CCPA: Worst-Case Scenarios

https://www.flickr.com/photos/oatsy40/34767677374/
“Danger” by oatsy40 from Flickr (Creative Commons License)

The new California Consumer Privacy Act went into effect on January 1, 2020. I’ve received a handful of emails and seen some updates from businesses informing me that their privacy policies have changed, but not as many as I expected. I hope the businesses who are required to comply with this law know the risk they take if they opt not to comply with this new privacy law.

What if There’s a Data Breach

Like the General Data Protection Regulation in the European Union (GDPR), you have to notify the impacted people if you have a data breach. If you have a data breach impacting personal information, you must notify the individuals “in the most expedient time possible and without unreasonable delay.” In either case, if the breach causes you to notify at least 500 California residents, you must also notify the California Attorney General’s Office.

If you are in a position where you are entrusted with data that you do not own or license, such as if you are a data storage business, and you have a breach, you must notify the business or person that hired you about the breach.

CCPA Penalties

The CCPA is unique in that it is the first privacy law to allow a private right of action. An individual is allowed to sue a company for failing to comply with the CCPA, for $100-$750 per violation or their actual damages, whichever is more. This right is limited, however, to situations where there’s unauthorized access, theft, or disclosure of non-encrypted or non-redacted personal information because the business failed to use reasonable security measures. That means if the business did everything right and there was still a data breach, an impacted person can’t sue for their damages.

In addition to individuals suing for damages under the CCPA, the California Attorney General may fine a business for failing to comply with this law, up to $7,500 per violation.

My CCPA Cheat Sheet

Complying with CCPA is no easy task, especially if your business must comply with CCPA and GDPR. I created a CCPA Cheat Sheet that I use with my clients and update it as more information and guidelines are provided about this new law. I give my cheat sheet out for free to anyone who asks. I will not add you to my email list. (I will invite you to add yourself, but it’s completely voluntary.) If you want a copy, please send me an email.

Do You Have to Comply with CCPA?

“Please!” by Josh Hallett from Flickr (Creative Commons License)

The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020. This will have a substantial impact on companies that collect and use consumers’ personal information.

I would not be surprised if the CCPA was a direct response to the Facebook-Cambridge Analytica fiasco. Every time I read a provision of CCPA that seems strange, I consider how the law will impact companies like Facebook, Google, and Amazon, and then the provision makes sense.

Who Must Comply with CCPA

Businesses must comply with the CCPA. According to this law, a business is

  • A for-profit business,
  • That sells goods or services to California (CA) residents or people domiciled in CA (even if the business is not physically in CA), and
  • Fits at least one of the following three criteria:
      1. Gets half its annual revenue from selling consumers’ personal information;
      2. Possesses the personal information of more than 50,000 California consumers, households, or devices; or
      3. Has $25,000,000 or more in annual revenue.

This may help you determine if you have to comply with this law.

Non-profit businesses are exempt from CCPA, as are businesses in industries where consumer privacy is regulated by the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, FERPA, and/or HIPAA.

“Consumer”

Under this law, a consumer is a natural person, aka a human, that lives or resides in California.

“Personal Information”

This law has an expansive definition of personal information that “identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular CA resident or household.” This includes a consumer’s real name; alias; address; unique personal identifier; IP address; and email address. It also extends to other identifiers, including account names; social security and/or tax identification number; driver’s license number; passport number; military identification number; unique biometric data; and any unique identification number issued on a government document.

Beyond these, it also includes records of personal property or services a person has purchased or considered; purchasing histories or tendencies; browsing history; geolocation data; professional or employment information; and/or education information.

This list is massive. Basically, it’s any information that identifies or could identify a natural person.

There are a few exceptions to this definition: aggregate data, deidentified data, and information that is lawfully made available in federal, state, or local government records are not personal information. Neither is personal information obtained from employees, contractors, and job applicants.

“Sale of Personal Information”

The definition for the sale of personal information includes “selling, renting, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means.” Essentially, it includes any way a company might share a consumer’s personal information, even if you don’t make money from it.

