AMT Lab @ CMU

View Original

Let’s Talk: GDPR, CCPA, and Data Privacy Laws In The News

In episode IV of Let’s Talk, Alyssa and Grace interview Larry Silverman, an attorney in Pittsburgh who specializes in topics like contracts, digital marketing, entertainment law, and nonprofit law. They discuss the General Data Protection Regulation (GDPR) in the E.U. and the recent California Consumer Privacy Act (CCPA), as well as more local data privacy policies, and the effects of these new laws.

Your browser doesn't support HTML5 audio

Let's Talk: GDPR and Data Privacy Laws In the News

[Musical Introduction]

Alyssa: Hello AMT Lab listeners, and welcome to our fourth episode of the Let’s Talk series, brought to you by The Arts Management and Technology Lab. My name is Alyssa and I am the Podcast Producer.

Grace: And I'm Grace, the Technology and Innovative Content Manager.

Alyssa: Each month we bring you trending stories and discussions with topics such as CRM, artificial intelligence, marketing, social media, inclusion, fundraising, and much more. Our goal is to exchange ideas, bring awareness, and stay on top of the trends. Today's episode will be a special edition episode with guest Larry Silverman, a lawyer based here in Pittsburgh. Together we will discuss the GDPR, the new CCPR, recent privacy policy updates, and the future of data privacy.

Grace: Before we get started, we'd like to make a quick disclaimer that the following information is not intended to be official legal advice. All arts organizations, businesses, and nonprofits are unique in their own way. Therefore, these answers provided are general answers found from basic research. If you need official advice, talk to your tech consultant or lawyer to figure out your organization's exact needs.

Let's get amped with AMT Lab!

[musical interlude]

Grace: We are here today with special guest, Larry Silverman, an attorney based here in Pittsburgh who specializes in contracts, digital marketing and advertising law, employment law counse- counseling, sports and entertainment law and nonprofit law. Thank you so much for joining us today, Larry. Would you mind, really quick before we get started, just giving us a little bit about your background?

Larry Silverman: Sure. I graduate-, I've lived in Pittsburgh all my life. I went to Duquesne, Pitt undergrad, Duquesne Law School. I worked for a judge in federal court for a couple years and then I worked for a law firm, Dicky, McCamey & Chilcote, for 20 years doing primarily commercial litigation. I then became, where I really got into the arts and entertainment field was when I became the Pittsburgh Pirates general counsel in 2002.

Alyssa: Oh, nice! [general laughter]

Larry: I had that job for 10 years, uh, went back to my old law firm for a few years, and now I've been practicing on my own for the last four. I also teach at the Law School (University of Pittsburgh) a sports law class and a class on law, social enterprise and entertainment. So that and I've done a lot of work in the data privacy area and sos that's why I'm here.

Grace: Well, again, thank you so much for joining us. We really appreciate you taking some time out of your day to be here with us. So.

Alyssa: So here's a question for everybody in the room today. Are you one of the many users that has recently received multiple emails from multiple companies that mentioned that they're updating their privacy policies?

Larry: I know I have.

Grace: Uh, I'm going to make a little confession here. I've kind of ignored most of those emails…

Alyssa: Oh no! [laughter]

Grace: Simply because-, I know that's a bad thing to do. But it's more just because the holiday craze, moving back into-, getting back on the work grind, I’ve been trying to make that adjustment. So, some of those emails have gone under the radar, but I have-, I do know that I have received them. I just haven't actually looked at them. So… [laughter]

Alyssa: Yes, that's happened to me as well. There's been a couple of emails that I received from companies that I forgot that I was subscribed to a very long time ago.

Grace: Well, there you go! That's a great way to know that you’re, that you have a subscription with them.

Alyssa: Yeah, absolutely. So, as we know, digital technologies are growing quickly and we're now beginning to ask questions on what legal rights we have with our personal data, and how companies can collect or use it. Back in April and May 2018, companies all around the world had to update the privacy policies to make sure that they were all compliant with the GDPR, aka the EU’s “General Data Protection Regulation”. The principles behind the GDPR is that companies must take measures for data transparency, storage, privacy, fairness, security, and accountability. In other words, as an EU citizen, if you use a service, you have the rights to full disclosure and consent of what happens with your personal information and you have the right to revoke this consent at any time. Businesses use large amounts of personal data in their day to day activities must also hire a data protection officer and they must alert users if a data breach occurs within 72 hours of the occurrence.

