Andrew Leahey

Posts in Privacy
GDPR Special Category Data

If you’d like to discuss the GDPR and how it impacts your business, get in contact.

The General Data Protection Regulation (GDPR) of the European Union (EU) has been shaking up the web in terms of privacy policies and procedures for some time now — I have written at some length on the general best practices for a GDPR compliant privacy policy and the potential “loophole” of the legitimate interests exception.

The GDPR requires a heightened level of protection for certain sensitive data categories. The categories are:

  • Health Data (including genetic data);

  • Biometric data;

  • Trade union memberships;

  • Political opinions;

  • Religious or philosophical beliefs;

  • Race and ethnicity; and

  • Data related to sexual preference or orientation.

The regulation takes a policy position that these particular data are of a uniquely sensitive nature and, thus, a business must have a specific, legitimate reason for collecting the individual data type.

The GDPR restricts the collection and processing of the data unless one of the following circumstances is met:

  • The data subject has given explicit consent for the collection or processing of that particular data AND the EU or the Member State of the data subject has not explicitly prohibited the collection or processing of that data type;

  • Processing is necessary for carrying out the obligations and exercising specific rights of the controller or the data subject in the field of employment, social security, and social protection law;

  • Processing is necessary to protect the vital interests of the data subject or another natural person;

  • Processing is carried out in the course of the legitimate activities of a foundation, association, or other not-for-profit body with a political, philosophical, religious or trade union aim;

  • Processing relates to personal data which is made public by the data subject — i.e. a published materials exception;

  • Processing is necessary for the exercise or defense of legal claims;

  • There is a substantial public interest in the data;

  • Processing is necessary for public health; or

  • Processing is necessary for archiving purposes as it relates to subjects with a substantial public interest — i.e. an historical record exception.

Importantly, these special categories are not exhaustive, and act more as a floor than a ceiling — individual member states can define other categories of data as being “special categories” for purposes of data collection and processing. When your business entails handling especially sensitive data, take care to comply not only with the GDPR at the EU level but also with the laws of any individual member state.

Please get in touch if you want to discuss any of the ramifications for your business.

GDPR Compliant Privacy Policy Template

The GDPR is complex and can have serious ramifications for your business. If you’d like to discuss the GDPR and how it impacts your business, get in contact.

I have written on privacy policies a bit before and covered in some detail the rise of the General Data Protection Regulation (GDPR) in the European Union (EU) and the various GDPR “loopholes.” It is real, it is here, and any business that may be doing business with a person or entity in the EU needs to comply.

To catch you up, the GDPR is a privacy regulation from the EU that took effect in 2018. It aimed to create a unified data privacy legal framework in the EU and to codify EU residents’ rights to data protection. It broadly applies to people and businesses that interface with EU residents — that is to say, you need not have an office in the EU for the GDPR to apply to you.

What does the GDPR require?

In short, it requires that you have a privacy policy and you abide by that policy. You need to lay out your policy in plain language and make it readily available to anyone you could plausibly collect information from — i.e. visitors to your site, customers on your online store, etc. Your policy should lay out at least the following points:

  • the identity of the data controller and data processor;

  • if you have a data protection officer, the contact information for that officer;

  • for what purpose you are utilizing collected data — legitimate interest;

  • how data is being processed;

  • where consent is required and how it is obtained;

  • data subject rights;

  • any vendors or subsidiaries you share data with and assurances they will comply with the GDPR;

  • whether and where you will transfer data across jurisdictions — especially out of the EU;

  • your data retention policies; and

  • how an individual can request their data be removed.

Generally speaking, your GDPR privacy policy will be placed prominently on your website. Best practice now is to ask users to read and agree to it using an overlay when they first visit the site. You should also refer users to it any time they are providing you with new information — e.g. submitting a form, signing up for a mailing list, etc.

Please note, this list is not exhaustive. The GDPR applies in different ways and to different degrees depending on the kind of data collecting and processing you are doing, where you are doing it, and why you are doing it. Simply reading off the above list (or any broad list you find on the internet) and comparing it against your privacy policy is almost certainly not enough.

GDPR Compliant Privacy Policy Template

Download my boilerplate GDPR Compliant Privacy Policy Template (PDF)

Please note, this is a boilerplate — that means it is not tailored at all to your specific needs. It should not be taken and used without thought, nor should sections be lifted from it and used unless you know their meaning and utility. Please get in touch if you want to discuss any of the ramifications for your business.

TCPA Compliance Guide

This is for informational purposes only. If you want to discuss your specific situation, get tailored guidance, or if you have any questions about the TCPA or its effect on your practices, please get in touch.

The Telephone Consumer Protection Act (TCPA) was originally enacted by Congress in 1991. Since its inception the TCPA has authorized the Federal Communications Commission (FCC) to enact and enforce regulations that curtail how telemarketers can make calls to consumers and, later, the type of telephones that can be contacted.

The TCPA was enacted chiefly to restrict the rising use of automatic telephone dialing systems (ATDS) which were capable of calling phone numbers sequentially in perpetuity and around the clock, playing prerecorded messages to consumers or connecting them to live representatives when the receiver was picked up. Similarly, Congress sought to restrict expensive fax machine spamming, which was on the rise.

What does the TCPA cover?

The TCPA regulates the use of ATDS, the playback of recorded messages to consumers, and the contacting of landline, wireless or cellular, and fax lines.