Data Broker Registration

The CCPA requires any business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship to register as a data broker with the CA Attorney General’s (“AG’s”) Office by January 31, 2020 and pay a registration fee. If you don’t register, the penalty could be up to $100/day plus any costs in the action against you brought by the AG’s Office.


I Can’t Pre-Guarantee Your Case

https://www.flickr.com/photos/157270154@N05/38470202756/
Photo by CreditDebitPro

I regularly receive emails from prospective clients who explain the gist of the situation they’re in followed by, “Do I have a case?” A variation of this email is the prospective client who sends me a small section of a contract they signed and a short summary of the situation they’re in and then they ask if I can help them obtain a specific outcome. Some prospects specifically say that they don’t want to hire me, not even for a consult, unless I say they have a case.

Here’s the Deal

I can’t give anyone a guarantee about the outcome of a legal matter based on an email. If the law were that easy, we wouldn’t need lawyers.

In any situation, I have to examine:

  • The parties involved,
  • Which law applies – statutes and case law, and
  • What actually happened

before I can say whether you have a case.

I can’t give effective legal advice without all the pertinent information. I can’t evaluate a contract based on a single provision. I have to read the whole thing. To not do so would likely be unethical and potentially worthless to you.   

There is one caveat to this. If I’m talking with a person who wants my help, but it sounds like they need someone other than a lawyer, I’ll tell them that. Whenever I deal with someone who’s experiencing online harassment, I tell them that they may have a situation that should be handled by law enforcement. If they still want to meet with me, I warn them that this may still be my recommendation at the end of the hour.

I Don’t Want to Pay to be Told I Don’t Have a Case

I get that people don’t want to take the time or spend the money to meet with a lawyer to be told they don’t have a case. But if you want a lawyer to analyze your situation, part of what we do for a living is that analysis.

Maybe it would make sense to look at this situation using a medical doctor instead of a lawyer. I’ve never heard of anyone going to the doctor with the sniffles and saying they didn’t want an appointment unless the doctor said they could make the person better. That’s ridiculous.  Some illnesses don’t get better, and some are things like the cold virus that just has to run its course.

I don’t like telling my clients that they don’t have a case any more than they want to hear it, but sometimes that’s the case. The fact that you’re upset does not mean that you have been legally harmed. Until I actually look into the person’s matter, there’s nothing I can tell a prospective client except “Would you like to schedule a consultation?” or something to that effect.

Yes, I Charge People to Talk to Me

If you’ve ever called my office phone, you know my outgoing message says don’t leave me a voicemail, send me an email. I do this for a few reasons:

  1. Unless it’s an expected call, I rarely answer my phone. When I’m working on a client’s matter, I don’t want to be distracted or interrupted. I’ve also turned off the ringer on my office phone. I won’t notice the call coming in unless I happen to be looking at the screen and see it change to the incoming caller’s number.
  2. When you leave a voicemail on my phone, a little red flashy-flashy light goes off until I deal with the message. It annoys the crap out of me. (Pro tip: Don’t annoy your lawyer.) It forces me to divert my attention away from focusing on my client, deal with the message, and then take extra time to pick up where I left off on my client’s matter.
  3. If the call is from a prospective client, they usually want to tell me their whole story before asking for help. This is what the consultation is for, and no, I don’t do free consults.

Sometimes all a person needs is a consultation. I’m happy to tell people how they can help themselves in a situation, and I have no problem providing recommendations that are mindful of the person’s budget.

A few years ago, someone called me and they were incredulous when I said that they had to pay to talk to me. Listening to, analyzing, and providing information and advice on a legal situation is what I went to law school to do. This is my profession. If you want to hear my perspective on your legal situation, you have to pay for that privilege. (There are lawyers who do give free consults. I am not one of them.)

 I wish there were more guarantees in the legal profession. Just this week, I reminded a colleague that our job is to present the best case for our client and advocate on their behalf, but the ultimate decision in the matter is left to another authority.

Thanks for reading this post. If you liked this post and want to know more about my work, please subscribe to the Carter Law Firm newsletter where I share behind-the-scenes information and readers get exclusive access to me.