This regulation was officially implemented on May 25, 2018. And if you were a company, or an organization that collected the personal data of as little as one person in the EU, then suddenly, you had no choice but to become compliant with the GDPR. Therefore, many companies around the world had to rewrite their privacy policies. According to Natasha Lomas of TechCrunch, some companies could have chosen to fragment how they handle their data from around the world, but instead, some chose to accept the GDPR as a new ‘gold standard’ for how companies use all of their users data. Now, this was almost two years ago since the GDPR was enforced, but back in November and December 2019, we suddenly saw another onslaught of notifications or emails on companies changing their privacy policies. When I personally first saw this, I thought to myself, “Did something happen with the GDPR again?”. But instead, this is actually because of the CCPA, or the “California Consumer Privacy Act”.

The CCPA is a bill that passed on October 11 2019 to enhance data protection of California users. The bill is similar to the GDPR’s principles where users have the rights to know what's happening with their personal data. However, one key takeaway is that companies must provide an opt out option to California residents to not have their personal data sold to third parties. In addition, companies cannot discriminate against the user, regardless of how user sets their data preferences. Even though this is a regulation purely for citizens of the state of California, this is another new regulation that affects companies and their privacy policies on a global level. So, here's my first question for you then Larry: Do all companies have to adjust their policies to become compliant with the CCPA?

Larry: No. There's-, first of all, the act is limited to companies that have annual gross revenues of over $25 million dollars.

Alyssa: Oh!

Larry: Yes. And/or they sell 50,000 or more-, 50,000 more consumers have their personal information sold, where 50% of their gross revenues are derived from the selling of personal data. So, if you're a regular company that doesn't routinely sell personal data, it's not part of your model, your business model, then the act only applies if you are of that sufficient size, $25 million. The other important difference between the two is that the California Act does not apply to nonprofits. It says commercial websites, it's very clear, it's been interpreted, whereas the GDPR, that applies to all websites, regardless of size. So that, while there are certain exceptions, where you're allowed to retain information if you need that information in order to complete a transaction, for example, so if somebody would ask for the deletion of their information, you might have the ability to say no, because we need it so that we can send you those widgets that you ordered online. But in general, the GDPR applies across the board.

The other fact is America is sort of-,  the United States sort of catching up, if you will, with the, with the Europeans who are way ahead of us in terms of being concerned about data privacy. So, California took the lead; however, there's a number of other states now that have enacted statutes. Most of them are modeled California, some may extend a little further, some aren't quite as broad. ut New York has one now, Delaware has one, Nevada, and coming in 2020, I think is Oregon, New Hampshire, Washington State and others. Which-, the effect of which is pretty much that you're going to have to comply with these rules because unless Delaware, for example, has a $25 million limitation, you're, it's, it's- Unless, unless you're sure you have no visitors, or you collect no personal information from anyone that resides in Delaware, then technically you have to comply. And it's one of the reasons why I ask clients all the time, you know, “is there any reason you collect personally identifiable information?”, because it's okay to collect aggregate data, you know, which doesn't Identify anybody. But if you start collecting personal information, if you need that, then you have to comply with these laws. If you don't need it, don't do it because there are a lot of rules and regulations that you have to comply with.

So, and then the final point I'd make too, is that California actually, for a long time, has had a statute, and several others do, that require you to post a privacy policy. It's a different statute called the California Online, it’s got a [inaudible] the title, Cal OPPA, they call it and- uh… [rustling paper] Yeah, the California Online Privacy Protection Act, which has been in place since 2004. And-, but it did not, that  statue did not give all the rights to the people who provide personal information through, through a website or an app, as the new statue does, but it did require you to post and just generally describe what you do with the information, how you collect it, why you collect it, and whether you share it with third parties. So, I've advised my clients for years to have privacy policy, even if you don't really do a whole lot with data because again, you'd be technically violating California’s law because that again- And this is why people hate lawyers, but the-, or hate, or hate the legislators [laughter], because that statute applies to all commercial websites, no matter how big or small you are. So, I'm always amazed at how many companies do not have a posted privacy policy. It really, it's, it's, in this day and age with all the business it's generated you should. Everyone should have it.

Alyssa: Yeah, it's interesting, because upon my research, I found another example, with California specifically, in terms of data privacy laws, where in 201-, [rustling paper] I’m sorry, in 2005, the California “Shine the Light” law was enacted that required companies to disclose what a user's information was shared with a third party, plus which third party the information was shared with. So, there's like-, this is one of the many examples where California has certainly been ahead and done its best to look out for its population and what's done with their data.

