
GDPR Applicability to U.S. Merchants, Processors and Acquirers

2 Jan

The EU General Data Protection Regulation (GDPR) was adopted in 2016 and went into effect on May 25, 2018. The GDPR is a framework regulation designed to provide a uniform regime to protect the privacy of an individual in the European Union (“data subject”) whose personal data is collected, stored, or processed.

At first glance, there would seem to be no need for a merchant, processor, or acquirer operating in the United States to worry about the GDPR. But the GDPR provides for extra-territorial jurisdiction beyond the EU. There can be significant obligations and penalties imposed on U.S. entities that fail to fully comply with the GDPR if they collect, store, or process personal data of a data subject.

The GDPR is extremely broad in scope. Accepting or processing payments may be classified as the collection and processing of personal data under the GDPR. As such, any company involved in processing payments from consumers should take steps to determine whether it or any of its business partners is collecting, storing, or processing personal information of a data subject.

The good news is that in order for the GDPR to apply to a U.S. entity, there must be an intent to market to an EU resident.

In-person transactions occurring in the U.S. that involve EU residents visiting the U.S. are unlikely to involve the GDPR. However, the application of the GDPR to online activity can be much more treacherous. For example, if a merchant sells goods or services online and markets to residents of the EU (as opposed to merely allowing purchases from residents of the EU), then the GDPR is likely to apply. Similarly, if a merchant maintains a website in the language of an EU country, it is more likely that the GDPR could apply to those online commerce activities. And, since the merchant could be collecting personal data of a data subject, all of the participants in the chain that process or assist with processing a payment transaction could be unintentionally subject to the GDPR.

So, what are some important questions to pose regarding your operations?

If you are a merchant:

  • Do you market to countries in the EU?
  • Do you maintain your website in alternate languages?
  • Do you accept currencies such as the Euro for purchases?
  • Do you allow EU residents to participate in your loyalty and awards programs?

If you are a processor or acquirer:

  • Do you monitor the online activities of your merchants? If so, do any of your merchants answer “yes” to the above questions?
  • Have you updated your merchant agreements to address GDPR concerns?

Merchants answering “yes” to any of the questions above should seek legal guidance to determine if and to what extent the GDPR may apply to them.

Processors or acquirers that do not monitor the online activities of merchants or that have not updated merchant agreements would be well advised to consult with knowledgeable counsel to ensure that they are not unintentionally subject to the GDPR through the activities of their merchant portfolios.

– Holli Targan, Nicole Meisner, and Daniel Ungar,
Attorneys, Jaffe, Raitt, Heuer & Weiss, P.C.

The above is intended as general information only and should not be construed as legal advice or as creating or soliciting an attorney-client relationship. You should consult your attorney for guidance with respect to any particular issue or legal inquiry.

The California Consumer Privacy Act

15 Oct

Following closely on the heels of the EU’s General Data Protection Regulation (GDPR), California recently enacted its own consumer privacy law called the California Consumer Privacy Act of 2018 (CCPA).

The law, which requires protection of personal information of California residents, was passed in June and then amended in late September. Merchants and payment processors will be affected by the CCPA, even those that are not based in California. Businesses will need to think closely about what types of data they collect and how they store and transmit such data. They will also need to establish processes for dealing with consumer requests.

Below are some key provisions:

  1. The law protects the personal information of consumers, defined as natural persons who are residents of California.
  2. It gives consumers the right to know what types of personal information are being collected, and whether personal information is sold or disclosed and to whom.
  3. It authorizes consumers to opt out of the sale of personal information to third parties.
  4. It allows a consumer to request a copy of the specific pieces of information collected and an explanation of the business purposes for which they are used.
  5. It gives consumers the right to request the deletion of personal information collected.
  6. It requires businesses to provide equal service and pricing with respect to privacy, which means a business cannot charge a different price to a consumer who opts out.
  7. For individuals under 16, the CCPA requires an opt-in regime rather than opt-out. So the sale of such an individual’s personal information would require affirmative consent.
  8. The law applies to companies that conduct business in California, collect consumer personal information, and satisfy the following:
    1. Annual gross revenue exceeds $25 million; or
    2. Buys, sells, or shares/receives for commercial purposes (alone or in combination) the personal information of 50,000 or more consumers, households, or devices; or
    3. Derives 50% or more of annual revenue from selling consumer personal information.
  9. The law becomes effective on July 1, 2020.

Personal information is defined broadly, encompassing many types of personal, professional, educational, and commercial information, biometric and geolocation data, as well as any inferences drawn from such information to create a consumer profile “reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”

The law also introduces a private right of action against businesses in certain circumstances involving unauthorized access, theft, or disclosure of personal information that is stored in nonredacted or nonencrypted form.

Merchants and payment processors would be well advised to examine the law, determine its effect on their operations, and prepare well ahead of the effective date in 2020.

— Daniel Ungar and Nicole Meisner, Attorneys, Jaffe, Raitt, Heuer & Weiss, P.C.

The above is intended as general information only and should not be construed as legal advice or as creating or soliciting an attorney-client relationship. You should consult your own attorney for guidance with respect to any particular issue or problem.

Daniel Ungar

Daniel M. Ungar is a member of the firm's Electronic Payments Group and Privacy and Data Security Group. Daniel, a former patent examiner in the areas of crypto- and cybersecurity, holds an advanced computer science degree from Johns Hopkins University and a J.D. from Harvard Law School.