The impact of Europe and California’s new data protection laws on northern Michigan

In the course of business, no matter the size or type, companies acquire and store personal customer data. Recently enacted laws in the U.S. and the European Union will have an impact on the storage and use of these data. These new laws have a global reach and the penalties for violations are designed to be severe.
Last March, the European Union enacted the General Data Protection Regulation (GDPR). California recently followed suit with the California Consumer Privacy Act (CCPR), which goes into effect in 2020. Both laws impose penalties on businesses for failure to protect the privacy of personal data provided to businesses by individuals.

For the EU, Individual Consent is Key
The European Union is an economic behemoth, boasting the second largest economy in the world with a population of roughly 500 million people. In an attempt to protect EU citizens’ personal data from privacy and data breaches, the EU enacted the GDPR, which imposes a wide-ranging definition of personal data, including basic identifying information including name, address, web data, like location, IP address, stored cookies and RFID tags, health and genetic data, biometric data, ethnicity, political opinions and sexual orientation.

The GDPR mandates that businesses receive customer consent prior to processing or storing customer data. The request for consent must explain the purposes and basis for processing personal information, identify who receives personal data, state how long personal data will be stored, explain the right to access, rectify or erase personal information as well as the right to object to data processing. EU consumers have the right to withdraw consent, which requires a business to respond and act upon the request in a reasonable time frame.

The GDPR requires companies to notify a customer or client of a breach within 72 hours of discovery. Data breaches are an increasingly common occurrence; the GDPR requires companies to not only take steps to protect the personal data being stored but to sound the alarm in the event of a data breach.
Additionally, the GDPR gives consumers the right to request their data to be deleted. When that occurs, companies must remove all traces of the consumer’s data from its systems as well as other third party repositories where the data may have been shared or stored.

New California Law Embraces Data Protection
California enacted a law that bears a striking resemblance to the GDPR. The California Consumer Privacy Act (CCPA) was quickly introduced into the California legislature this past June and was signed by Gov. Jerry Brown that same month. California’s economy is large – estimated to be the fifth largest in the world. With 40 million people, it is likely that local businesses are coming into contact with consumers in California.

The CCPA provides California consumers four basic rights relating to their personal information:

1. A resident in California has the right to know what personal information a business has collected about them, where it was sourced from, what the data is being used for and whether it is being disclosed or sold to third parties.

2. California residents have the right to opt out of permitting a business to sell their personal information to third parties. Additionally, consumers under the age of 16 have the right to have their personal information not be sold without their, or their parent’s, opt-in.

3. There is the right to have a business delete personal information. Under this provision, a consumer may request a business remove personal information from its storage.

4. A California resident has the right to receive equal service and pricing from a business, even if that resident exercised their privacy rights under the CCPA. In effect, this protects California residents from discrimination.

Less is More With Personal Data
Both laws mandate the importance of taking steps to protect data collected from consumers. As a starting point for compliance, businesses should review what personal data is collected from individuals. In this review, make sure data is processed for authorized purposes; do not collect personal data just for the sake of having it or because it could be useful in the future.

Next, businesses should create a privacy policy that outlines disclosures on how data is used. The privacy policy should detail all types of data collected, how the data is being used, how a user can delete the data and objections a consumer may make on the use of their data. The privacy policy should be reviewed and updated every 12 months to ensure the policy is up to date.

A best practice is to adopt a policy of data minimalization, storing personal data required for a specified time for a stated purpose. The data should be destroyed if it is no longer needed for the intended purpose or is outside the expressed duration. Holding on to personal data without an intended purpose may create liabilities for businesses and, in the event of a breach, erode the confidence of consumers whose data was accessed.

Personal data carry new risks for northern Michigan companies. As businesses from our community continue to expand to the global market, proactive steps to protect personal data will help comply with the changing landscape of the law. Most importantly, steps taken now to transparently collect and store personal data will help companies earn the trust of consumers across the world.

Michael Naughton is an attorney and partner at North Coast Legal, PLC. Michael is currently the president of the GTLA Bar Association and serves as the treasurer of the Grand Traverse County Economic Development Corp.; is on the board of the 20 Fathoms incubator; and is an officer of