Keep Your Clothes On, Kids!

https://www.flickr.com/photos/120920526@N08/16053219327/
Dark Selfie by www.sebastian.rieger.photos from Flickr (Creative Commons License)

I regularly get messages from teens or their parents that say the kid was chatting online with someone they don’t know in real life. The person convinces the child to show their genitals or masturbate for them using their web cam. The person then says that they captured the video and threaten to post it online or send it to the kid’s friends, family, and/or school. Sometimes the person demands money in exchange for not sharing the video with others.

The variation of this situation I regularly hear about is from teens who send nudes or partial nudes to someone online, and then the person threatens to post them online. In one email, the teen said the person threatened to post the images if the teen refused to continue sending nude images of herself.

Ugh!! What is wrong with these people who are preying on kids like this? Don’t coerce children into creating and sending child porn.

These situations usually involve 14, 15, and 16 year-old kids – of all genders. When they reach out to me, they are petrified. They’re afraid they’re going to be humiliated. They’re afraid they can’t ask for help from an adult in their life. They’re afraid of what their parents are going to say if they find out. They’re afraid they’re going to get into trouble.

I wanted to share a few thoughts so hopefully other teens don’t have to go through this situation.

You’re Not a Bad Person, Kid.

If you’re a kid in this situation, you’re not a bad person. You made a mistake, hopefully one you won’t have to repeat again.

Whenever you send a nude image of yourself, regardless of whether you’re sending it to a stranger on the internet or texting your romantic partner, there’s always a risk that the images could fall into the wrong hands. For the rest of your life, whenever you choose to send nude images of yourself, assume they’re going to be seen by your family and friends and/or end up online.

Ask for Help

No one should have to deal with this type of situation by themselves, especially a kid. Reach out to a trusted adult in your life – a parent, a friend’s parent, a teacher, a coach, even the police. You can always call the non-emergency number for your local police department to discuss your options, or ask a friend to do it for you.

It may be hard to know what the right thing to do is in your situation. You always have the option to wait and see if the person follows through on any threats they’ve made. If you tell them to leave you alone and they comply, that might be the end of it (though they now have nude images and/or video of you).

You also have the right to report the incident to law enforcement, request a restraining order from the court, or file a civil lawsuit depending on your circumstances.

Legal Implications – For Both Sides

Given that these are situations that may involve the creation and sending of child pornography, there are many potential legal implications, including some for you.

Depending on the rules of your state, by taking nude pictures of yourself or performing live on camera, you may have participated in the creation of child porn. The same law would apply to someone who voluntarily sends a nude image of themselves to their significant other. Some states have lower crimes for dealing with the situation where the person in the photo is also the creator.

The perpetrator, the bad actor, could be facing many legal accusations:

  • Requesting nude images or performance by video: Solicitation
  • If two or more people are in cahoots to get nude images from kids: Conspiracy
  • Creating screenshots or captures from your performance: Creation of Child Pornography
  • Keeping the photos and video you provided: Possession of Child Pornography
  • Threatening to share the images with others: Revenge Porn
  • Demanding money to keep the person from sharing the images with others: Blackmail/Extortion
  • Sending the photos and video to others or posting them online: Distribution of Child Pornography

There could be other legal implications in addition to these. As always, check your local laws for information pertinent to your specific situation.

Perpetrators Deserve to be Punished

People who prey on children like this deserve to face the consequences of their actions. If the person is outside the U.S. or if they created a fake account, it may be difficult to pursue the person. You always have to contact the police to file a report. Even if they can’t catch the perpetrator based on your case, the person may do it again to someone else, and the information you provide could help.

I regularly talk with kids who say they don’t want to report the situation to the police; they just want the person to stop. One way these perpetrators try to avoid punishment is by relying on the victim to be too afraid or ashamed to report them. Whether you report this person or not is your decision.

I was pleased recently when I saw that YouTuber Austin Jones pleaded guilty to child porn after he allegedly solicited explicit videos from 14 and 15 year-old girls using Facebook Messenger and Apple’s iMessage services. He even allegedly told them to send these videos to prove that they were his fans.