Larry: And that's why you'll sometimes see most people don't read the privacy policy where the terms of use, that link on the bottom of the page, but the data privacy junkies who do will often see a paragraph that talks about that “Shine the Light”, and specifically says “if you are a California resident, you have the right to do x, y, and z, but if you're not a California resident, you don't have those rights”. So, you know, having a-, without a, an overall federal law, which we do not have in the United States, we-, there's, there's several that are, have been introduced by Congress. It's all, it becomes sort of a hodgepodge of laws that you have to be aware of and if you are looking to have a reach across the United States, which most people certainly hope people visit their site from everywhere, you're, you're in a position where you almost have to comply with the toughest state law. If you comply with the toughest state law, then you can be comfortable that you're complying. And then of course, you have to see if you have EU users, which, which is very, very tricky. I had a client that collected data in 20 different ways.

Grace: Oh my goodness!

Larry: And we had to figure out how those 20, of those 20, which ones it was possible involved EU residents. I mean, when they when somebody walked into the, into the, in this case, it was a museum, signed up for a class or did something where they were physically there, you knew they weren't located in the EU, because it's where they're located. Even if they were European visiting Pittsburgh, it would not apply if they were, at the time they provided their personal information, they were here in the United States.

Grace: That’s an interesting distinction.

Larry: So, yeah, but if there, but, but typically, if you're online, it's you're, you're, you're sitting somewhere in an EU country and if that's the case, then you have to comply with the law. They were able to determine in which instances, but it's very, it can be very difficult, obviously, to, to determine and I think it's what you said earlier, most companies have just decided to comply with the EU standards or the California standards, which are which are similar.

Alyssa: Absolutely.

Grace: Um, so, just to expand this a little bit, um, the GDPR of course, has been the first major example of government addressing some data privacy rights, such as the Right to be Forgotten, and the Right to be Informed. The CCPA was clearly next in addressing this, as we've sort of talked about now. What do you think this might mean, globally, for the future of privacy? Should we expect many more of these regulations and policies to come into effect around the world? I know you were mentioning some of the upcoming statutes that states are doing, um, but I'm curious expanding out a little bit since they're-

Larry: They're already it are many jurisdictions, countries, have data privacy laws. It would really be impossible, I think in this podcast, to discuss all of them and I'm certainly not familiar with all of them. It's been generally accepted that the GDPR goes the furthest. So, you know that if you comply with it, you can be almost sure you comply with Brazil or Mexico or other countries that, that are also concerned with data privacy. I think that in terms of where it's going, I think that it'll be interesting to see if it, you know, if it works. For example, the California statute requires that on the homepage of your website, you post a statement that says we're-, which basically allows you to opt out from the selling of your personal information, you know. You check it, please don't sell my personal information. I mean, the statute gives you the exact words to use. I'd be curious, and I'm sure somebody is documenting this, but it's so early in the process, I mean, the statute literally just went into effect two weeks ago.

As to whether people are doing that, you know, because you always, when you, as we all know and I'm sure you two know better than me, you're always told that, you know, “if you want to change, if you want to opt out, you're going to lose some of our services”. If you, if you decide-,

Grace: Right, that’s always the caveat.

Larry: You know, so there, there, there-. Many people just sort of close their eyes and, and just plunge ahead, I think, and, but, you know, regulators nevertheless, I think are really trying to give people the choice. And especially in the GDPR, you can't just say it’s so, you have to have all kinds of regimens. You mentioned earlier about having companies of certain size have to have a data person who's in charge of this process. You know, they want it to be “everybody has to have a written internal security policy now”, under that, under the GDPR. And one of the things they do is that they want it to be approved by the board. You have to show it's approved by the board, you have to also show, document your compliance. You can't, again, just say it’s so. And I think that that, that's going to be telling as to whether companies really do comply. I mean, I know that with many of my clients, and I know from reading that when the GDPR became effective, I think I saw something like 40% of companies had made the changes necessary at the time. Now, it's two years later, a year and a half later, I assume that number’s much higher, but, you know, the penalties under that statute are, are-

Grace: They’re extreme.

Larry: Four percent of your worldwide revenues.

Alyssa: Oh, yeah. And with the CCPA, like, fines could range from $2500 to $7500 per violation and depending on like, how many users data you have, like that number can add up extremely quickly.

Larry: Yeah. And that's why even, even nonprofits again, because, because of the application of the GDPR, they're sort of reluctantly, I think, complying with the CCPA as well, because it's, as long as you have to comply with one, you might as well comply with all, but technically they don't have to. I mean, the, you know, it's interesting too, because in the United States, the Federal Trade Commission is the primary federal agency that has jurisdiction. And they're the one, in addition to consumers where the statute gives the right to consumers, it's always been the case that businesses are required not to engage in unfair and deceptive trade practices. And the Federal Trade Commission is the agency that has jurisdiction to enforce that requirement.

