2022 Marcom Trends - Magazine - Page 12
CCPA VERSUS CPRA: The Future of Privacy in California
Richard S. Eisert, Partner/Co-Chair Advertising + Marketing, reisert@dglaw.com; Gary Kibel, Partner, gkibel@dglaw.com; Oriyan Gitig, Counsel, ogitig@dglaw.com
EU-US PRIVACY: An Uncertain Future for EU-US Data Transfers
Gary Kibel, Partner, gkibel@dglaw.com; Oriyan Gitig, Counsel, ogitig@dglaw.com; Zachary N. Klein, Associate, zklein@dglaw.com
The California Privacy Rights Act (CPRA) amends and expands the California
Consumer Privacy Act (CCPA), with most of its provisions becoming operative
on January 1, 2023. Because the CPRA applies to personal information collected
on or after January 1, 2022, businesses should prepare now.
Changes to keep in mind under the CPRA include:
Businesses
A “business” is a for-profit entity that does business in California and annually either:
1. Has gross revenue of $25 million or more;
2. Buys, sells or shares the personal information of 100,000 or more consumers or households (devices no longer count toward the threshold); or
3. Derives 50% or more of its revenue from selling or sharing personal information.
Notice Obligations
The notice at or before collection is revised: businesses must disclose
the categories of personal information collected, the purposes for which
it is collected or used, whether it is sold or shared, and the retention
period (or the criteria used to determine it). The same disclosures are
required, separately, for sensitive personal information.
Sensitive Personal Information
A new category of “sensitive personal information” is created
which includes “personal information that reveals” information
such as SSNs, financial information, unique biometric data, precise
geolocation, and the contents of mail, email or texts. Businesses
must provide a new “Limit the Use of My Sensitive Personal
Information” link, if applicable.
Enhanced Contractual Obligations
Additional contractual terms are now required between a business and:
1. Any “third parties” to whom it sells or shares personal information; and/or
2. Any “service providers” or “contractors” (the latter a category newly defined under the CPRA) to whom it discloses personal information.
These terms must limit the recipient’s use of the information to the specified business purposes, impose security obligations, and grant the business the right to take reasonable steps to ensure, and to remediate, the recipient’s compliance with those obligations.
Cross-Context Behavioral Advertising
The concept of “sharing” is introduced and defined as a business making
personal information available to a third party for “cross-context
behavioral advertising,” meaning targeted advertising based on personal
information obtained from the consumer’s activity across businesses,
distinctly branded websites, applications or services other than the one
with which the consumer intentionally interacts. Because no exchange of
money is required, “sharing” captures much ad-tech activity that businesses
previously argued was not a “sale.” The same disclosure and opt-out rights
that apply to “sales” also apply to “sharing.”
Enhanced Consumer Rights
Now added are the “right to correct information,” the “right to opt-out
of sharing,” the “right to data portability,” and the “right to limit
the use of sensitive personal information.”
Publicly Available Exception
The definition of publicly available information (which is not
considered personal information) is expanded to include information
that a business reasonably believes the consumer has made available to
the general public, and information from widely distributed media.
What Businesses Can Do Now
• Reexamine their personal information processing in light of the CPRA.
• Determine whether they are engaging in “cross-context behavioral advertising.”
• Prepare to update contracts and privacy policies to address the CPRA’s requirements once California releases final CPRA regulations.
12 DAVIS+GILBERT LLP
In the wake of the Court of Justice of the European Union’s
invalidation of the EU-US Privacy Shield Framework (Privacy
Shield), which had been established to allow the transfer of
personal data from the EU to the United States in compliance with
the EU’s General Data Protection Regulation (GDPR), businesses
must rely on other mechanisms to lawfully carry out such
cross-border data transfers.
EU Privacy Law
The GDPR provides that, in the absence of an “adequacy decision”
by the European Commission (Commission) finding that a jurisdiction
provides an essentially equivalent level of protection, transfers of
personal data of EU data subjects to jurisdictions outside the EU
are permitted only if appropriate safeguards are in place.
The Commission has never issued a general adequacy decision for the
United States, based in part on the United States’ lack of a
comprehensive federal privacy law. And so, in the hope of creating a
reliable legal mechanism that would allow for the authorized transfer
of personal data from the EU to the United States, the parties
negotiated and established the Privacy Shield.
In its pivotal July 2020 Schrems II decision, however, the Court
of Justice of the European Union (the Court) invalidated the
EU-US Privacy Shield, holding that it failed to meet the necessary
conditions under the GDPR because U.S. surveillance laws permit
access to transferred data that is not limited to what is strictly
necessary and afford EU data subjects no effective judicial redress,
contrary to the EU Charter of Fundamental Rights. As a result,
businesses must use legal mechanisms other than the Privacy Shield
to lawfully carry out cross-border data transfers.
EU Standard Contractual Clauses
The most widely accepted method of attempting to satisfy EU
cross-border data transfer law has been the use of EU Standard
Contractual Clauses (SCCs): contracts pre-approved by the
Commission that establish certain controls to safeguard data
under the GDPR. The Schrems II decision upheld SCCs as a valid
transfer mechanism in the aftermath of Privacy Shield, but with an
important caveat: the parties must assess, on a case-by-case basis,
whether the law of the destination country allows the importer to
honor the SCCs and, where it does not, must adopt supplementary
measures or refrain from transferring. In June 2021, the Commission
issued updated SCCs, in part to address the Schrems II ruling.
The new SCCs require the data exporter and importer to warrant
that they have no reason to believe that the laws and practices
in the recipient country prevent the data importer from fulfilling
its obligations under the SCCs, and to document that assessment.
The revised SCCs also require a data importer to notify the data
exporter (and, where possible, the data subject) if it “[r]eceives
a legally binding request from a public authority” or “[b]ecomes
aware of any direct access by public authorities to personal data
transferred.” The revised SCCs have been required for new contracts
and processing operations since September 27, 2021, and the
Commission has stated that all existing contracts and data transfer
agreements relying on the old SCCs must be migrated to the new SCCs
by December 27, 2022.
For now, the revised SCCs appear to offer a reliable legal basis
for data transfers in the wake of Schrems II. However, a recent
decision by the Austrian Data Protection Authority (Austrian DPA)
threatens to upend the state of EU-US data transfers yet again, as
the adequacy of transfers made under the new SCCs comes under
question. In its Google Analytics decision, the Austrian DPA found
that the SCCs used by a website operator and Google did not provide
an adequate level of protection under the GDPR because Google remains
subject to U.S. intelligence surveillance laws, and Google’s
additional safeguards did not eliminate the possibility of access
by U.S. intelligence agencies. Those safeguards included obligations
to: (1) notify data subjects about government access requests;
(2) issue transparency reports; (3) implement a policy on handling
government requests; and (4) carefully evaluate any such request.
The decision turned on the fact that these are largely organizational
measures that do not technically prevent access to the data once it
is in the United States.
The Austrian DPA’s decision is the first ruling on 101 similar
complaints filed across the EU by the non-governmental organization
“None of Your Business” (noyb). It remains to be seen whether other
European regulators and courts will echo the reasoning of the
Austrian DPA. However, with additional scrutiny of the new SCCs,
businesses hoping for some consistency in the area of EU-US data
transfers may be disappointed.
What Businesses Can Do Now
• Businesses should already be using the new SCCs and preparing to amend older contracts with the new form.
• A close eye should be kept on developments in the EU that could significantly impact cross-border data transfers.
TRENDS IN MARKETING COMMUNICATIONS LAW 13