Eww! Eww eww eww! People like this are disgusting!

He’s scheduled to be sentenced this May and could face at least five years in prison.


How to Legally Use User-Generated Content

https://www.flickr.com/photos/zoidberg72/16243539933
Selfie by dr_zoidberg from Flickr (Creative Commons License)

Here’s a question I get from companies and their marketers: What are the legal dos and don’ts for using user-generated content? These are situations where a company wants to use a photo, video, or text created by one of their fans, usually from a site like Instagram, Facebook, or Trip Advisor. Many companies merely want to approach the person through the platform where they found the content they want to use and ask for permission to use it. While this strategy is convenient, it may not be in the company’s best interest.

Using Content Within a Platform

It’s easiest when a company wants to share someone’s post within the social media platform – e.g., sharing someone’s Instagram photo on the company’s Instagram. Many social media sites build this option into the platform where you don’t even have to ask for permission to share someone’s post on another’s account.  

Of course, I’m a risk-averse lawyer so I tell my clients to review the terms of service first to see what happens just in case it turns out the person who created the post you shared didn’t have the right to do so and now you have to deal with the fallout. Depending on the circumstances, I might contact the person to ask the person if they took the photo (which would indicate if they’re likely the copyright holder), try to verify that the original poster is complying with the platform’s rules

Using Content Across Different Platforms

Here’s where it gets a little more complicated. These are the situations where you want to take content from someone’s post on one platform and share it on a different social media site, your website, or another third-party platform. For this situation, I recommend you have a contract drafted by a lawyer. You could have them create a template for you if curating user-generated content is part of your marketing plan.

If I were creating a contract template for obtaining permission to use content created by a user or fan, I’d likely include terms such as:

  • The user owns the IP in the content: either they created it or they have permission to use it
  • The user has authority to grant the company permission to use the content
  • The user grants the company a perpetual, irrevocable, worldwide, sublicensable, paid-in-full, royalty-free license to use the content for any purpose without needing the person’s consent or credit, including the creation of derivative works (or in the alternative, that the user grants the company a copyright assignment)
  • The user will reimburse the company’s legal fees and damages if it is accused of wrongdoing because the company used the user’s content

Such a contract would also include boilerplate verbiage, like a dispute resolution provision that states how the company and user will resolve disputes if one occurs.

Always Apply Reality

In any potential legal situation, be sure to apply reality. If a company wants to use a photo with two people in it, whoever posted the image may not be able to speak on behalf of the other person in the photo, and you may need a release from identifiable people to avoid being accused of violating their right of publicity.

Additionally, it will likely take longer to get permission if you want to use images and other content across platforms. Be sure to build that into your timeline if your marketing plan involves using user-generated content.

There are also those who may question whether it’s worthwhile to have a lawyer create a contract for these circumstances. When there are no issues, a contract may seem superfluous; however, contracts are imperative in situations where there is a dispute and/or the parties forget the terms of their agreement. When you work with your lawyer to create your contract, make sure it has provisions that will apply to situations that are likely to occur as well as the worst-case scenarios.


Side Hustle Contracts

https://www.flickr.com/photos/joybot/6701744493
Do the Hustle! by Joybot from Flickr (Creative Commons License)

Note: The links for Chris Guillebeau’s books are affiliate links.

I admire people like Chris Guillebeau who run with ideas and make stuff happen. He’s written a number of books, including The $100 Startup: Reinvent the Way You Make a Living, Do What You Love, and Create a New Future. The most recent book of his that I read was Side Hustle: From Idea to Income in 27 Days where he walks you through, day-by-day, what you should do to launch a side hustle business. It’s a good book, but Chris and I disagree about how to approach contracts.

Day 14: Contract

Chris calls Day 14 “Set Up a Way to Get Paid.” This chapter covers selecting a payment system, creating invoices, and using simple contracts. For your contract, he says you only need to specify what you’ll do, how much you’ll get paid, when you’ll get paid, and “any protections you require.” Chris also says that you can communicate all of this via email without needing a separate agreement document.

