Remote Working in the Coronavirus Economy Reveals Potential GDPR and CCPA Compliance Issues
Remote Operations/Work from Home
One of the most familiar aspects of how Coronavirus (COVID-19) has changed the economy is the widespread application of work-from-home protocols (WFH). WFH has allowed businesses to maintain operations by enabling employees to perform their duties remotely. Remote operations often involve employers providing a virtual private network (VPN) that allows employees to connect to their employers’ internal networks from home devices.
When navigating to websites through VPN, site visitors will generally appear to be working from the location of the VPN servers. This can cause compliance issues when the individuals utilizing a VPN are residents of California, the European Union, or other jurisdictions with laws governing the protection or use of their citizens’ personal information.
CCPA and GDPR
In the past several years, many jurisdictions have enacted detailed regulatory schemes intended to protect the personal information of their citizens. Most prominent among these are the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in the State of California. Among other obligations, these laws require that companies which collect and use individuals’ personal information comply with detailed safeguards to protect such information, disclose the types and uses of information collected (including any sale of personal information), and provide certain opt-out rights to individuals whose information is being collected and processed.
In order to comply with privacy regulations such as GDPR and CCPA, many website operators display different information or URLs to visitors depending on the location of the visitors. Website operators direct visitors to the appropriate information by determining the geolocation of each visitor through the IP address of the device the individual is using to access the internet. However, when using a VPN, the visitor will appear to be accessing the site from the location of the VPN servers. This means that an employee located in California may appear to be accessing a website or application from another geographic location. (This is why employees located, for example, in Los Angeles may see the weather for New York when they log into their computer and visit a website that reports the “local” weather.) Accordingly, the California resident may not (i) be shown the version of the website displaying the privacy information mandated by CCPA, and (ii) have their personal information sorted into the website operator’s silo of user information processed and retained under the requirements of CCPA. Note that this concern is applicable in a WFH setting, as well as in a multi-office environment where a wide area network (WAN) may cause the IP addresses of devices in the firm’s satellite offices to appear as though they are located in the same city as the primary office or central servers.
Consequences of Non-Compliance
The penalties for noncompliance with CCPA and GDPR can be severe. Both regimes impose significant statutory fines, even for unintentional violations, as well as private rights of action for affected individuals. Under GDPR, member states of the European Union are also allowed to add criminal penalties for violations. More information on the requirements and penalties under CCPA and GDPR can be found here.
What Can You Do?
Remote work environments create substantial risks for entities covered by CCPA and GDPR. If you think your company may be impacted by the foregoing considerations, the following activities may be useful for assessing and mitigating risk that can arise from incorrect processing of personal information relating to individuals protected by CCPA, GDPR and similar privacy regulations.
Conduct a CCPA/GDPR Assessment. Not all companies are covered by CCPA. Generally, CCPA covers for-profit entities (i) with gross annual revenues in excess of $25,000,000; (ii) which possess the personal information of 50,000 or more consumers, households, or devices; or (iii) which earn more than half of their annual revenue from selling consumers' personal information. GDPR has broader coverage, but may not be a concern for companies that do not target European residents with products and services. We can assist you in determining whether CCPA and GDPR are concerns for your business.
Confirm Treatment of Personal Information. If your business processes the personal information of customers and website visitors from California and Europe differently than other individuals, it may be wise to add some of the protections reserved for such individuals to your general information processing practices. For example, ensuring that similar security measures are applied across all personal information processed by your business, or allowing any individual to access or request the deletion of their information, will minimize certain risks arising under both CCPA and GDPR. If your business displays different privacy policies to residents of California, Europe, or elsewhere, consider consolidating them into a single document that covers the necessary considerations for different jurisdictions. We have a great deal of experience and can assist you with the process.
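The following is an added illustration, not code from this article or from Foley, of the two points above: geolocating a visitor by IP address (the practice described under "CCPA and GDPR") misplaces a Californian who arrives through an out-of-state VPN egress, while serving one consolidated notice that carries both the CCPA and GDPR disclosures (the approach suggested here) still covers that visitor. The geolocation table, the RFC 5737 documentation addresses, the notice names and the rights sets are all constructed for the example; a real site would use a maintained geolocation database and its own notice texts.

```python
"""Privacy-notice resolution: geo-IP only versus a consolidated notice.

Added example. Everything below (address table, notice variants, rights
sets, sample requests) is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

Location = Tuple[str, str]  # (country, region)

# Constructed geolocation table using RFC 5737 documentation ranges.
# The locations are stand-ins, not real geolocation data.
GEO_TABLE = [
    (ip_network("192.0.2.0/24"), ("US", "CA")),     # e.g. a home ISP in Los Angeles
    (ip_network("198.51.100.0/24"), ("US", "NY")),  # e.g. an employer's VPN egress in New York
    (ip_network("203.0.113.0/24"), ("DE", "")),     # e.g. an egress in Germany
]
EU_COUNTRIES = {"DE", "FR", "IE", "NL", "ES", "IT"}  # abbreviated for the example

# Rights/disclosures each notice variant provides. "combined" is the single
# consolidated notice the article suggests: CCPA and GDPR content for everyone.
RIGHTS = {
    "default": frozenset(),
    "ccpa": frozenset({"ccpa_disclosure", "do_not_sell"}),
    "gdpr": frozenset({"gdpr_disclosure", "access", "erasure"}),
    "combined": frozenset({"ccpa_disclosure", "do_not_sell",
                           "gdpr_disclosure", "access", "erasure"}),
}


def geolocate(ip: str) -> Optional[Location]:
    """Look the address up in the constructed table; None if unknown."""
    addr = ip_address(ip)
    for net, loc in GEO_TABLE:
        if addr in net:
            return loc
    return None


def notice_for(loc: Optional[Location]) -> str:
    """Which notice variant a given location is owed."""
    if loc is None:
        return "default"
    country, region = loc
    if country == "US" and region == "CA":
        return "ccpa"
    if country in EU_COUNTRIES:
        return "gdpr"
    return "default"


@dataclass
class Request:
    client_ip: str                              # address the site sees (VPN egress when on VPN)
    true_location: Location                     # where the person really is; unknown to the site
    declared_region: Optional[Location] = None  # region the visitor chose, e.g. kept in a cookie


def naive_resolve(req: Request) -> str:
    """Geo-IP only: the common practice the article describes."""
    return notice_for(geolocate(req.client_ip))


def hardened_resolve(req: Request) -> str:
    """Honour an explicit visitor choice; otherwise serve the consolidated
    notice, so a visitor misplaced by a VPN or WAN egress still receives
    every disclosure and opt-out they are owed."""
    if req.declared_region is not None:
        return notice_for(req.declared_region)
    return "combined"


def covers_true_location(resolver, req: Request) -> bool:
    """True if the notice served grants at least the rights owed at the true location."""
    owed = RIGHTS[notice_for(req.true_location)]
    return owed <= RIGHTS[resolver(req)]


# Constructed scenarios: a Californian at home, the same person over the NY
# VPN egress, and the same person after picking California in a region selector.
HOME = Request("192.0.2.10", ("US", "CA"))
VPN = Request("198.51.100.7", ("US", "CA"))
VPN_DECLARED = Request("198.51.100.7", ("US", "CA"), declared_region=("US", "CA"))

if __name__ == "__main__":
    for name, req in [("home", HOME), ("vpn", VPN), ("vpn+declared", VPN_DECLARED)]:
        print(f"{name:13s} naive={naive_resolve(req):9s} "
              f"covers={covers_true_location(naive_resolve, req)!s:5s} "
              f"hardened={hardened_resolve(req):9s} "
              f"covers={covers_true_location(hardened_resolve, req)}")
```

Run as a script, the "vpn" row is the article's scenario: the geo-IP resolver serves the default notice to a California resident, so the CCPA disclosure and opt-out are missing, whereas the consolidated notice covers the true location without the site needing to know that a VPN is in use.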
Review Your Website’s Cookie/Pixel/Analytics Agreements and Settings. CCPA contains additional requirements to which companies must adhere when selling the personal information of covered individuals. A “sale” under CCPA is a broad concept that even includes the disclosure of information for non-financial consideration. For example, even the use of third-party tracking and analytics tools may constitute a sale under CCPA. It is possible to avoid this determination if certain contractual conditions are met; several vendors have begun to provide product settings that minimize data processing in an effort to avoid the “sale” designation under CCPA. If your business is impacted by the considerations described in this article, you may want to review your agreements with third parties who receive and process personal information of your website visitors.
In summary, it is important for businesses that may be subject to CCPA and GDPR to take additional steps now in order to mitigate their risk of suffering negative impacts from the coronavirus and from the ongoing risks associated with the use of VPN for remote work. For more information about recommended steps, please contact your Foley relationship partner.
Companies in all sectors of the economy continue to be impacted by COVID-19. Foley is here to help our clients effectively address the short- and long-term impacts on their business interests, operations, and objectives.