January 10, 2020
With the California Consumer Privacy Act (CCPA) due to take effect in January, many Virginia business owners are debating whether it’s time to alter their data protection policies. Some may be hesitating, as these new regulations don’t seem so far-reaching, but understanding the origins of the CCPA and its meaning for the future of United States data privacy laws is essential for protecting even Virginia businesses from expensive data privacy litigation.
The CCPA was derived from the European Union’s (EU) stringent data protection legislation known as the General Data Protection Regulation (GDPR), which is why it’s sometimes referred to as the “GDPR-lite.” California may be the first state to adopt the GDPR, but experts are certain it won’t be the last. Virginia has already adapted its data privacy laws on the heels of the GDPR, and getting ahead of the data privacy game can mean bigger benefits and greater protection for your Virginia business.
Whether you’re expanding to Europe, offering international products, or simply curious about recent data privacy changes, schedule your data privacy and GDPR compliance consultation with one of the experienced Virginia and D.C. corporate attorneys at McClanahan Powers, PLLC today by calling (703) 520-1326 or contacting us online.
Passed in 2018, the GDPR sets forth EU regulations protecting the personal data of private persons from misuse and mismanagement. It reiterates that private persons are the ultimate owners of their personal data and, as such, are entitled to regulate its use. Some of the private rights established by the GDPR include the right:
These rights are not absolute, but they do form the basis for GDPR data protection laws.
Entities doing business in the EU are further required to protect personal data gathered by automated means and/or stored in the regular course of business. Personal data is defined broadly by the GDPR as “any information relating to an identified or identifiable natural person.” Examples include, but are not limited to:
If the personal data collected and stored by a business can be used (alone or on the whole) to trace and identify a subject or steal an identity, it likely qualifies as personal data under the GDPR.
Importantly, IP addresses are considered personal data by the GDPR. An IP address is a unique identifier that can allow others to identify a particular computer that is connected to the internet. As they fall within the regulation’s definition of personal data, it is critical for business owners that do business in Europe to handle IP addresses in a way that is compliant with the GDPR. In addition, domestic companies should take this opportunity to review their own practices and consider whether they would be compliant with any future federal or state regulations modeled on the GDPR.
The GDPR is a complex regulation, but there are seven key principles member nations advise data processors to contemplate when collecting and storing qualifying personal data:
While not guaranteed, processing personal data in accordance with these principles is the first step in protecting Virginia businesses from GDPR liability.
The GDPR “applies to the processing of personal data . . . regardless of whether the processing takes place in the Union or not.” It also “applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union provided the processor offers goods and services (even free goods or services).” This means businesses outside the EU that process and/or store the personal information of EU residents through the offering of goods or services are subject to the GDPR. For example, Virginia businesses offering international shipping through their website are subject to the GDPR. Penalties for violating GDPR provisions include fines set by the victim’s member nation, but fines for data processing violations by major corporations (such as Google) may be as high as 20 million euros or up to 4% of the corporation’s entire global turnover. In 2018, Google was fined 50 million euros for GDPR violations.
With the adoption of the “GDPR-lite” in California and the fact that California is the most populated sub-national entity in North America, many states are following suit. Nearly every state passed certain data privacy amendments on the heels of the GDPR, and experts anticipate this is only the beginning of United States data privacy changes mirroring the GDPR.
Don’t get blindsided by sudden stringent changes to U.S. data privacy regulations in the coming years. The GDPR sets the standard for first-world data privacy, and structuring your Virginia business to comply with stringent GDPR standards now provides businesses with blanket protection in the years to come.
The experienced Virginia GDPR attorneys at McClanahan Powers, PLLC, actively monitor for changes to relevant data privacy legislation in the United States impacting your business. Hardworking Virginia small business owners can have a profitable online presence without worrying about the legal implications inherent in every transaction with the help of McClanahan Powers, PLLC’s data privacy lawyers. Our top-rated Vienna corporate and small business attorneys can review your business plan, data privacy policies, and online presence to ensure compliance with the GDPR and bulletproof your procedures for the future. Schedule your GDPR compliance consultation today by calling (703) 520-1326 or contacting us online.