Remote Working in the Coronavirus Economy Reveals Potential GDPR and CCPA Compliance Issues

Remote Operations/Work from Home

One of the most familiar aspects of how Coronavirus (COVID-19) has changed the economy is the widespread application of work-from-home protocols (WFH). WFH has allowed businesses to maintain operations by enabling employees to perform their duties remotely. Remote operations often involve employers providing a virtual private network (VPN) that allows employees to connect to their employers’ internal networks from home devices.

When navigating to websites through VPN, site visitors will generally appear to be working from the location of the VPN servers. This can cause compliance issues when the individuals utilizing a VPN are residents of California, the European Union, or other jurisdictions with laws governing the protection or use of their citizens’ personal information.

CCPA and GDPR

In the past several years, many jurisdictions have enacted detailed regulatory schemes intended to protect the personal information of its citizens. Most prominently among these are the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in the State of California. Among other obligations, these laws require that companies which collect and use individuals’ personal information comply with detailed safeguards to protect such information, disclose the types and uses of information collected (including any sale of personal information), and provide certain opt-out rights to individuals whose information is being collected and processed.

In order to comply with privacy regulations such as GDPR and CCPA, many website operators display different information or URLS to visitors depending on the location of the visitors. Website operators direct visitors to the appropriate information by determining the geolocation of each visitor through the IP address of the device the individual is using to access the internet. However, when using VPN, the visitor will appear to be accessing the site from the location of the VPN servers. This means that an employee located in California may appear to be accessing a website or application from another geographic location. (This is why employees located, for example, in Los Angeles may see the weather for New York when they log into their computer and visit a website that reports the “local” weather.) Accordingly, the California resident may not (i) be shown the version of the website displaying the privacy information mandated by CCPA, and (ii) have their personal information sorted into the website operator’s silo of user information processed and retained under the requirements of CCPA. Note that this concern is applicable in a WFH setting, as well as in a multi-office environment where a wide area network (WAN) may cause the IP addresses of devices in the firm’s satellite offices to appear as though they are located in the same city as the primary office or central servers.

Consequences of Non-Compliance

The penalties for noncompliance with CCPA and GDPR can be severe. Both regimes impose significant statutory fines, even for unintentional violations, as well as private rights of action for affected individuals. Under GDPR, member states of the European Union are also allowed to add criminal penalties for violations. More information on the requirements and penalties under CCPA and GDPR can be found here.

What Can You Do?

Remote work environments create substantial risks for entities covered by CCPA and GDPR. If you think your company may be impacted by the foregoing considerations, the following activities may be useful for assessing and mitigating risk that can arise from incorrect processing of personal information relating to individuals protected by CCPA, GDPR and similar privacy regulations.

Conduct a CCPA/GDPR Assessment. Not all companies are covered by CCPA. Generally, CCPA covers for-profit entities (i) with gross annual revenues in excess of $25,000,000; (ii) which possess the personal information of 50,000 or more consumers, households, or devices; or (iii) which earn more than half of their annual revenue from selling consumers’ personal information. GDPR has broader coverage, but may not be a concern for companies that do not target European residents with products and services. We can assist you in determining whether CCPA and GDPR are concerns for your business.
Confirm Treatment of Personal Information. If your business processes the personal information of customers and website visitors from California and Europe differently than other individuals, it may be wise to add some of the protections reserved for such individuals to your general information processing practices. For example, ensuring that similar security measures are applied across all personal information processed by your business, or allowing any individual to access or request the deletion of their information, will minimize certain risks arising under both CCPA and GDPR. If your business displays different privacy policies to residents of California, Europe, or elsewhere, consider consolidating them into a single document that covers the necessary considerations for different jurisdictions. We have a great deal of experience and can assist you with the process.
Review Your Website’s Cookie/Pixel/Analytics Agreements and Settings. CCPA contains additional requirements to which companies must adhere when selling the personal information of covered individuals. A “sale” under CCPA is a broad concept that even includes the disclosure of information for non-financial consideration. For example, even the use of third party tracking and analytics tools may constitute a sale under CCPA. It is possible to avoid this determination if certain contractual conditions are met – several vendors have begun to provide product settings that minimize data processing in an effort to avoid the “sale” designation under CCPA. If your business is impacted by the considerations described in this article, you may want to review your agreements with third parties who receive and process personal information of your website visitors.

In summary, it is important for businesses who may be subject to CCPA and GDPR to take additional steps now in order to mitigate their risk of suffering negative impacts from the coronavirus and from the ongoing risks associated with the use of VPN for remote work. For more information about recommended steps, please contact your Foley relationship partner.

Companies in all sectors of the economy continue to be impacted by COVID-19. Foley is here to help our clients effectively address the short- and long-term impacts on their business interests, operations, and objectives. Foley provides insights and strategies across multiple industries and disciplines to deliver timely perspectives on the wide range of legal and business challenges that companies face conducting business while dealing with the impact of the coronavirus. Click here to stay up to date and ahead of the curve with our key publications addressing today’s challenges and tomorrow’s opportunities. To receive this content directly in your inbox, click here and submit the form.

Disclaimer

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.