<cringe><shudder>

While Chris is technically right, I would never advise a client to operate their business this way. This is the type of contract that works when nothing goes wrong; however, contracts exist to save you in two situations:

  1. When there’s confusion about the parties’ obligations, and
  2. When there’s a problem or dispute.

Always Have a Separate Written Contract

If there is a situation where lawyers are needed to resolve a dispute, the first thing I ask my client is “Where’s your contract?” If it’s a series of emails, and perhaps some text messages, and phone calls or conversations you claim occurred, the first part of my job will be compiling the terms of the agreement.

When there’s a single agreement, all the terms are in one place. And when the contract requires that all changes must be in writing and signed by both parties, it minimizes the risk of confusion or a he-said-she-said situation.

When you don’t have the terms of the contract in a single document, it opens the door for complications in the future. In many cases, it’s more cost-effective to have a lawyer create a contract template for your side hustle than to have to hire one to piece together the terms from the parties’ communications and actions. 

Minimum Contract Terms

In general, I don’t advise people to write their own contracts (unless they have a law degree or sufficient contract experience), but here are the basic terms I’d expect to find in a side hustle contract:

  • Parties to the contract
  • Purpose of the contract
  • Payment terms, including what happens if the customer doesn’t pay (e.g. entrepreneurs who require ½ the fee up front and ½ upon completion)
  • Intellectual property terms – related to creation, assignment, and/or license
  • Where and how problems will be resolved, including the venue, jurisdiction, and which state law will govern
  • If/how the parties can make changes to the contract
  • “Entire agreement” – all the terms in the contract are in the agreement
  • “Severability” – if the contract has any invalid terms then the parties will throw those out and the rest of the contract will remain
  • A provision that states if a party chooses not to use a right granted by the contract, they don’t waive their right to use it in the future

When I approach a new contract for a client, I try to mentally walk through the customer’s journey and address the problems that the client is trying to avoid and pre-plan how you want to deal with problems when they occur.

Using a Lawyer for your Side Hustle

If you’re going to have a side hustle, I recommend you sit down with a lawyer for an hour. Tell them your goals and your budget. An understanding lawyer will tell you about the legal issues you need to be aware of, can do a quick trademark search to see if the name(s) you want to use are already registered, and they can tell you what you can do yourself and what tasks you should hire a lawyer to do for you.

A Few Final Thoughts

Thinking about what missteps I’ve seen companies inadvertently commit, here are a few extra tidbits of information:

  • The terms of service for a website, online course, or mobile app are contracts. Write them or have them created with care.
  • Please don’t rip off another company’s terms of service and just change out the company and product names. That’s a recipe for trouble. You don’t want to represent that you do things that you don’t. I’ve also seen situations where the company’s terms of service say that it’s governed by New Jersey law and the company has no connection to that state. (The company they stole the terms from was in New Jersey.)


Legal Checklist to Protect Online Entrepreneurs

Labib Ittihadul from Flickr (Public Domain)

I was recently asked to create a list of what legal steps an entrepreneur should take if they operate solely online to protect their business. The person who asked appears to be primarily a YouTuber. Here’s the list I created for him: 

1. Consider having Two LLCs. One is a holding company for the intellectual property and licenses the IP to the other LLC to use it. This way if the holding company is sued for infringement, there are no assets to be collected if the holding company loses the lawsuit. We recommend this tactic for many businesses, not just online entrepreneurs.

2. Create an Operating Agreement if the LLC has more than One Owner.  Yes, this includes if you go into business with relatives, best friend, or romantic partner. This is a master document that lays out how the company will operate, each person’s obligations and responsibilities, and how the owners will address problems when they occur.

3. Move your Website to a Server Outside the U.S. The reason for doing so is that if there is ever a court order against the website, it will be more difficult to enforce if the website is housed by a company outside the U.S. and not bound by U.S. law.

4. Register your Trademarks with the USPTO. So many legal issues could be minimized or avoided if every company properly registered their trademarks. This could include company names, product names, event names, logos, and slogans. When you have a registered trademark, you can stop a competitor from entering the marketplace while using a trademark that is confusingly similar to yours. If you have a strong international presence, it may be wise to register your trademarks in multiple countries.

