It has been widely reported in the news and business media that French privacy authorities have imposed large (in excess of 50 million Euros) fines on Google for its non-compliance with the European Union’s General Data Protection Regulation (‘GDPR’). The following analyzes what the French action means for your business, if you are subject to the GDPR (and in the near future, even if you are not). If you are interface with users in any meaningful way on an interactive website, the news from France should be important to you.
You will recall that we have written about the essence of the GDPR being informed user consent to collection and use of personal information. The emphasis is on BOTH ‘informed’ and ‘consent’!
What previously was seemingly mundane technical site configuration and aesthetic layout choices now have a major impact on your company’s compliance posture.
Google’s offense, in the eyes of the French regulators was two-fold:
- It pre-checked several boxes where consent was requested; and
- It dispersed around its website, the requests for consent and related explanations, requiring users to utilize five or six clicks for a full explanation.
If you are or become subject to the GDPR, this means in the first instance that you must not pre-check any boxes which you are using to obtain user consent. Yes, this is a nuisance. However, the takeaway from the Google story is that this kind of prompting will get you in big trouble.
It also means that your company must not fragment its explanations and consent requests. Multiple screens for this purpose are verboten. A heading such as ‘CONSENTS WHICH YOU ARE BEING REQUESTED TO PROVIDE’ is appropriate.
Does this mean that multiple consent boxes pertaining to each action item – e.g. data sharing, right to be forgotten, targeted advertising, right to revoke consent, etc. – are also appropriate? The decision from France leaves some uncertainty as to whether multiple boxes are overly confusing. It remains our counsel that multiple boxes are most appropriate in order to establish the actuality of each consent, as opposed to allowing an argument that a singular box approach did not make clear the various matters at issue. Regardless, it is now quite clear that each box must be preceded with a very clear caption as to its subject matter. While all GDPR compliance efforts are inherently amenable to case by case consideration, this issue is particularly suited for that approach.
It is also clear that apart from the site layout, the specific verbiage which is used for disclosures and consent requests must be truncated to the extent possible, while still giving the reader an understanding of what is going on. Whether one would say that this means that ‘brevity is the soul of [GDPR] wit’ or that ‘less is more [compliant]’ can be argued, but it is clear that legalese is off limits.
Why do we mention this? Even if you are not subject to the GDPR, the California Consumer Privacy Act (“CCPA”) is scheduled to become effective at January 1, 2020 and has many similarities to the GDPR (and a few material differences). It is possible that California courts will look to EU authority regarding corresponding sections of the California law. Thus, unless you are certain that your business will qualify for an exception to the CCPA, you should take into account this and other EU decisions, when implementing your CCPA compliance strategy.
FisherBroyles, LLP Cyber & Privacy partners are pleased to work with you to determine what actions, if any, are called for regarding your specific needs and circumstances, now and in the future.
About FisherBroyles, LLP
Founded in 2002, FisherBroyles, LLP is the first and world’s largest distributed law firm partnership. The Next Generation Law Firm® has grown to over 225 attorneys in 22 offices nationwide. The FisherBroyles’ efficient and cost-effective Law Firm 2.0® model leverages talent and technology instead of unnecessary overhead that does not add value to our clients, all without sacrificing BigLaw quality. Visit our website at www.fisherbroyles.com to learn more about our firm’s unique approach and how we can best meet your legal needs.
These materials have been prepared for informational purposes only, are not legal advice, and under rules applicable to the professional conduct of attorneys in various jurisdictions may be considered advertising materials. This information is not intended to create an attorney-client or similar relationship. Whether you need legal services and which lawyer you select are important decisions that should not be based on these materials alone.
© 2019 FisherBroyles, LLP