2 minute read
The Impact of Data Privacy Legislation on Licensing
By: Gregory J. Battersby
The General Data Protection Regulation (GDPR) is an EU regulation on data protection and privacy for all individuals within the European Union and the European Economic Area.
It was approved by the EU Parliament in 2016 and enforced on May 25, 2018. Organizations that are not compliant with its terms can face heavy fines of up to €10 million, or, in the case of an undertaking, up to 2% of its entire global turnover of the preceding fiscal year.
The primary aim of the GDPR is to give individuals control over their personal data. It contains provisions and requirements pertaining to the processing of personal data of individuals (“data subjects”) such as names and surnames; home address; e-mail address; identification card number; location data (i.e., the location data from a mobile phone); cookie ID; IP address; data held by a hospital or doctor; advertising identifiers.
Other countries and states have adopted similar legislation. While the United States has not yet adopted a national law, many states, most notably, California, have enacted their own data privacy laws, e.g., the California Consumer Privacy Act (CCPA). Violators of the CCPA are subject to civil penalties of $2,500 for each violation or $7,500 for each intentional violation after notice and a 30-day opportunity to cure have been provided. Other states, such as Connecticut, Colorado, Utah, and Virginia, have adopted their own versions of data privacy legislation.
A bipartisan draft bill (the “American Data Privacy and Protection Act”) is currently pending in Congress in 2022.
What impact does this legislation have on licensing?
Such direct to consumer licensees should protect themselves by ensuring that they are in full compliance with such legislation. Additionally, they should strongly consider obtaining and maintaining cyber liability insurance to protect themselves in the event of a breach.
Most of the major insurance carriers now offer cyber liability insurance, typically as part of a company’s commercial liability insurance package. It is intended to protect a company’s business from risks associated with its e-business, the Internet, networks, and other similar assets.
Risks that are typically covered include privacy violations, intellectual property infringement, or the transmission of a virus passed to other parties via the Web. Cyber liability coverage also offers protection for Internet communications exposures. It can also cover a) both online and offline services; b) security breaches, mistakes, and unauthorized employee acts, including virus attacks, hacking, identity theft or private information loss, and infringing or disparaging content; c) network information enterprise-wide, not just information on websites; and d) theft of others’ trade secrets and proprietary or confidential information from the insured.
Licensors who grant licensees these types of direct to consumer licenses similarly need to protect themselves in the same manner as they protect themselves from product liability actions.
Unfortunately, liability can arguably also extend to their licensors under the same theory that applies to product liability cases—the requirement that the licensee is subject to a quality control provision of the license agreement.
25
Poplar Plains Rd. Westport, CT 06880
(203) 454-9646 gjbattersby@gbiplaw.com
www.gbiplaw.com
The answer is little or none for those manufacturers/licensees who sell to retailers and distributors. That’s not the case, however, for those licensees (and their licensors) who engage in direct sales, particularly on-line sales because they actively obtain and maintain the type of personal information that falls under the above-described privacy legislation.
Such liability has not, as of yet, been established, but nevertheless, prudent licensors have taken steps to protect themselves from potential claims by: a) broadening the indemnity obligation of the such licensees to include claims based on violations of the data privacy laws; and b) requiring the licensee to maintain cyber liability insurance and adding the licensor (and agent, if applicable) as a named insured under the policy.
