Data Security Update: What Businesses Need to Know About a Growing Trend

By: Ian Brinkman

The most recent EU General Data Protection Regulation (“GDPR”) penalty assessed against Google is a reminder to all businesses that the data protection landscape is changing, fast.[1] Not only can data protection regulations cross international borders, but similar schemes are popping up in the United States at the state level. Furthermore, data protection requirements no longer apply only to a business’s customers’ data. The Pennsylvania Supreme Court made this clear in its most recent decision requiring employers to protect their employees’ data as well.

State Mirrors the Global Model: California Copies Europe

In mid-2018, California enacted AB 375, the California Consumer Privacy Act of 2018 (“CCPA”).[2] This new, sweeping data privacy law takes effect January 1, 2020. Just as with the GDPR, businesses need to start thinking now about the steps required to comply with the CCPA. The CCPA shares the GDPR’s basic tenets, but its finer points differ in ways that benefit both businesses and consumers.

What is the CCPA?

The California Legislature enacted the CCPA in response to the rampant political and commercial misuse of consumers’ personal data. Like the GDPR, the CCPA provides consumers the right:

(1) to know what information is being collected, (2) to know whether their information is sold or disclosed, (3) to opt out of sale or disclosure, (4) to access their information, (5) to non-discrimination on price and service for exercising their privacy rights.[3]

Businesses must implement policies and procedures that let consumers reasonably exercise these rights. The CCPA also extends a private cause of action to consumers, who may recover either statutory damages ($100 to $750 per consumer per incident) or actual damages, whichever is greater. Furthermore, the California Attorney General can levy civil penalties of $2,500 per violation, or up to $7,500 per intentional violation.[4]

What are the differences between the CCPA and the GDPR?

While the general contours of the CCPA may appear to heavily favor consumers, the law is balanced in its application. First, unlike the GDPR, the CCPA covers only the personal information of California residents. Thus, businesses serving only out-of-state travelers do not need to worry about complying with the law. The CCPA is also narrower in that only certain businesses need to comply, namely those that:

(1) have annual gross revenues over $25 million; (2) annually buy, receive, sell, or share, for commercial purposes, the personal information of 50,000 or more consumers, households, or devices; or (3) derive 50 percent or more of their annual revenue from selling consumers’ personal information.[5]

There is more good news for businesses. The private cause of action is triggered only by a data breach that results from the business’s failure to implement and maintain reasonable security procedures, not by every violation of the Act. Also, statutory damages are unavailable if the business cures the violation within 30 days after receiving written notice.[6] Finally, the California Attorney General has yet to release the regulations the law mandates, which may further clarify, and perhaps soften, some of the law’s more burdensome provisions.

Right Here at Home Too: Pennsylvania Supreme Court Brings Employees’ Data into the Fray in Dittman v. UPMC

On November 21, 2018, the Pennsylvania Supreme Court left its own mark on the cybersecurity landscape affecting businesses. Before that date, two things were true in Pennsylvania: (1) an employer owed no special duty of care regarding employees’ data, and (2) employees had to show more than a purely economic loss from the misuse of their data to recover damages from their employer.

However, the Supreme Court of Pennsylvania has now made clear that employers have an independent legal duty to use reasonable care to protect employees’ data that are stored electronically and accessible via the internet.[7] Furthermore, because that duty exists independently of any contract, an employee who shows the employer breached it can recover purely economic damages, which the economic loss doctrine would otherwise bar.[8]

Dittman v. UPMC also illustrates a nightmare scenario for an employer. The employees, as a condition of their employment, were required to provide their Pittsburgh-based medical employer with certain personal data. When the data of 62,000 employees were stolen in a breach and then used to file fraudulent tax returns, those employees commenced a class action lawsuit against their employer. In addition, the court held that the duty extends to former employees as well as those currently on the payroll.[9]

Taking Action and What is Ahead

  • Once new entrepreneurs have concluded that their companies need to comply with the growing regime of data protection laws, they can be proactive without risking unnecessary expenditures driven by fear-based over-compliance. Most of these laws require, or at least encourage, creating a data protection plan. Part of this planning forces a business to know the extent of the data it collects and what it intends to do with that data. Businesses can get a head start by sitting down with their IT department, third-party vendors, and management teams to outline detailed goals, deliverables, and implementation strategies. Once these items are in place, companies can implement other measures that new laws might require or that the companies themselves find useful.
  • Companies can also help themselves by understanding that these data protection laws are a sign of a wider trend: governments and regulators trying to get a handle on the interconnectedness of businesses, data, and consumers. What is apparent is that the number, scope, and reach of these laws is only increasing. 2019 will usher in not only new data protection standards, but also new laws affecting businesses that traditionally did not need to worry about laws outside their own state.

Ian R. Brinkman, at the time of this post, is a third-year law student at Penn State’s Dickinson Law. He is originally from Central Pennsylvania and will start his legal career at Gibbel, Kraybill and Hess in Lancaster, PA as an associate in their Corporate practice group. He also helps coordinate the Volunteer Income Tax Assistance clinic at the law school.

Sources:

[1] Matt Jeweler, Massive GDPR Fine Is a Wake-Up Call to Get Compliance and Cyber Insurance Squared Away, Pillsbury Policyholder Pulse Blog (Feb. 5, 2019), https://www.jdsupra.com/legalnews/massive-gdpr-fine-is-a-wake-up-call-to-34398/

[2] A.B. 375

[3] A.B. 375, Section 2(i)

[4] A.B. 375, Section 3, Subsection 1798.150

[5] A.B. 375, Section 3, Subsection 1798.140

[6] A.B. 375, Section 3, Subsection 1798.150

[7] Dittman v. UPMC, 196 A.3d 1036, 1056 (Pa. 2018)

[8] Id.

[9] Id. at 1038


Author: Kamron Abedi

Hello! My name is Kamron Abedi. I grew up in Southern California and attended Arizona State University for my undergraduate degree. I am currently a law student at the Penn State Dickinson School of Law, and I will be graduating in the Spring of 2019. I will be completing a certificate in Entrepreneurship Law along with my JD, and I plan to practice in business/transactional sector post-graduation. If you have any questions or comments you would like to send to me directly please contact me at kua68@psu.edu. Enjoy!