As we have previously covered, Wisconsin businesses may be subject to the requirements of the European Union General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). Additionally, many states, including Wisconsin, and the federal government are considering similar data protection bills that may impact Wisconsin businesses. With overlapping obligations, compliance with data protection laws is an increasingly tricky business for most companies. To ensure that your company doesn’t inadvertently violate any current or future laws, consider the following six steps:
Step 1: Consider the Applicability of Data Privacy Laws
Companies should determine whether existing consumer data privacy laws apply to them. The GDPR applies to companies (1) established in the EU and conducting data processing in the context of that business’s activities; or (2) either: (a) offering goods or services, for free or for a fee, to individuals in the EU or (b) monitoring the behavior of individuals within the EU.
Wisconsin companies with a physical presence in the EU will almost certainly be subject to the GDPR. Without a physical presence, a Wisconsin company will nonetheless likely fall within the GDPR’s scope if it offers products or services to EU individuals or businesses or if it monitors the online behavior of EU individuals or businesses.
On the other hand, the CCPA will apply to your business if it is a for-profit business that does business in the state of California and collects California consumers’ personal information (or such information is collected on its behalf) and determines the purposes and means of processing California consumers’ personal information, AND if it meets one of the following criteria:
- It has at least $25 million in annual gross revenues;
- It buys, sells, shares, or receives the personal information of at least 50,000 California consumers, households, or devices per year; or
- It derives at least 50 percent of its annual revenue from selling California consumers’ personal information.
Most companies should be able to determine whether they meet the above criteria. Some businesses may struggle to determine whether or not they buy, sell, share, or receive the personal information of at least 50,000 California consumers, households, or devices per year. Still, companies with even a small or moderate online presence will likely meet this threshold due to the broad scope of the CCPA’s definition of personally identifiable information (PII).
Once you have determined that the GDPR or CCPA applies, take affirmative steps to ensure that you are in compliance.
Step 2: Map Your Company’s Data
Once you have determined that the GDPR or the CCPA applies to your company, you must map the data that your company collects. Mapping will include knowing the type of data you are collecting, its source, and what happens to the data after it has been collected. You should also identify where the data is kept, what encryption or other security your company uses to protect that data, who has access to the data, and whether there are any security risks.
This step is necessary and must be taken to understand what data your company collects and where and how it is stored so that you can take appropriate steps to ensure efficient compliance with applicable data protection rules.
Step 3: Clean Up Your Company’s Data
Companies should be disciplined and strict about data collection. Determine what information is necessary and what information is superfluous. Moreover, think about why certain PII is retained, rather than deleted, in view of the company’s data collection goals. You may find a greater financial gain in deleting troves of PII as opposed to investing in storage and encryption. Moreover, deleting unnecessary files can help reduce the risk of inadvertently committing data protection violations.
This step will not only help ensure compliance, but it will also allow you to develop an effective and potentially financially valuable strategy for data collection.
Step 4: Create Privacy Protection Procedures and Policy
To ensure that consumers may exercise the rights to their PII granted to them under the GDPR and the CCPA, your company must have efficient processes. In crafting a privacy protection policy, consider:
- how individuals can give consent for data collection and transfer;
- the process for a consumer to request data deletion or to opt-out of data collection;
- how the company can ensure complete, effective data deletion or tagging across all platforms;
- the process for responding to a hypothetical data breach; and
- how the company can ensure that minors give proper consent.
When creating privacy procedures and policies for your company, it is important to understand that the relevant consumer data privacy laws require transparency in matters concerning PII. Therefore, your company’s privacy procedures and policies must be drafted carefully and with the complex obligations of the GDPR or the CCPA in mind.
Step 5: Update Your Company’s Online Privacy Policy
Under the GDPR or the CCPA, your company must have an easily accessible and understandable privacy policy. To ensure that your company’s privacy policies comply with the GDPR and the CCPA, you must ensure that it contains the following:
- A statement to residents of California or the EU that they have the right to opt-out of the sale of their data;
- An explanation that indicates how the company will inform consumers of future privacy policy updates; and
- A description of how the consumer’s data will be used, including all possible uses that involve a transfer of that data.
Furthermore, you must update your company’s privacy policy at least once every 12 months and notify consumers of each such update. As discussed, every privacy policy must be easily accessible and transparent. Even unintentionally complex policies may expose your company to liability.
Step 6: Update Your Company’s Website
Finally, to comply with the GDPR and the CCPA, a company must include a link on its website that says “Do Not Sell My Personal Information.” The link must use that specific phrasing and bring users to a page that allows them to opt-out of any sale of their data. This link must be separate from the general privacy agreement and cannot require the consumer to create a profile or account to access the opt-out. The CCPA also requires companies to create a toll-free number for consumers wanting to opt-out of the sale of their data.
After a consumer opts out, a company has two options under the CCPA: (1) it can retain the consumer’s PII but exclude that PII from any sale, or (2) it can delete the consumer’s data entirely. However, the GDPR requires the company to delete the consumer’s data entirely. Thus, it is very important to understand whether the CCPA or GDPR (or both) applies and to have specific procedures in place to respond to a consumer’s request to opt out.
What to Expect in Wisconsin
Because the GDPR and the CCPA are intentionally extraterritorial, their obligations may easily reach Wisconsin businesses. Furthermore, because of the steep fines for violating these data protection laws, Wisconsin businesses must either confirm that they are not subject to these strict requirements or take proactive steps to ensure compliance.
Even if the GDPR and the CCPA currently do not apply to your company, it may not be long until Wisconsin or the federal government implements a consumer data protection law that does. Consequently, regardless of whether you do business in the European Union or in California, beginning to implement better data collection practices now may help your companies online reputation and reduce future risks.
O’Neil, Cannon, Hollman, DeJong and Laing remains open and ready to help you.