breach notification law defines personal information to include a covered person’s first name (or first initial) and last name coupled with sensitive information such as Social Security numbers, driver’s license numbers, financial account numbers and health information. The changes under AB 1130 would keep California out in front of other states, although a number of other states, such as Illinois, already include data such as biometric information as personal information under their breach notification laws. As many have observed, these state by state changes only add to the complexity businesses face when they experience a data breach affecting individuals in multiple states.

News reports concerning the announcement of AB 1130 note that Attorney General Xavier Becerra “has promised to crack down on companies that try to hide data breaches from the public.” And soon individuals in California affected by a data breach likely will have expanded rights to sue under the California Consumer Privacy Act (CCPA). As we reported earlier, the CCPA authorizes a private cause of action against a covered business for damages resulting from a failure to implement appropriate security safeguards which result in a data breach. The CCPA incorporates much of the definition of personal information under the California breach notification law. What should be troubling for covered businesses is that, if successful, a plaintiff can recover damages in an amount not less than $100 and not greater than $750 per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief and any other relief the court deems proper. Thus, in addition to the costs of notifications a covered business may have to incur under the state’s breach notification law, which could include providing ID theft and credit monitoring services, class action lawsuits brought pursuant to this provision of the CCPA could be very costly. The expansion of the definition of personal information to include passport and biometric data only increases these risks.

The Status of the GDPR As the One-Year Mark Gets Closer

By Joseph J. Lazzarotti, Maya Atrakchi and Mary T. Costigan on

In honor of Data Privacy Day (Data Protection Day in Europe), the European Commission (“the Commission”) released a statement on the status of the EU’s General Data Protection Regulation (“GDPR”) which took effect on May 25, 2018. The joint statement by the Commission’s First Vice-President Timmermans, Vice-President Ansip, Commissioners Jourová and Gabriel stressed the importance of the GDPR in light of recent large-scale data breaches, and the positive effect the law has had in raising awareness on data protection and rights available to citizens.

The Commission noted that national Data Protection Authorities (DPAs) across the EU have received more than 95,000 complaints from citizens since May. Moreover, the DPAs have been active in guiding organizations, in particular small and mid-sized businesses, on their obligations under the GDPR. This will be bolstered by a “raising awareness” campaign soon-to-be launched by the Commission, to help organizations and individuals better understand their GDPR rights and requirements.

Although the GDPR is a regulation, not a directive, which makes it directly binding and applicable, there are still areas within the regulation that require EU member states to supplement the GDPR with local legislation. The Commission’s statement called on five EU member states that have not passed such legislation “to adapt their legal frameworks to the new EU-wide rules as soon as possible”. EU member states yet to enact GDPR implementation laws include, Bulgaria, Czech Republic, Greece, Portugal and Slovenia.

Together with the joint statement, the EU Commission released an info-graph, tracking GDPR developments over the past eight months. Key statistics include:

  • Most common types of complaints reported to the DPAs: telemarketing, • promotional emails and • video surveillance/CCTV.
  • 40,000 data breach notifications reported to DPAs across the EU.
  • 255 ongoing investigations by DPAs of cross-border GDPR violations.
  • Three fines issued by DPAs for GDPR violations– the largest fine issued was in the sum of €50,000,000 for lack of consent to processing personal data.

Investigations into potential infringements of the GDPR can be initiated by a Supervisory Authority or triggered by a data subject complaint. Sanctions for violations range from reprimands to fines. However, depending on the sensitivity of the data, the nature of the violation, the risk of harm to the data subjects, and the egregiousness of the violation, the fines can be significant. Fines, which are calculated based on the company’s global annual turnover of preceding financial year, can reach up to 4% or €20 million (whichever is greater) for non-compliance with the GDPR, and 2% or €10 million (whichever is greater) for less important infringements. In addition, the GDPR permits data subjects certain legal recourse for processing violations that affect their rights. These include the right to bring a private cause of action for material or non-material damages resulting from a violation or the right to pursue “collective actions,” which are similar to US class actions.

In other recent GDPR developments, in late 2018, the European Data Protection Board published draft Guidelines on the territorial scope of the GDPR (Article 3) for public consultation. Once finalized, this guidance will be particularly relevant for U.S.-based companies when assessing whether employee or customer data they process falls under the scope of the GDPR (See also Does the GDPR Apply to Your US-Based Company?). Most notably for non-EU data controllers and data processors, the guidelines address the processing of personal data in the context of offering goods or services to an individual in the EU, or the monitoring of their behavior in the EU, under Article 3(2). The Guidelines provide that individuals “targeted” in the EU includes “natural persons, whatever their nationality or place of residence.” In other words, the targeting criteria will apply regardless of the “citizenship, residence, or other type of legal status of the data subject” as long as the data subject is in the EU at the time of processing. With respect to the monitoring of a data subjects behavior in the EU, the Guidelines note the European Data Protection Board (EDPB) “considers that tracking through other types of network or technology involving personal data processing should also be taken into account in determining whether a processing activity amounts to a behavioral monitoring, for example, through wearable and other smart devices.” The public consultation period for the Guidelines ended January 18, 2019 and the final version should be instructive, particularly for non-EU organizations.

The GDPR has brought new and enhanced privacy and security obligations for organizations around the globe, including U.S.-based companies. Compliance with GDPR is not optional and as of December 2018, more than 50% of regulated organizations are still not fully GDPR compliant.

Below are some of our helpful GDPR resources:

LexBlog