An American Perspective on the GDPR One Year In

By Justin P. Webb and Sarah A. Sargent

©2019. Published in Landslide, Vol. 11, No. 5, May/June 2019, by the American Bar Association. Reproduced with permission. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association or the copyright holder.

On May 25, 2018, the General Data Protection Regulation (GDPR)1 went into effect in the European Union (EU), and over the course of the last year, companies and attorneys alike have learned more about the regulation. Upon its adoption in 2016, the GDPR caused immediate panic and made companies across the world pay attention, in varying degrees, as reflected by the current level of compliance even one year in, given its unique extraterritorial applicability and steep fines. Since then, the GDPR has led to a series of mistakes in interpretation, unnecessary e-mails requesting data subject consent, revised privacy policies, and the wholesale retooling or establishment of privacy programs at companies across the globe, whether required or not. It has also caused headaches and unintended consequences for EU regulators and exposed understaffing on the issue of privacy across the globe. However, as companies have moved toward some semblance of compliance, much of the panic has transformed into pragmatism, both for companies subject to and not subject to the GDPR and for the regulators tasked with overseeing the GDPR, including the European Data Protection Board. This article discusses some of the lessons learned one year after the GDPR went into effect, with a particular focus on the GDPR as applied to American entities.

A Brief Background

The GDPR replaced the 1995 EU Data Protection Directive (Directive).2 Much like the Directive, the GDPR governs the collection and processing of personal data, which is defined as any information relating to an identified or identifiable natural person.3 The GDPR applies not only to entities established in the EU but, in an expansion over the Directive, also extraterritorially, that is, to entities outside the EU that either offer goods or services to individuals in the EU or monitor the behavior of individuals in the EU.4 At its heart, the GDPR provides individuals with considerable rights over their personal data, including the right to erasure (the right to be forgotten), the right to be informed about the processing, the right of access, the right to data portability, and the right to object to processing of their personal data.5 To provide those rights, the GDPR places a number of requirements on entities that collect or process personal data. To start, an entity must have a legal basis for processing personal data, for example, performance of a contract with the data subject, a legal obligation, the consent of the individual, or a legitimate interest of the entity.6 Other requirements of the GDPR include mandatory contractual provisions in agreements involving the processing of personal data, data security measures, data breach notification obligations, and considerable recordkeeping obligations.7 In addition, the regulation requires certain entities to appoint a data protection officer, and it requires most non-EU entities that are subject to the regulation to designate a representative in the EU.8 Failure to comply with the GDPR can result in fines of up to 20 million euros or 4 percent of a business's worldwide annual turnover (total revenue), whichever is higher.9

Initial Mistakes

Over the last year, companies have made numerous mistakes due to mass misunderstandings of the regulation’s language. The most common mistakes arose from misunderstandings about the GDPR’s provisions relating to applicability, consent, and notice to regulators of data security breaches.

When the GDPR initially went into effect, there was confusion, mostly in the United States, about the GDPR's applicability to EU citizens and residents. Many incorrectly assumed that the regulation's protections followed EU citizens and residents around the world. Rather, the extraterritorial provision turns on where the individual is located when the goods or services are offered or the monitoring takes place: it protects individuals who are in the EU, and citizenship and residency have no bearing on its application. For example, if a French tourist visits a small local flower shop in the United States while on vacation and uses a credit card to purchase flowers, the flower shop is not required to comply with the GDPR simply because it processed the French tourist's personal data; the shop offered nothing to anyone in the EU and monitored no one there.

Given that the GDPR applies to individuals located in the EU, U.S. companies also began to fret about a different problem: travel to the EU by their employees. Specifically, were U.S. entities required to comply with the GDPR solely because their employees occasionally made trips to the EU for work? What if the company collected and processed data about those employees or perhaps monitored their behavior, through mobile device management applications or other tracking technologies on their work computers, while they were in the EU? These types of tangential interactions with the EU befuddled a considerable number of U.S. entities. Whether the GDPR applies in these circumstances requires a lawyerly answer: it depends. But, for the majority of U.S.-based and U.S.-centric companies, the GDPR would not apply.

Another common mistake has been overreliance on consent as the legal basis for processing personal data. Consent is one of six legal bases for processing personal data under Article 6 of the GDPR,10 and it carries the most pitfalls because individuals may withdraw their consent at any time, which forces the company to stop the processing that rested on it. For many mission-critical functions like fraud prevention, security, and certain marketing, consent may not be the best or even the required basis. Additionally, valid consent is difficult to obtain under the GDPR because it must be freely given, specific, informed, and unambiguous, and it must be signaled by a clear affirmative act.11 In practice, this means that consent cannot be bundled into a service as a condition of receiving it when the service does not need the data, and it is unlikely to be valid where a power imbalance exists, such as between employer and employee. Despite the difficulties with consent and the availability of five other bases for processing personal data, many companies automatically defaulted to seeking consent for all data processing once the regulation went into effect. Many individuals were greeted with an avalanche of e-mails in May 2018 asking for consent to continue using personal data.12 Many of these e-mails were unnecessary because the companies either had already obtained consent or could have relied on another legal basis. This created a different problem for U.S. companies seeking across-the-board consent: individuals failed to respond to the e-mails in considerable numbers, and many companies then stopped processing the personal data or purged it from their records altogether.

Currently, companies most often rely on "legitimate interests" and contract (including steps taken at the data subject's request before a contract is entered into) as the legal bases for processing. For example, a company may have a legitimate interest in sending a customer marketing materials on products similar to what the customer previously purchased; Recital 47 of the GDPR expressly notes that processing for direct marketing purposes may be regarded as a legitimate interest. And unlike with consent, an individual generally cannot force a company to stop processing his or her data simply by asking when the company relies on legitimate interests. Instead, if an individual objects, the company may continue only if it can demonstrate compelling legitimate grounds that override the individual's interests, rights, and freedoms, a balancing test set out in Article 21(1). One important exception applies to the marketing example itself: where personal data are processed for direct marketing, Article 21(2) gives the individual an unconditional right to object, and once the objection is made the data may no longer be processed for that purpose, regardless of any balancing. Companies should consider, and where possible rely on, bases other than consent for processing personal data, and should map each processing activity to the basis that actually fits it.

Much to the chagrin of European regulators, or data protection authorities (DPAs), entities have also made the mistake of overreporting potential data breaches, or reporting such breaches prematurely, before there is enough substantive information for DPAs to make any determination. Under the GDPR, an entity must notify the competent DPA within 72 hours of becoming aware of a personal data breach, but there is no requirement to report a breach if it is "unlikely to result in a risk to the rights and freedoms of natural persons."13 Unfortunately, the GDPR is not clear about what will result in such risks, hence the overreporting. Since the GDPR went into effect, DPAs have received a significant increase in breach reports, with some DPAs receiving nearly quadruple the historical average.14 Many EU DPAs, including the United Kingdom's Information Commissioner's Office (ICO), report that companies are not conducting the appropriate risk analysis before reporting a breach, or are reporting the breach so early for fear of missing the deadline that they are unable to provide any substantive information other than "something is going on, and we are trying to figure out what it is."15 Due to this overreporting, DPAs are being overwhelmed by unnecessary notices, and there has been much discussion about the lack of preparedness of DPAs in both head count and process.16 Given the amount of overreporting, some companies elect to call DPAs to consult with regulators on whether they are required to report.17 Before rushing to beat the 72-hour clock, companies should conduct a risk analysis to determine how individuals' rights are impacted and consider carefully when the company actually becomes "aware" of a data breach, i.e., what amount of information is sufficient to cross that threshold. Two caveats temper that advice. First, a decision not to notify does not end the matter: Article 33(5) requires the controller to document every personal data breach, including its effects and the remedial action taken, whether or not it was reported, so that the DPA can verify the judgment after the fact. Second, Article 33(4) allows the required information to be provided in phases where it is not all available at once, so a timely initial notification can be followed by supplemental detail rather than a guess.

Current Enforcement Efforts

On the minds of everyone with a modicum of interest in the GDPR are the steep fines and how DPAs would dole them out. Each EU member state has at least one DPA with enforcement authority (Germany has a federal authority and one for each state). While some well-established DPAs, such as the ICO, transitioned smoothly into GDPR enforcement, other DPAs took longer to create functioning websites, draft new forms, and establish contact hotlines. As a result, many of the first GDPR fines were not issued until the fall of 2018.18 Additionally, data breaches involving incidents that arose prior to May 25, 2018, are arguably not within the scope of the GDPR's fine provisions. Indeed, companies may in some cases be hoping that breaches discovered post-May 25 have some pre-May 25 element that will shoehorn the incident into the much less onerous penalty provisions of the Directive. So far, regulators have focused primarily on egregious and large violations and have opened investigations into multinational technology companies that many expected would be fodder for scrutiny: Facebook, Twitter, and Google.19

In November 2018, the DPA for the German state of Baden-Württemberg issued Germany's first GDPR fine to a German social media company that suffered a data breach impacting over 1.8 million users.20 The DPA fined the company EUR 20,000 (roughly $23,000) for storing users' passwords in plaintext, with no hashing or other protection applied. The fine was low because the company was transparent, quick to implement security upgrades, and cooperative with the regulators. Other DPAs have used their investigation powers to require companies to perform audits after a data breach or complaint. The first enforcement action under the GDPR by the United Kingdom's ICO was to audit AggregateIQ Data Services Ltd., a Canadian digital marketing firm associated with the Facebook and Cambridge Analytica scandal.21 The marketing firm initially refused to cooperate with the ICO's investigation, asserting it was not subject to the jurisdiction of the ICO, but the ICO argued that it had jurisdiction over the firm under the GDPR's extraterritorial scope because the firm possessed personal data of U.K. individuals as a result of work it did on behalf of a U.K. client.22 Ultimately, the firm complied with the regulator's requests after the ICO narrowed its enforcement action.23 After the investigation, the ICO issued an enforcement notice against the marketing firm in October 2018 ordering it to stop processing the data of U.K. individuals24 and worked with Canadian federal regulators to assist in enforcement.25

Similar to the Federal Trade Commission's enforcement actions regarding unreasonable data security practices, a number of DPA investigations have been resolved through agreements between the regulators and the offending companies. The Irish DPA reported that it amicably resolved a complaint regarding LinkedIn's misuse of personal data when LinkedIn agreed to implement a number of immediate actions to stop processing user data for particular purposes.26 Looking forward, regulators will likely continue to focus on violations that affect a significant number of individuals, arise from a data breach involving the lack of reasonable security measures, or appear on the DPA's radar as a result of multiple complaints from data subjects.

When it comes to U.S. companies, no fines have been issued so far. And, while Facebook and Twitter are currently under investigation by the Irish DPA, those companies are global in nature and have EU establishments. Thus, they are not good proxies for U.S. entities with medium-to-low exposure under the GDPR. As of now, there have not been any reports of U.S.-based or U.S.-centric entities being actively pursued by DPAs. Indeed, DPAs have appeared reticent at times to exercise extraterritorial jurisdiction over U.S. entities for violations of the GDPR. For example, the ICO warned the Washington Post about its cookie consent practices (specifically, that they did not comply with the GDPR), but rather than investigating further or issuing fines, the ICO merely stated that it "hope[d] that the Washington Post [would] heed [its] advice, but if they choose not to, there is nothing more [it could] do in relation to [the] matter."27 The reticence on the part of the ICO may arise from the untested extraterritorial provisions of the GDPR, as well as the lack of an effective mechanism for collecting fines from an entity with no EU presence, given that it is doubtful a U.S. court would enforce such a penalty.

New Guidance from Regulators

Many of the mistakes and misunderstandings relating to the GDPR arose from the broad, sometimes sweeping language in its text, without any meaningful interpretation by either the Article 29 Working Party or the European Data Protection Board (EDPB). The EDPB is the EU body that issues guidelines interpreting the GDPR and coordinates enforcement among the individual DPAs through the regulation's consistency mechanism; the DPAs themselves remain the enforcers. The EDPB replaced the Article 29 Working Party, the advisory body under the Directive, which also provided interpretations of some of the provisions of the GDPR before May 25, 2018. The EDPB held its first plenary session on May 25, 2018, the day the GDPR became applicable, and endorsed the previous Article 29 Working Party guidance as equally applicable under the GDPR. Subsequently, the EDPB released new guidelines under the GDPR related to transfers of data outside the European Economic Area and, most importantly, to the territorial scope of the GDPR.

On November 23, 2018, the EDPB released "Guidelines 3/2018 on the Territorial Scope of the GDPR (Article 3)" (Territorial Guidance)28 for public comment through January 18, 2019. The Territorial Guidance represented a distinctly practical approach to the application of the GDPR to non-EU entities, including American companies. The much anticipated guidance relieved fears that U.S. entities with solely U.S.-based operations could potentially face stiff fines under the regulation. Rather, the Territorial Guidance provides that a non-EU entity must actually direct or target its activities to the EU to trigger applicability, and any analysis of such direction or targeting must be made in concreto, that is, based on the totality of the circumstances. Thus, tangential interactions with the EU, standing alone, are unlikely to bring many U.S. companies within the scope of the GDPR.

The Territorial Guidance answered many of the issues described earlier in this article. It outlines how companies should apply the territorial tests to determine if the GDPR applies, and provides hypothetical factual scenarios to assist lawyers and privacy professionals in analogizing a company’s EU interactions to determine the GDPR’s applicability. In addition to hypotheticals, the Territorial Guidance also lists factors that should be considered when determining if a company is offering goods or services in the EU, many of which are derived from previous European Court of Justice opinions interpreting the applicability of the Directive to non-EU entities. Those factors include whether a company is paying a search engine operator for an Internet referencing service in order to facilitate access to its site by consumers in the EU, listing international clients domiciled in the EU, accepting transactions in the local currency of an EU member state, or permitting goods to be shipped to individuals in the EU. For many privacy professionals, the Territorial Guidance confirmed what they had been advocating: a wait-and-see approach to GDPR compliance based on risk tolerance. The Territorial Guidance also confirmed an assumption that the EDPB would take a pragmatic approach to GDPR applicability such that it would not apply to every company that sends infrequent e-mails to individuals in the EU or has EU individuals access its website occasionally. Of course, for many U.S. companies, their relationships with the EU are not so attenuated and the GDPR most certainly applies to their operations, at least in part. But, a great many of those entities had already been subject to the Directive or working with legal counsel intimately familiar with the intricacies of the GDPR.

A Practical Approach for American Companies

As initial panic over extraterritorial application and large fines subsided, many U.S. companies took a practical approach to GDPR applicability. Some companies, such as the L.A. Times, initially blocked EU users from their websites in an attempt to avoid triggering the regulation.29 Others took steps to minimize the amount of EU personal data they collected or held, and reevaluated their advertising efforts directed at EU individuals. For example, the New York Times (which has taken the position that the company is subject to the GDPR) now only uses direct-sold advertising in the EU in lieu of using behavioral targeting advertisements.30 The publisher initially removed behavioral targeting ads from the EU to minimize its exposure under the GDPR while it built out a compliance program, but recently the company has decided to make the decision permanent, as its digital advertising business has continued to grow despite the change.31 Alternatively, a number of U.S. companies that only incidentally provided business-to-business services in the EU took the wait-and-see approach previously noted to assess compliance once regulators released further guidance. This approach proved fruitful for some, as the Territorial Guidance confirmed that companies must intentionally target individuals in the EU to satisfy the extraterritorial tests.

Another practical method companies have used to mitigate GDPR costs is to shift operations involving EU personal data to EU-based subsidiaries or affiliates, or to spin off entities solely for the processing of EU data. Additionally, many entities subject to the GDPR opt to only comply with the GDPR for EU personal data, as opposed to providing the rights to all individuals they collect and process information about. This situation may also arise when a vendor has a client that contractually requires the vendor to comply with aspects of the GDPR. Rather than forfeit the business, the vendor will contractually agree to treat the client’s EU personal data consistent with the requirements of the GDPR. In such a scenario, the vendor does not become subject to the GDPR legally, but merely contractually, which can lessen the burden of compliance.

In addition to the mitigation efforts noted above, companies caught by the GDPR have relied on two bases to determine their level of compliance. First, many companies have taken a slow approach to GDPR compliance, emboldened to some extent by comments of EU regulators that they were not expecting 100 percent compliance with the regulation as of May 25, 2018.32 Rather, EU regulators, when assessing GDPR compliance, would take into consideration whether companies were taking steps toward GDPR compliance, as opposed to ignoring the regulation altogether. This slow approach is borne out by many surveys of companies’ GDPR compliance efforts. For example, the International Association of Privacy Professionals’ IAPP-EY Annual Privacy Governance Report 2018 revealed that only 44 percent of companies required to comply with the GDPR were fully compliant.33 Of the remaining companies, 7 percent reported that they were not compliant, and 49 percent reported being partially compliant. Overall, a significant number of companies are still working on their initial compliance efforts, with a focus on progress over perfection for a variety of reasons: the cost of compliance; the lack of compliance of vendors, service providers, and customers; and the lack of technology, time, employees, and processes to comply with the GDPR, including the onerous recordkeeping obligations.

While many companies are still working through their initial compliance efforts, even more are contemplating how to efficiently implement privacy programs and raise privacy awareness from employees up to the boardroom. Even after companies have achieved substantial "paper" compliance by adopting new processes and policies, many companies continue to struggle with data subject requests from individuals, especially requests for access and data portability. Most companies do not have an automated process to review their systems for electronic personal data of individuals; rather, such a review requires a manual review of their databases, systems, and file shares, as well as paper records. As such, many companies performing manual reviews struggle to respond within the one-month deadline of Article 12(3) (extendable by two further months for complex or numerous requests, provided the individual is told within the first month), or lack confidence that their manual review efforts have captured all copies of an individual's personal data, especially copies held in unstructured data or filed under an internal identifier rather than a name. In response to this issue, companies continue to work through data mapping, process automation exercises, and software implementations designed to automate some or all of the process.
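To make the search problem concrete, the following is an added illustration written for this page; it is not code from the article, the authors, or any vendor product. It assumes that the systems to be searched can be presented as a mapping of path to text (a real run would read a file share or database export), that structured exports are CSV files with an "id" column holding the internal customer key, and that the requester has supplied a name and an e-mail address. The sample CRM export, support ticket file, and web log are constructed here. The example shows two things a manual review tends to miss: a name that differs only in accents or case ("Anna Müller" versus "ANNA MULLER"), and a log that refers to the person only by the internal key learned from the structured record.

```python
import csv
import io
import re
import unicodedata
from dataclasses import dataclass

# Constructed sample data standing in for a CRM export, a support ticket
# file and a web server log. None of this comes from the article.
SAMPLE_FILES = {
    "crm/customers.csv": (
        "id,name,email,country\n"
        "1042,Anna Müller,anna.mueller@example.eu,DE\n"
        "1043,Bob Jones,bob@example.com,US\n"
    ),
    "support/tickets.txt": (
        "Ticket 771: customer ANNA MULLER asked for a copy of her invoice\n"
        "Ticket 772: bob@example.com requested a password reset\n"
    ),
    "logs/web.log": (
        "2019-03-02T10:15:01Z user=1042 GET /orders 200\n"
        "2019-03-02T10:16:44Z user=9999 GET /orders 200\n"
    ),
}


@dataclass(frozen=True)
class Hit:
    path: str
    line_no: int
    identifier: str   # normalized identifier that matched this line
    excerpt: str


def normalize(text: str) -> str:
    """Strip accents and fold case so 'Anna Müller' and 'ANNA MULLER' compare equal."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()


def find_personal_data(files, seed_identifiers, id_columns=("id",)):
    """Return every line in `files` that references the data subject.

    files: mapping of path -> file contents (assumed; a real run reads storage).
    seed_identifiers: what the requester told us (name, e-mail address, ...).
    id_columns: CSV columns holding internal keys (customer number, user id)
                that other systems use instead of the name or e-mail address.
    """
    identifiers = {normalize(s) for s in seed_identifiers}

    # Pass 1: structured records. A row that matches a known identifier
    # reveals the internal keys under which the same person appears elsewhere.
    for path, text in files.items():
        if not path.endswith(".csv"):
            continue
        for row in csv.DictReader(io.StringIO(text)):
            values = [normalize(v or "") for v in row.values()]
            if any(v in identifiers for v in values):
                for col in id_columns:
                    if row.get(col):
                        identifiers.add(normalize(row[col]))

    # Pass 2: every line of every file, matched on whole tokens only, so that
    # user id 1042 does not match a timestamp or phone number containing 1042.
    patterns = [(ident, re.compile(r"(?<!\w)" + re.escape(ident) + r"(?!\w)"))
                for ident in sorted(identifiers)]
    hits = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            normalized_line = normalize(line)
            for ident, pattern in patterns:
                if pattern.search(normalized_line):
                    hits.append(Hit(path, line_no, ident, line.strip()[:80]))
                    break
    return hits


def summarize(hits):
    """Count hits per source so the request owner can see which systems need work."""
    counts = {}
    for hit in hits:
        counts[hit.path] = counts.get(hit.path, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_personal_data(SAMPLE_FILES, ["Anna Müller", "anna.mueller@example.eu"])
    for hit in found:
        print(f"{hit.path}:{hit.line_no}  [{hit.identifier}]  {hit.excerpt}")
    print(summarize(found))
```

Run as written, the search reports one line in each of the three sources; with `id_columns=()` the web log entry is never found because nothing in it matches the name or e-mail address, which is exactly the copy a manual review keyed on the requester's name overlooks. The example deliberately stops at locating records: deciding which hits fall within the request, redacting third parties' data, and producing the portable export are separate steps.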

Indirect Impacts of the GDPR

The GDPR’s impact is not limited to whether a company must comply or not. Rather, the GDPR has indirectly impacted U.S. companies by bringing publicity and awareness to the issues surrounding personal data and the commercialization of that data. As U.S. consumers see more and more global companies adopting comprehensive and transparent data privacy programs, they begin to question where their data is and what is being done with it. And, many companies are left with a conundrum: apply the protections of the GDPR to EU personal data only, or apply it entity-wide to all personal data. For large technology companies with in-house software development teams like Google, Facebook, and Twitter, entity-wide compliance is easier to bake into the technology. For smaller companies, or those with less technology acumen, instituting an entity-wide privacy program applicable to all personal data is a bridge much too far. Unfortunately, this issue will only become more complicated when the California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020.34 Similar to the GDPR, U.S. companies will be forced to choose between providing the more robust privacy protections in the CCPA only to California residents or spending more money and time to provide those rights to all individuals to avoid the negative public relations of providing better privacy to one group of customers over another.

The growing public awareness of data privacy, accentuated by constant news reports of significant data breaches, has fueled data privacy and security concerns and subsequent legislative initiatives worldwide. In addition to the passing of the CCPA in California, other countries have passed GDPR-like legislation, including Japan.35 Since the passage of the California law, tech industry giants and other large corporations, such as Facebook, Google, IBM, and Microsoft, have also begun lobbying for a federal privacy law in the United States. Their motives are not altruistic; there is not a concerted effort to democratize privacy by spreading it across the United States in the form of federal legislation. Rather, much of those lobbying efforts are aimed at passing much weaker federal privacy legislation that would preempt the more onerous requirements of the CCPA. On the other side, many entities like the EFF, ACLU, and consumer groups are pushing for federal privacy legislation that would indeed require many of the data subject-centric rights provided in the GDPR across the United States.

Conclusion

The GDPR significantly impacted companies across the world beginning in 2016. However, many of the fears about the GDPR applying across the globe, even to attenuated EU conduct, were overblown. And, in the panic that ensued as May 25, 2018, approached, companies turned the ambiguities in the GDPR into unnecessary action, rather than taking a wait-and-see approach. Regulators have now demystified some aspects of the GDPR, but many ambiguities and questions remain that will be elucidated with the passage of time and additional guidance from the EDPB and DPAs. Furthermore, as more DPAs attain full functionality and adjust to the demands of the GDPR, we will gain a better understanding of enforcement priorities and potential fines for specific conduct. U.S. companies should be keeping a watchful eye on the actions of European regulators, further interpretation of the GDPR’s ambiguities, and their own operations, which could inch ever closer to sweeping their activities within the scope of the GDPR (if they are not already subject to its strictures).

Endnotes

1. Regulation (EU) 2016/679 of the European Parliament and of the Council, 2016 O.J. (L 119) 1 [hereinafter GDPR].

2. Council Directive 95/46/EC, 1995 O.J. (L 281) 31 (EC).

3. GDPR, supra note 1, at art. 4(1).

4. Id. at art. 3.

5. Id. at arts. 12–23.

6. Id. at art. 6(1).

7. Id. at arts. 24–43.

8. Id. at arts. 27, 37.

9. Id. at arts. 83(5)–(6).

10. Id. at art. 6(1)(a).

11. Id. at art. 4(11).

12. Jennifer Baker, Are All These GDPR-Consent Emails Even Necessary?, Int’l Ass’n Privacy Profs. (May 22, 2018), https://iapp.org/news/a/are-all-these-gdpr-consent-emails-even-necessary/.

13. GDPR, supra note 1, at art. 33(1).

14. Elaine Edwards, DPC Receives over 1,100 Reports of Data Breaches Since Start of GDPR Rules, Irish Times (July 30, 2018), https://www.irishtimes.com/business/technology/dpc-receives-over-1-100-reports-of-data-breaches-since-start-of-gdpr-rules-1.3580240.

15. ICO Warns on Over-Reporting of Data Breaches, Out-Law.com (Sept. 13, 2018), https://www.out-law.com/en/articles/2018/september/ico-warns-over-reporting-data-breaches/.

16. Douglas Busvine et al., European Regulators: We’re Not Ready for New Privacy Law, Reuters (May 8, 2018), https://www.reuters.com/article/us-europe-privacy-analysis/european-regulators-were-not-ready-for-new-privacy-law-idUSKBN1I915X; Malcolm Moore, Year in a Word: GDPR, Fin. Times (Dec. 24, 2018), https://www.ft.com/content/c8581322-fca9-11e8-ac00-57a2a826423e; Christian W., Danish Data Protection Agency Overwhelmed by GDPR Cases, CPH Post Online (Aug. 20, 2018), http://cphpost.dk/news/danish-data-protection-agency-overwhelmed-by-gdpr-cases.html.

17. ICO Warns on Over-Reporting of Data Breaches, supra note 15.

18. Chris Baraniuk, Vote Leave Data Firm Hit with First Ever GDPR Notice, BBC News (Sept. 20, 2018), https://www.bbc.com/news/technology-45589004; Foo Yun Chee, Exclusive: EU Privacy Chief Expects First Round of Fines under New Law by Year-End, Reuters (Oct. 9, 2018), https://www.reuters.com/article/us-eu-gdpr-exclusive/exclusive-eu-privacy-chief-expects-first-round-of-fines-under-new-law-by-year-end-idUSKCN1MJ2AY; Oliver Schmidt, Germany’s First Fine under the GDPR Offers Enforcement Insights, Int’l Ass’n Privacy Profs. (Nov. 27, 2018), https://iapp.org/news/a/germanys-first-fine-under-the-gdpr-offers-enforcement-insights/.

19. Hasan Chowdhury, Twitter Faces Investigation by Privacy Watchdog over User Tracking, Telegraph (Oct. 15, 2018), https://www.telegraph.co.uk/technology/2018/10/15/twitter-faces-investigation-privacy-watchdog-user-tracking; Elaine Edwards, Data Protection Commission Confirms Formal Investigation into Facebook Data Breach, Irish Times (Oct. 3, 2018), https://www.irishtimes.com/news/ireland/irish-news/data-protection-commission-confirms-formal-investigation-into-facebook-data-breach-1.3650606; Adam Satariano, Google Is Fined $57 Million under Europe’s Data Privacy Law, N.Y. Times (Jan. 21, 2019), https://www.nytimes.com/2019/01/21/technology/google-europe-gdpr-fine.html.

20. Ionut Ilascu, First GDPR Sanction in Germany Fines Flirty Chat Platform EUR 20,000, Bleeping Computer (Nov. 23, 2018), https://www.bleepingcomputer.com/news/security/first-gdpr-sanction-in-germany-fines-flirty-chat-platform-eur-20-000/.

21. Scott Ikeda, Busy Year with Millions in ICO Fines Levied for Data Breaches, CPO Mag. (Dec. 11, 2018), https://www.cpomagazine.com/2018/12/11/busy-year-with-millions-in-ico-fines-levied-for-data-breaches/.

22. AggregateIQ Data Services Ltd., Enforcement Notice (Info. Comm’r’s Off. Oct. 24, 2018), https://ico.org.uk/action-weve-taken/enforcement/aggregate-iq-data-services-ltd/.

23. Id.

24. Id.

25. Info. Comm’r’s Office, Investigation into the Use of Data Analytics in Political Campaigns: A Report to Parliament (2018), https://ico.org.uk/media/2260271/investigation-into-the-use-of-data-analytics-in-political-campaigns-final-20181105.pdf.

26. Data Prot. Comm’r, Final Report (1 January – 24 May 2018) 21 (2018), https://www.dataprotection.ie/sites/default/files/uploads/2018-11/DPC%20annual%20Report%202018_0.pdf.

27. Rebecca Hill, Washington Post Offers Invalid Cookie Consent under EU Rules—ICO, Reg. (Nov. 19, 2018), https://www.theregister.co.uk/2018/11/19/ico_washington_post/.

28. European Data Prot. Bd., Guidelines 3/2018 on the Territorial Scope of the GDPR (Article 3)—Version for Public Consultation (Nov. 16, 2018), https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_3_2018_territorial_scope_en.pdf.

29. European Readers Still Blocked from Some US News Sites, BBC News (June 26, 2018), https://www.bbc.com/news/technology-44614885.

30. Jessica Davies, After GDPR, the New York Times Cut Off Ad Exchanges in Europe—and Kept Growing Ad Revenue, Digiday (Jan. 16, 2019), https://digiday.com/media/new-york-times-gdpr-cut-off-ad-exchanges-europe-ad-revenue/.

31. Id.

32. Angelique Carson, What Will Happen on May 26? We Asked Helen Dixon, Int’l Ass’n Privacy Profs. (Apr. 3, 2018), https://iapp.org/news/a/what-will-happen-on-may-26-we-asked-helen-dixon/.

33. Int’l Ass’n of Privacy Prof’ls, IAPP-EY Annual Privacy Governance Report 2018, at 65 (2018), https://iapp.org/media/pdf/resource_center/IAPP-EY-Gov_Report_2018-FINAL.pdf.

34. California Consumer Privacy Act of 2018, A.B. 375, 2017–2018 Leg., Reg. Sess., https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375.

35. Michihiro Nishi, Japan: Data Protection in Japan to Align with GDPR, Mondaq (Sept. 27, 2018), http://www.mondaq.com/x/739986/Data+Protection+Privacy/Data+Protection+In+Japan+To+Align+With+GDPR.


Justin P. Webb is a CIPP/US-certified attorney at Godfrey & Kahn S.C. in Milwaukee, Wisconsin. His practice focuses on compliance with domestic and international privacy regulations, data breach response, technology contracting, and cybersecurity and data privacy due diligence in M&A.

Sarah A. Sargent is a CIPP/US- and CIPP/E-certified attorney at Godfrey & Kahn S.C. in Milwaukee, Wisconsin. She specializes in cybersecurity and data privacy, specifically with respect to domestic and international compliance planning and data breach response.