5. Create a Copyright Strategy. Many professional content creators do guest posts for and collaborations with others and allow guest posts on their sites. It’s best to have contract templates for these situations that include clarification about who owns the copyright, what the other person gets, any limitations regarding the content, and an indemnification clause if appropriate.

Additionally, your copyright strategy should address when and how you can use others’ materials. You should have an understanding about fair use and where to look for materials that come with a license to modify the original as well as a license to use it for commercial purposes.

6. Consider Registering your Copyrights. You do not have to register your copyright to get your copyright rights, and you do not have to register everything you create; however, it’s beneficial to have the discussion about what you might want to register. You are required to register your copyright if you want to sue for infringement. Additionally, I frequently recommend registration to people who want to license or sell their copyrights.

7. Create an Action Plan for Addressing Suspected IP Infringement. Decide how you want to respond to suspected infringement before it occurs, so that you or your lawyer can be prepared to respond based on your desired outcome when it happens. Depending on how you want to respond, there may be things you need to do before the infringement occurs to best protect your rights.

8. Have a Contributor Contract Template. This is the contract you will use with people who contribute content to you, your site, your channel, or a social media account. It will state what rights each party has to use the content – most likely that they own it, and they grant you a license to use for certain purposes. It should also have an indemnification clause to protect you in the event you’re accused of violating another person’s IP rights or other legal wrong by using what the contributor provided to you.

9. Have an Influencer Contract Template. This is the contract to use when brands hire you so that the expectations on both sides are clear, and you state that you comply with FTC regulations. (You should probably have internal documents about FTC compliance as well.) Companies that hire influencers may have their own contracts that they want to use, but having your own template will help you analyze their contract to see how well it addresses your needs and concerns.

10. Create Website Terms and a Privacy Policy. These documents may need to comply with U.S. privacy laws, the Canadian Anti-Spam Legislation (CASL), and the General Data Protection Regulation (GDPR), and manage the expectations of visitors to your website. Many of the new privacy laws interfere with how many companies collect and use others’ personal information. These issues are complicated. Many people copy another content creator’s terms and privacy policy, but that could be a recipe for disaster if what you use is insufficient for your needs.

This may not be a complete or comprehensive list of legal steps to take to protect your business. It’s always best to consult a lawyer who understands the legal implications related to your business, preferably someone who specializes in business, intellectual property, and internet law. Hopefully this list gives you a place to start to evaluate your legal needs as a professional content creator or online entrepreneur.


GDPR: How to Handle a Data Breach

Photo by Christoph Scholz from Flickr (Creative Commons License)

Every company that sends commercial emails to people who reside in the EU or process their data has to comply with the new privacy law, the General Data Protection Regulation (GDPR). This law has specific rules about how companies have to respond when a data breach occurs. It’s so much better than the current rules in the U.S.

Report the Breach to Supervisor within 72 Hours

When a data breach occurs, the employee must report the breach to their supervisory authority without undue delay, and where feasible, within 72 hours of learning of the breach. This notice must include the likely consequences of the breach and the measures the company is taking to mitigate the potential adverse effects.

The only exception to this rule is if the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The company doesn’t have to report the breach if it will not likely cause harm to those impacted.

Report the Breach to Consumers

In addition to reporting the breach up the chain of command, the company, without undue delay, must notify the people whose data was compromised if the breach is likely to result in a high risk to their rights and freedoms. The law doesn’t specify a number of days or a rubric to determine what is notification “without undue delay.”

Companies should notify the affected persons unless it would require a disproportionate effort. In that case, notification may be made by public communication.

There is an exception to this requirement. The company does not have to disclose that the data breach occurred if the personal data would be unintelligible (e.g. encrypted) to whomever stole it or if the risks have been sufficiently mitigated that adverse results are unlikely to occur.

These new requirements are fantastic. These will hopefully eliminate the problem of companies waiting weeks or months to disclose to impacted consumers that their personal data was hacked.