And they've brought lawsuits, they brought claims against companies that, for example, represented that they had certain security measures for the data in place when they in fact didn’t, they overstated. In other words, in their privacy policy what they actually did. Or, they misrepresented what they did with the data, who they shared it with, they shared with third persons and they didn't actually. There was nothing wrong with sharing it with third persons, they were, they were caught if you will, or challenged, if you will, by the, by the Federal Trade Commission because they, they were doing something that they didn't explain to the consumer. So, it's a long answer to a short question, but I think what's coming is, is really the enforcement because if people need to know it's real. I mean, I've had so many clients say to me, “I'm just so little arts or sports company, nobody's gonna bother”, and to some degree they're right. I mean, but it will gradually build, you know, for example, that it used to be- This is a little off topic, but, but you couldn't-, influencers need to state-, a company that is using an influencer needs to have some statement on their website saying that that influencer is being paid or compensated in some way if they are.

Alyssa: Oh, of course.

Larry: And it used to be, and companies have been hit with a lot of claims by again, the Federal Trade Commission, for a long time, the influencer themselves, they were leaving them alone, b,ut now they're going after them. So if Kim Kardashian is getting paid, and she doesn't have that statement, where she's holding those shoes up on the website, then you know, the, the, she herself could be liable. And I think the same thing’s going to happen in the privacy area, because I think that it will start with the big companies. They'll bring claims against the big companies, and then they'll, they'll move along. So, that I think is really going to be the interesting thing – whether, whether it changes behavior is really going to be I think the big question.

Grace: Yeah, and I think as the, just general world, starts to adjust to the expansion of digital connection that we've been seeing as a trend over the last five years, maybe even last year, even, because it moves that quickly. I think you're hitting on a really good point that just because you think you're tiny enough, you shouldn't necessarily think that you're…not necessarily not safe, but considering compliance seriously is probably a best practice.

Larry: And it's data breaches that seem to get the most publicity and as they should. But, but what, what the publicity over data breaches just sort of filters into the whole digital space and causes people to start thinking about privacy and- It was a story the other day about two dating apps that apparently had been hacked and a lot of bl-, a lot of personal information- [light laughter] Yeah, yeah it’s terrible. [laughter] All those embarrassing things you say?

Grace: Oh, no!

Larry: But you know, so it's, and those things get people thinking about it. And so, that, that's going to be telling moving forward.

Alyssa: Yeah, I imagine that for a lot of our arts managers that are listening, they have a lot of questions on what these new regulations could possibly mean for them. I was wondering, what can arts managers do to protect their organizations from violating any of these privacy regulations?

Larry: Well, I think that their starting point is to post a privacy policy. And to-, in order to do that, you really almost need to do an internal audit, is the term I use, where you say, “Okay, what personal information do we collect? Okay, how do we use it? Why do we collect it? And do we share it with third parties?” If you ask yourself and understand all those questions, then you can write a privacy policy that tells the user, okay, this is what we're going to do. And most, some nonprofits, I'm learning myself as I am in this space, will, they share with other nonprofits, they, they share mailing lists, donor lists and the like, especially if, you know, they're not technically in competition with them, which everybody, to some degree is. And, and again, there's nothing wrong with that as long as you tell people. It's all about disclosure. So, I think if, if arts managers think about it that way, understand what they're doing, what their needs are, you know, what they're doing on their own websites and apps, whatever they have, and understand whether they need those things or not, and what they're doing with the information and make sure they have a privacy policy posted – has to be a link on every single page, as I tell my clients, you can't just bury it – then I think that's the that's the best they can do.

But I also tell them don't collect information you don't need. If you, if, if you don't really need – I mean, obviously, if somebody's buying tickets online, you need that information, destroy it afterward. Now, a lot of people obviously like to create a database because they want those customers to return. Okay, that's a reason for keeping it. Tell people that's why you're keeping it. Unless you really need to share it with third parties, don't, because that seems to be the one-. I think people expect that when they provide information through the contact page, or whatever it is, or when they purchase something through a site they understand they're giving some personal information to that website operator, but I don't necessarily think they expect that it's going to be shared with others and particularly don't expect that it will be sold to others. So, unless you really need to do that, there's a business need to do that, then don't. If there is a business need, a legitimate business need, then disclose it. That's that's the key. Disclosure is really the key thing.

Alyssa: Absolutely.

