The EU’s General Data Protection Regulation (GDPR) is the most significant change to consumer privacy laws in decades, and the enforcement date is approximately 1 month away. The standards for data collection and use in the EU will differ significantly from those in the United States. This session will break down the differences and discuss methods for compliance going forward.
PRESENTER
Gary Kibel, Partner, Davis & Gilbert LLP @GaryKibel
AGENDA
1. U.S. vs. EU – Contrasting approaches to personal data
2. Key GDPR provisions applicable to ad tech and email
3. Pending Legislation
4. Q&A
GDPR is Coming – Are Emailers Ready?
Digital Marketing and Big Data
QUOTES
“You have zero privacy anyway. Get over it.”
Scott McNealy, CEO, Sun Microsystems, 1999
“Men lie. Women lie. Children lie. The only three things that don't lie are data, pets, and Spandex workout clothing.”
Peter Shankman, PR/Author
GDPR & Ad Tech: Examining the IAB Europe Transparency & Consent Framework
U.S. VS EUROPE
PRIVACY ENFORCEMENT
U.S.: FTC Section 5 – “Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.”
EU: Regulation (EU) 2016/679 of the European Parliament – General Data Protection Regulation (GDPR)
EU: Directive 2002/58/EC – ePrivacy Directive
FEDERAL TRADE COMMISSION ACT SECTION 5
» “Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.”
- Deception = Misrepresentations or omissions likely to mislead consumers acting reasonably under the circumstances
- Unfairness = causes or is likely to cause substantial consumer injury, not reasonably avoided by the consumer, and not outweighed by countervailing benefits to consumers or competition
U.S.: PII = Personally identifiable information
» COPPA – “personal information”
» HIPAA – “protected health information”
» GLB – “nonpublic personal information”
» State security breach notification laws
EU: Personal Data = any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
EXPANDING SCOPE OF PERSONAL INFORMATION
» FTC Consent orders – “Persistent identifiers”
» COPPA Amendments 2013 – Definition of personal information expanded to include any “persistent identifier that can be used to recognize a user over time and across different websites or online services”
- Carve out for “support for internal operations”
• Certain internal activities would not be considered a collection of PI, as long as the information collected is not used or disclosed to contact a specific individual (e.g., site maintenance and analysis)
FTC – WHAT IS PII?
Blog post – April 21, 2016
» “… we regard data as ‘personally identifiable,’ and thus warranting privacy protections, when it can be reasonably linked to a particular person, computer, or device. In many cases, persistent identifiers such as device identifiers, MAC addresses, static IP addresses, or cookies meet this test.”
GDPR APPLICABILITY TO AD TECH AND EMAIL
GDPR FOR AD TECH
» What is the GDPR?
» 173 Recitals. 99 Articles.
- Enforcement begins May 25, 2018
» Why is this important?
- Penalties = up to 4% of worldwide annual turnover or €20,000,000
GDPR FOR AD TECH
(1) Applicability / Extra-territorial scope
- Applies to controllers / processors not established in the Union where:
• (i) the processing relates to the offering of goods/services in the EU or (ii) monitoring of behavior of data subjects who are in the Union
(2) Lawfulness of Processing
- Consent
- Legitimate Interest (interests and rights and freedoms of the user are not overriding)
GDPR FOR AD TECH
(3) Personal Data
- Definition of personal data includes:
• Pseudonymous data
• Online identifiers (e.g. cookie IDs)
• Location data
• Child - <16 (vs. <13 in U.S.)
(4) Pseudonymization
- “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.”
(5) Anonymous Data – no connection of data with an individual
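As an added illustration of the pseudonymization definition in (4) and its contrast with anonymous data in (5) (example code, not from the presentation): a keyed HMAC over a subscriber's email address yields a token that stays consistent for analytics but cannot be attributed to the person without the key, which is the "additional information" held separately. The subscriber records and key handling are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample email-list records (not real subscribers).
SUBSCRIBERS = [
    {"email": "alice@example.com", "opens": 12},
    {"email": "bob@example.com", "opens": 3},
]


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalised identifier.
    Without `key` the token cannot be attributed to the subscriber, yet the
    same key always yields the same token, so per-person counts still work.
    An unkeyed hash would not qualify: anyone holding a list of addresses
    could recompute and match it, so the data would remain attributable."""
    normalised = identifier.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymize_dataset(records, key: bytes):
    """Replace the direct identifier with a token; keep the analytics fields."""
    return [{"token": pseudonymize(r["email"], key), "opens": r["opens"]} for r in records]


def build_lookup(records, key: bytes):
    """Re-identification table; stored apart from the dataset, key holder only."""
    return {pseudonymize(r["email"], key): r["email"] for r in records}


def reidentify(token: str, lookup):
    """Attribution is possible only with the separately held lookup table."""
    return lookup.get(token)


def demo():
    key = secrets.token_bytes(32)        # kept apart from the pseudonymised data
    other_key = secrets.token_bytes(32)  # a second party's key
    data = pseudonymize_dataset(SUBSCRIBERS, key)
    lookup = build_lookup(SUBSCRIBERS, key)
    # Same input and same key -> same token (consistent analytics).
    assert data[0]["token"] == pseudonymize(" Alice@Example.com ", key)
    # Different key -> different token: tokens cannot be linked across
    # parties unless the key itself is shared.
    assert data[0]["token"] != pseudonymize("alice@example.com", other_key)
    return reidentify(data[0]["token"], lookup)
```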
GDPR FOR AD TECH
(6) Data Subject Access Rights
- Transparency
- Access / rectification
- Restrict processing
- Right of erasure (a/k/a right to be forgotten)
- Right to restrict processing / Right to object
- Data portability
(7) Client / Vendor Relationships
- Data Processing Agreements
GDPR FOR AD TECH
(8) Lots of Internal / External policies
- Internal – Information Security
- Privacy Notices
- User flow
(9) Breach notification
- 72 hours to regulatory authorities
(10) Record keeping
- Processing activities
- More
HIERARCHY OF EPRIVACY AND GDPR
(Diagram)
Storing/accessing data on device → ePrivacy → Consent: collection of data over the internet generally requires consent under ePrivacy rules.
Processing personal data → GDPR → GDPR Legal Basis: processing of personal data requires a GDPR legal basis, e.g. consent or legitimate interest.
GDPR
» Radically different approach to tracking than in the United States
VERMONT – H.467 (DATA BROKER PROTECTION ACT)
» “Data Broker” means a commercial entity that collects, assembles, or maintains personal information concerning individuals residing in Vermont who are not customers or employees of that entity for the purpose of selling or offering for sale, or other consideration, the personal information of a third party.
» “Personal Information” includes information that identifies, relates to, describes or is capable of being associated with a particular individual. Includes internet usage history; profile that includes personality / characteristics
» Data brokers must register with the state
» Data brokers must annually report to the state on their activities
» “Know your customer”
» Status: In committee
“CONSENT ACT” (2018)
SENS. MARKEY (D-MA) & BLUMENTHAL (D-CT)
» Notice and choice for “personally identifiable information”
» Affirmative, express consent to use, disclose or access “sensitive customer proprietary information”
- Includes web browsing history and application usage history
» Authorizes FTC to implement regulations
» No re-identification permitted
» Breach notification obligation
» Status: In committee