Remember, if you are subject to the GDPR, you must comply with this law by May 25, 2018, when it goes into effect.

If you want more information about GDPR, please watch this site and my YouTube channel because I’m creating a substantial amount of content on this topic. You can also send me an email (Note: I can’t give advice to non-clients). I use my mailing list to share my thoughts about being a lawyer/entrepreneur, updates about projects I’m working on, upcoming speaking engagements, and I may provide information about products, services, and discounts. Please add yourself if you’re interested.

You can also connect with me on Twitter, Facebook, YouTube, or LinkedIn.

GDPR: Protecting Personal Data

Image by Descrier from Flickr (Creative Commons License)

The General Data Protection Regulation (GDPR) is the new privacy law that goes into effect on May 25, 2018. Every company that sends commercial email to the European Union must comply with it, even if you’re not located in the EU. The purpose of this law is to obtain consent before using a person’s personal data and to adequately protect it.

Protection by Design and Default

The GDPR requires that you take adequate precautions to protect the personal information entrusted to you. The law does not specify exactly what you must do to protect this data beyond the requirement that you take the appropriate technical and organizational measures considering the cost, available technology, and why you are processing individuals’ data. The level of security should correlate to the level of risk related to the nature of the data and what you’re doing with it. Additionally, you should only process the necessary data to fulfill your purpose for doing so.

Another requirement of GDPR is that the people who have access to the data subjects’ information are only permitted to process it per the data controller’s instructions. This is a rule that every organization should have: only those who need access to the data subject’s information should have it, and it should be limited to only the tasks for which they need it.

Maintain a Record of Processing Activities

The GDPR requires certain companies to maintain a record of all their processing activities. These companies fall into one of two categories:

  1. Companies that employ 250 or more persons.
  2. Companies whose work with data subjects’ information presents a high risk to the data subjects’ rights, or the companies process data that falls into one of the following special categories:
       • Racial or ethnic origin
       • Political opinions
       • Religious or philosophical beliefs
       • Trade-union membership
       • Genetic data
       • Biometric data for the purpose of uniquely identifying a natural person
       • Data concerning health
       • Data concerning a natural person’s sex life or sexual orientation

As a company with no employees (just me running this show), where the only information people give me is their email address and name, I don’t have to maintain this record. If I did, it would only be a list of newsletters I sent, and the service I use keeps my list protected behind a password.

GDPR: Full Disclosure Required

«Via sicura» by Falk Lademann from Flickr (Creative Commons License)

If you’ve been following this blog, you know I’m all about preparing for the General Data Protection Regulation (GDPR) as it applies to content marketing. This rule applies to every company that sends commercial emails to anyone in the European Union. (If you don’t know where everyone on your list is located, assume at least one of them lives in the EU.) We’ve already talked about how, under this law, when you want to add a person to your email list, you must get their specific informed consent and you must be able to prove that you obtained their consent to be on your list.

The GDPR requires you, when you obtain this consent, to provide the person (aka data subject) with the following information:

  • The identity and contact information of the controller of the data subject’s information or their representative;
  • The contact information for the data protection officer (if applicable);
  • Your purpose for processing the data subject’s information and legal basis for doing so;
  • The period of time the data will be stored;
  • The data subject’s right to request erasure or corrections of their data or to restrict the processing of their data;
  • The data subject’s right to withdraw their consent;
  • The data subject’s right to lodge a complaint with the supervisory authority; and
  • Whether the data subject giving their information fulfills a statutory or contractual obligation.

If you want to process the subject’s data for another purpose, you must tell the person in advance, and when a person’s data is processed for direct marketing purposes, the data subject has the right to object at any time.

At the first reading of these requirements, my first thought was that the signage at conferences where vendors collect business cards would have to become much more complicated to comply with GDPR. I thought about how this firm will comply with these requirements. People voluntarily add themselves to my email list, so I don’t know where they live. I will be adding double opt-in consent for my email list, and I believe the most effective way to comply with these requirements is to include this information in the confirmatory email.

We have to comply with these rules by May 25, 2018, when this new rule goes into effect.