How to Comply with the TCPA

First, and foremost, businesses can create a formal, written, and abided-by compliance policy. The policy should lay out, in detail, the procedures that employees, independent contractors acting on behalf of the business, and vendors and contractors, will adhere to when using the telephone system to market to consumers. Here is an example of a very broad, very basic TCPA compliance policy template that can give you an idea of starting points.

To be sure, the TCPA compliance policy must be drafted with care, but equally important is adherence. The business should train employees where possible, disseminate the policy to independent contractors and vendors, and keep the policy updated as the law changes. Most of the movement in TCPA compliance comes from the circuit courts and FCC guidance materials. Staying on top of these changes is vital to avoiding liability.

Second, a business needs to create a distinct and separate database of consumers based on the type of telephone line they have contact information for — in short, make a separate list for all the wireless phone numbers, or numbers you suspect might be tied to wireless phones. The restrictions on contacting wireless consumers are significantly stricter than those for landline telephones. Most importantly, you need to receive “prior express consent” before you can call a wireless number using an ATDS or use a pre-recorded voice.

This is good practice in general — express written or verbal consent following a “clear and conspicuous disclosure” should be obtained wherever possible. The consent may be provided electronically in compliance with the E-SIGN Act, but it must be obtained following a clear statement to the consumer that they will be authorizing the business to contact them in the future. With number portability and the decline of the landline telephone, many consumers will port their landline number to a wireless account. They may have provided you with their number presenting it as a landline number, and it may have been one when they did, but this will be no bar to your liability — and fines are steep.

Third, a business needs to strictly adhere to the National Do Not Call Registry (DNC) and maintain its own do not call list. A business is said to have notice of a number being added to the DNC after it has been listed for thirty-one (31) days. Additionally, a business should maintain its own list of consumers that have requested to be placed on the business’ do not call list, as those consumers may not be on the DNC.

Other Materials

See also, the manual put out by the FCC for TCPA compliance.

My TCPA compliance policy template (PDF).

GDPR and the "Legitimate Interests" Loophole

The General Data Protection Regulation (GDPR) is a European Union (EU) regulation outlining new policies for data privacy and protection for individuals within the EU. The regulation's stated aim is to protect a natural person's "fundamental right" of protection in relation to processing of personal data. In sum, the GDPR applies broadly to any entity controlling, collecting or processing data containing personal information regarding a person in the EU -- they need not be a resident of the EU or any member country. "Personal information" is defined broadly as well and includes names, photographs, addresses, email addresses, social media handles and posts and even an IP address. In essence, if you have a web presence or in any way process any data and you aren't explicitly excluding the EU from it, the GDPR applies to you.

However, as broad as the GDPR is, it contains a potential rule-swallowing exception:

The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. ... The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

Regulation (EU) 2016/679 (47)

In essence, processing of personal information for a "legitimate interest," as long as it does not explicitly contravene the interests or expectations of the owner of the personal information, is permissible. The regulation explicitly calls out direct marketing as a potential legitimate interest of the data processor (note the "may be regarded" language). 

In addition to direct marketing, the GDPR outlines several more "legitimate interests" for processing, including: processing and transmitting data between affiliated data controllers for internal administrative purposes; processing data to the extent strictly necessary for the purposes of ensuring network and information security; and processing personal data for purposes compatible with those purposes for which the personal data were initially collected. Compatible purposes include archiving, processing for purposes in the public interest, and scientific, historic or statistical research. Additional potential compatible purposes should be evaluated by the data controller by balancing "any link between those purposes and the purposes of the intended further processing; the context in which the personal data have been collected, in particular the reasonable expectations of data subjects based on their relationship with the controller as to their further use; the nature of the personal data; the consequences of the intended further processing for data subjects; and the existence of appropriate safeguards in both the original and intended further processing operations."

In sum, the GDPR is almost certain to upend the balance of power between consumers and corporations the world over. While the GDPR largely does away with the "disclaim game" in privacy policies, its scope is undercut by its exceptions. As businesses scramble to comply by the May 25, 2018 enforceability deadline, time will tell how much of a game changer this latest move by the EU will be. 

Telephone Consumer Protection Act (TCPA) -- New Decisions, Changes on the Horizon

The Telephone Consumer Protection Act, 47 U.S.C. 227 (TCPA), has, for some time, been steadily increasing in inscrutability. In 2017 it appears set to continue this trend with new case law, even as FCC chairman and expansive-TCPA-interpreter Tom Wheeler cedes the agency's reins on January 20th, leaving the future of the act in new hands.

On the case law front, wasting no time in the new year, the Northern District of Ohio rendered a decision on January 3rd that, in effect, ensures manufacturers of products are not held liable for unsolicited advertisements (in this case, faxes) sent by third-party entities merely because the advertisement, if heeded by a consumer, would benefit the manufacturer's bottom line. To hold otherwise, the court was concerned, would give rise to "sabotage liability."

"By way of illustration, it would allow a rabid Tampa Bay Buccaneers fan – with a rhino helmet, red face paint, and an undying devotion to the organization – to trigger per se liability for the organization under the TCPA by gratuitously, and without directive from or notice to the organization, promoting season ticket sales via fax.  The same could be true of a random individual in Boston, mind brewing with scienter, who works to implicate the New York Yankees by advertising their season tickets.  Universal liability for complete inaction was not contemplated by Congress in passing the TCPA and does not appear to have been contemplated by the FCC in crafting and interpreting its regulations."

Thus, the pendulum that is the TCPA swings back, the definition of "sender" contracts -- if only in Ohio, if only for now. 
