Jennifer Schaus & Associates SERVICES FOR US FEDERAL GOVERNMENT CONTRACTORS
WEBINAR WEDNESDAYS – 2018 WASHINGTON, DC OFFICE PHONE: 2 0 2 – 3 6 5 – 0 5 9 8
Jennifer Schaus & Associates – GOV CON WEBINAR SERIES - 2018 - WASHINGTON DC
www.JenniferSchaus.com
Join Us for Our 2018 Series of Complimentary Webinars on various US Federal Government Contracting Topics. Presenters are industry experts sharing knowledge about the competitive government contracting sector. Find all of our Govt Contracting webinars (free download) at www.JenniferSchaus.com
Contact Us @ 2 0 2 – 3 6 5 – 0 5 9 8
REMINDERS: All webinars are complimentary. All webinars are recorded. They are found on our website and on YouTube. Please send your questions to the speaker directly. Thank you for participating.
ABOUT JENNIFER SCHAUS & ASSOCIATES:
- Based in downtown Washington, DC;
- A la carte services for Federal Contractors;
- Proposal Writing to GSA Schedules, 8a Cert, Contract Admin & more!;
- Educational webinars;
- Networking events and seminars;
WEBSITE: http://www.JenniferSchaus.com
ABOUT OUR SPEAKER: ANDREW MIRSKY
ABOUT ANDREW MIRSKY
Principal, M Street Legal (DC and NYC)
Education: University of PA Law School
25 years of legal experience handling corporate, contract and IP business matters for technology, media and publishing, internet and other businesses.
Contact Info: andy@mstreetlegal.com, (202) 339-0303, mstreetlegal.com
mstreetlegal.com
Clients in digital media and technology, including intellectual property, corporate and finance, and privacy matters. Based in Washington, DC (satellite office in New York, NY).
OPT-IN CONSENT RULES UNDER NEW DATA PRIVACY LAWS
Or … Why are you seeing all of those cookie consent banners? (Hint: Because of GDPR)
Wednesday, July 18, 2018
More precisely: Why the (seemingly) sudden emphasis on consent?
GDPR: EU General Data Protection Regulation
GDPR “replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.” – eugdpr.org/
GDPR Applies to …
Any organization that processes or stores personal data of EU citizens or monitors behavior of EU citizens. You don’t have to be physically operating in EU to be covered.
* Regardless of whether you have an office or physical presence in EU.
* Processing or storing need not take place in the EU.
“Personal Data”
* Much broader definition than most US federal or state legal definitions.
* Includes IP addresses, application User IDs, GPS data, cookies, biometric data, email addresses, etc.
So GDPR applies to you, so what?
Huge potential penalties for noncompliance.
* Tier 1 Penalties: Up to 2% of global annual revenues (max. €10M) for non-serious breaches (Recordkeeping requirements, Breach Notification rules).
* Tier 2 Penalties: Up to 4% of global annual revenues (max. €20M) for serious breaches (Consent requirements or “Privacy-by-Design” concepts).
“Lawfulness of Processing” (GDPR Article 6)
A “lawful” basis is required to process personal data of EU citizens. Consent is one such legal basis, but there are others:
* The “legitimate interest” of the data controller.
* Performance of contractual obligations with the individual data subject.
* Others (see GDPR Article 6).
If data that you collect is not “personal data”, consent rules do not apply.
Example: Tracking software, such as use of tracking pixels (e.g. Google Analytics). Do you have to obtain an individual’s GDPR-sufficient consent in order to track their website visits?
* Yes: If the data you track about customers is not “personal data” – it does not “identify” an individual or an individual “identifiable” by reference to other available data – consent rules do not apply.
* No: If you track demographics and other “personal data”, then consent is required (or another lawful basis to process the data).
Be careful: Google Analytics is not the only tracking pixel commonly used. Almost all 3rd party widgets/plugins employ tracking, including video embeds and social media “share” buttons.
If data that you collect is “personal data” but does not relate to EU citizens, then consent rules do not apply.
Well … Yes and no.
* EU laws (GDPR and e-Privacy Directive) do not apply.
* But: US laws could apply if the data relates to US citizens, e.g. California Consumer Privacy Act of 2018.
If EU laws don’t apply to US sites, why so many consent requests from so many websites? Why cookie consent banners on every website?
* Geo-fencing is not always practical. From Jeff Sauer (JeffAlytics): “I don’t want the 74% of my visitors that aren’t in a GDPR area to get hit with a cookie consent popup when they land on my site. So, I am going to look for a solution that allows me to limit my tracking consent notice to visitors from GDPR areas.” https://www.jeffalytics.com/gdpr-compliance/
* Other reasons: Industry best practices, herd mentality, California and other non-EU laws.
* The best reason of all: GDPR + related privacy laws (e-Privacy Directive) + Facebook/Cambridge Analytica = escalated expectations by customers.
Consent – How to obtain? (Source: GDPR Articles 4 and 7)
* Must be explicit disclosure, prominent, specific and affirmative. Individuals must actively confirm consent by clicking a distinct and clearly designated field or adding a signature with clear, conspicuous language.
* Examples (from GDPR Recital 32): “ticking a box” on a website or “another statement or conduct which clearly indicates … the data subject’s acceptance of the proposed processing of his or her personal data”.
* Not good consent: Typical “click wrap” or long terms of use with fine print/ legalese/ lengthy terms.
* Right to withdraw consent: An individual may withdraw consent at any time and must be informed of that right before consent is given.
* Details surrounding how consent is given must be recorded and documented.
* Unbundling: If consent to one use of personal data is given together with other matters, the consent must be “presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.”
Cookie Banners
Why are you seeing all of these cookie consent banners?
* EU’s e-Privacy Directive updated in 2009 to require consent for all non-essential cookies (NOTE: e-Privacy Directive soon to be replaced by new e-Privacy Regulation).
* “Consent” now defined by reference to GDPR’s “freely given, specific, informed and unambiguous… clear affirmative action”.
* Unclear if implied consents still valid: Notice of cookies being used, but no clickthrough consent required. Probably yes, but only if cookie banner is prominent, “unambiguous” … and not buried in the Privacy Policy.
A few takeaways
* Consent not always a true “opt-in”, e.g.: “soft” opt-in.
* In order to process personal data of EU citizens, a “lawful” basis is required. Consent is one lawful basis, but not the only basis.
* Important to consider all of the personal data you collect, all of the uses and all of the third parties with whom you share.
What this presentation is not:
* Not a compliance guide.
* Speak with legal counsel about specific actions you should take.
THANK YOU FOR ATTENDING!!
WWW.JENNIFERSCHAUS.COM
QUESTIONS? CONTACT OUR SPEAKER ANDREW MIRSKY AT (202) 339-0303 AND AT ANDY@MSTREETLEGAL.COM
SERVICES FOR US FEDERAL CONTRACTORS
OFFICE: 2 0 2 – 3 6 5 – 0 5 9 8