Grace: So, going off of that, let's say my arts organization does use this data, specifically for marketing or development, and my data is with at least one person who's in the EU, or within those metrics that we were speaking of earlier with California’s law of, I think it was up to 50,000 people or more than 50,000 people or more. How will the methods that I might use to collect this data and also use this data be affected either via the EU’s GDPR or California’s CCPR? Or CCPA, excuse me.

Larry: Well, first of all that, that, you know, it, if, if- For example, let's just say that the arts company is smaller, doesn't have gross revenues of-, annual gross revenues of $25 million, but again, because- and even if there were 501(c) and not all or its companies are, some are for-profit, but either way they, if they're concerned and they believe they have you users, the first thing to do, is to on your privacy policy, tell EU users. Specifically address a paragraph to EU users telling them what their rights are and then you have to then, you know, you're not going to have to have a data compliance officer because you don't have enough people and etc. So, but you do have to give people the right to opt out, you have to let them know that if you don't want us to keep your data, you know, write us at the following address, make it very clear, don't make it difficult. And you know, give people that choice.

We haven't even talked about the rules dealing with minors, which are even more complex you have, you know, the, if they're 13 and under, you have to have opt-in consent. You can't collect personal information at children under 13 unless you have verifiable parental consent where they actually opt-in. So, you can't just have an unsubscribe button, that won't work. The Ca-, the California law breaks it down even further, they have 13 to 16, they have one set of rules, and then 16 and above. I don't know- [inaudible] they make it difficult in California.

But again, I think that, that, that the key is understanding. And obviously, if you're not sure, and there are a lot of resources out there that people can go online and get, but if you're not sure, ask a lawyer, you know. Writing a privacy policy is, while it, it is, it needs to be tailored, as I always say to my clients, to with whoever the client is, and whatever they do, and you need to understand as lawyer how they collect data, what they do with the data, etc., 80% of its what we lawyers call “boilerplate”. It's just a lot of language that's required, that needs to be put in there so that if a lawyer has written policies for other-, especially in the arts community before, they can do it for you relatively inexpensively. Yeah, having that peace of mind, I think, is worthwhile but as a lawyer, you would expect me to say that the best advice I can give is to give up is to get a lawyer. [light laughter] But I do think it is the, the wisest course. Don't overpay though! Don't overpay.

Alyssa: Alright, before we end this episode, do you have any final words of advice?

Larry: No. You know, I think that the…the only real final words are probably things that to some degree I've said before. I think is, like any business, whether you're in the arts – nonprofit sector, for-profit sector – understanding your own business, understanding, in this case, what you do with data and why you collect it is key. You know, using that as the starting point, you can then figure out okay, because I do this, because I'm a certain size, because I'm a for profit or not a for profit, what laws do I need to comply with? And once you know that, it's all about disclosure. If you just keep that in mind that It is not illegal in any- anywhere I know of to collect personal information – sometimes there's specific laws dealing with medical information, which we’ll put aside – but other than that it's not illegal. But it's when you don't tell people how you're going to use it. If you think about what you do with it, and the best way to disclose it, you know, and then, of course, have security systems in place, which we have not talked about very much, but you know, encryption and the like, to protect data using whatever standards are out there – if you do that you should be in good shape.

Alyssa: Alright, sounds good.

Grace: Well, thank you once again, Larry, for joining us here today.

Just once again, for our listening audience, if you have concerns regarding your organization, it would be wise to talk to a tech consultant or with a lawyer, as Larry said, to take a look at your organization's privacy policy and figure out if it needs updating.

Alyssa: Coming up on the AMT Lab website: First, we'll have Part One and Part Two of a Master of Entertainment Industry Management Capstone paper on the future of the unscripted television content audience. The paper will feature demographics and psychographics of audiences who watch unscripted television, plus interviews with industry professionals, a survey analysis of the unscripted audience and more. Next, we'll have a review by contributor Helen Boo regarding the 2018 Global NGO Technology Report. The review will go over how NGOs, or non-governmental organizations, are using technology, such as online fundraising, social media, mobile technology, data management, and security. And finally, we'll have a joint article from AMT Lab’s Technology and Innovative Content Manager, Grace Puckett, in collaboration with AMT Lab’s Social Media and Marketing Manager, Mikayla Dimick. The article will discuss digital mapping and fandom, with insider topics on tools to map fandom communities, such as web scraping and network mapping.

--------------

Thanks for listening to the Arts and Management and Technology Lab Podcast Series. You can read more on the intersection between the arts and technology at www.amt-lab.org. Or, you can listen to more interviews and discussions in our Podcast Series on iTunes, Spotify, Google Play or Stitcher. Thank you for joining us.

[Musical Outro]

Audio transcription for AMT Lab’s Podcast Series is supported by Otter.ai.