If your company uses the Internet to reach customers, suppliers, or workers, you’ve probably heard a lot about privacy law in the past few years. Unfortunately, it doesn’t take long for conversations about privacy law to become mired in contradictory recommendations or requirements, or for them to get bogged down in a mess of incomprehensible acronyms – GDPR, CCPA, ICO, SCC! It’s easy to get discouraged. Luckily for you, I’ve written this blog post to help you understand what the GDPR and CCPA are and whether they apply to your business.
What Do These Acronyms Mean?
While an increasing number of countries and states have passed privacy laws in the past few years, the “big” Internet privacy laws are the GDPR and the CCPA. The GDPR is the General Data Protection Regulation of the European Union. It became effective on May 25, 2018. The CCPA is the California Consumer Privacy Act. It became effective on January 1, 2020.
Who Has To Comply With These Laws?
The GDPR is extremely broad. Privacy advocates like to refer to it as the “gold standard of privacy law.” It applies to anyone who handles “personal data” – whether that person collected it from the data subject or not. Thus, the GDPR applies to individuals, for-profit companies, and non-profit organizations.
The CCPA is somewhat narrower. It applies only to “businesses” that pass the following five-pronged test:
- The business must be for-profit.
- The business must collect consumers’ personal information or have the information collected on its behalf.
- The business must determine the “how” or the “why” of the processing (handling, analyzing, storing, etc.) of the consumers’ personal information.
- The business must “do business” in California.
- The business must either:
  - Have annual gross revenue over $25 million; or
  - Buy, receive, or sell the personal information of 50,000 or more consumers, households, or devices; or
  - Derive 50% or more of its annual revenues from selling consumers’ personal information.
If you’re more accustomed to traditional “brick and mortar” businesses, you might be thinking that the GDPR and CCPA surely only apply to businesses that have offices, warehouses, or stores in Europe or California. But that’s not the case. Under both laws, it doesn’t matter where the business is based or where it has a physical presence. Just like businesses, legislators and regulators in California and Europe have taken advantage of the Internet to expand their reach. If your business meets the criteria above, then even something as minor as running a website that can be accessed from California or Europe could be enough to subject a company to the requirements of that state’s or international entity’s Internet privacy laws.
Who And What Is Protected By These Laws?
As I said earlier, the GDPR is extremely broad. It applies to “data subjects.” Data subjects are just people, nothing more or less – the GDPR defines a data subject as an “identified or identifiable natural person.” The only limitation is that the GDPR applies only to data subjects who (1) hold EU residency or citizenship or (2) are located in the EU.
The CCPA is narrower in its protections. As the name suggests, the CCPA only protects “consumers.” A “consumer” is “a natural person who is a California resident.”
The two laws are very similar in the scope of data they protect. While the GDPR refers to it as “personal data” and the CCPA calls it “personal information,” both laws apply to basically the same thing: any information that relates to or could be linked to a protected person. In both cases, it doesn’t matter whether the information was willingly handed over by the data subject or consumer, such as by submitting an order or filling out a form, or whether it was collected automatically, like with Internet “cookies.” Personal data/information could include any of the following:
- Names
- Email addresses
- Phone numbers
- IP addresses
- Mailing or home addresses
- Geolocation data
- Dates of birth
- Race
- Gender
- Political affiliation
- Credit card information
- Pictures or other physical identifiers
- Employment information like employer, job title, or salary
- Religious or political affiliation
- Health data
How Can Venn Law Group Help?
We’ve covered a lot of ground in this blog post, and we’ve just scratched the surface of Internet privacy law. If you think the GDPR, the CCPA, or some other Internet privacy law might apply to your business, contact us here. We’ve helped several businesses determine which Internet privacy laws apply to them, and we’ve worked with them to develop comprehensible, non-disruptive contracts and business practices to bring them into compliance with the law.
Edward B. Woodall is an attorney at Venn Law Group who works in corporate law and commercial real estate, including leasing, financing, taxation, business structures, and dispute resolution. He is passionate about helping business owners solve a variety of complex legal problems and has performed more than 100 hours of pro bono work. In addition to his law degree, he also has a background in history and Spanish.