With the California Consumer Privacy Act (CCPA) due to take effect in January 2020, many Virginia business owners are debating whether it is time to revise their data protection policies. Some are hesitating because the new law does not appear to reach them, but understanding where the CCPA came from and what it signals for the future of United States data privacy law is essential for protecting even Virginia businesses from expensive data privacy litigation.
The CCPA was modeled on the European Union's (EU) data protection law, the General Data Protection Regulation (GDPR), which is why it is sometimes called "GDPR-lite." California may be the first state to adopt GDPR-style legislation, but it is unlikely to be the last. Virginia has already amended its own data privacy laws in the wake of the GDPR, and getting ahead of the curve can mean real benefits and greater protection for your Virginia business.
Whether you’re expanding to Europe, offering international products, or simply curious about recent data privacy changes, schedule your data privacy and GDPR compliance consultation with one of the experienced Virginia and D.C. corporate attorneys at McClanahan Powers, PLLC today by calling (703) 520-1326 or contacting us online.
Overview of the GDPR
Adopted in 2016 and in force since May 25, 2018, the GDPR sets forth EU-wide rules protecting the personal data of natural persons from misuse and mismanagement. It treats individuals (the "data subjects") as holding enforceable rights over their personal data and gives them a say in how it is used. The data subject rights established by the GDPR include the right:
- To be informed how your data is being collected and used
- To access your personal data
- To have inaccurate personal data corrected
- To have personal data deleted or erased upon request
- To suppress personal data and restrict its use
- To obtain personal data held by one provider in a portable, machine-readable format and transfer it to another (data portability), including to shop for a better deal
- To object to certain uses of personal data, such as direct marketing, and be informed of this right to object to its use
- Not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects
These rights are not absolute, but they do form the basis for GDPR data protection laws.
The GDPR applies to personal data processed wholly or partly by automated means and to manually processed data that forms part of a filing system, so ordinary business records kept in the regular course of business are covered. Personal data is defined broadly as "any information relating to an identified or identifiable natural person." Examples include, but are not limited to:
- Identification numbers (passport, license)
- Location data
- Online handles or identifiers
- Any information specific to a natural person's physiological, genetic, mental, economic, cultural, physical, or social identity (fingerprints, race, religion, facial recognition templates, DNA test results)
If the data a business collects and stores can be used, alone or in combination with other information reasonably available, to single out or identify a natural person, it likely qualifies as personal data under the GDPR.
Importantly, IP addresses are personal data under the GDPR. Recital 30 lists IP addresses among the online identifiers that, combined with other information, can be used to identify a natural person, and the Court of Justice of the EU held in Breyer (2016) that even a dynamic IP address is personal data in the hands of a website operator that has lawful means of linking it to a person. An IP address does not by itself name anyone, and a single address may be shared by many devices behind a NAT gateway or reassigned over time, but it still identifies a connection that can be traced back to a subscriber. For businesses that serve EU users, this means web server logs, analytics data, security event logs and fraud-screening records all contain personal data and need a lawful basis, a stated retention period and appropriate protection; truncating or pseudonymizing stored addresses and shortening log retention are common mitigations. Domestic companies should take this opportunity to review their own practices and consider whether they would be compliant with any future federal or state regulations modeled on the GDPR.
The Seven Key Principles of the GDPR
The GDPR is a complex regulation, but Article 5 sets out seven key principles that every controller must follow (and that processors must support under their contracts) when collecting and storing personal data:
- Lawfulness, fairness, and transparency – processing must rest on a lawful basis (such as consent, performance of a contract, a legal obligation, or legitimate interests), and individuals must be told who is collecting their data, why, and on what basis
- Purpose limitation – personal data may only be collected for specified, explicit, and legitimate purposes and must not be further processed in a way incompatible with those purposes (e.g., selling transaction data to marketing agencies)
- Data minimization – personal data must be adequate, relevant, and limited to what is necessary for the stated purpose
- Accuracy – personal data must be accurate and kept up to date, and inaccurate data must be erased or corrected without delay
- Storage limitation – personal data may be kept in identifiable form only as long as necessary for the stated purpose
- Integrity and confidentiality – personal data must be processed with appropriate technical and organizational security against unauthorized or unlawful processing and against accidental loss, destruction, or damage
- Accountability – the controller must be able to demonstrate, on demand, that it complies with the principles above
Following these principles does not guarantee immunity, but it is the first step in protecting Virginia businesses from GDPR liability.
GDPR Penalties & The Future of United States Data Privacy Laws
The GDPR applies to processing "in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not." It also applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union where the processing relates to offering them goods or services (whether or not payment is required) or to monitoring their behaviour within the Union. In practice, a business outside the EU that processes or stores the personal data of people in the EU in the course of offering them goods or services is subject to the GDPR; a Virginia business that ships to EU addresses through its website is one example. Fines are imposed by the supervisory authority of the relevant member state and come in two tiers: up to €10 million or 2% of worldwide annual turnover for the preceding financial year for violations such as inadequate security or record-keeping, and up to €20 million or 4% of worldwide annual turnover for violations of the core principles, data subject rights, or international transfer rules, in each case whichever is higher. In January 2019, France's data protection authority (CNIL) fined Google €50 million for GDPR violations relating to transparency and consent for ad personalization.
With California, the most populous U.S. state and the most populous sub-national entity in North America, adopting its "GDPR-lite," other states are following suit. Many states have amended their data breach notification and privacy statutes since the GDPR took effect, and experts expect this to be only the beginning of United States data privacy changes mirroring the GDPR.
Get Ahead of the Data Privacy Curve & Bulletproof Your Data Protection Policies with the Help of McClanahan Powers, PLLC
Don't get blindsided by stringent changes to U.S. data privacy regulations in the coming years. The GDPR has become the global benchmark for data privacy law, and structuring your Virginia business to meet its standards now gives you a strong foundation for whatever U.S. rules follow.
The experienced Virginia GDPR attorneys at McClanahan Powers, PLLC, actively monitor for changes to relevant data privacy legislation in the United States impacting your business. Hardworking Virginia small business owners can have a profitable online presence without worrying about the legal implications inherent in every transaction with the help of McClanahan Powers, PLLC’s data privacy lawyers. Our top-rated Vienna corporate and small business attorneys can review your business plan, data privacy policies, and online presence to ensure compliance with the GDPR and bulletproof your procedures for the future. Schedule your GDPR compliance consultation today by calling (703) 520-1326 or contacting us online.