One of the most familiar aspects of how Coronavirus (COVID-19) has changed the economy is the widespread application of work-from-home protocols (WFH). WFH has allowed businesses to maintain operations by enabling employees to perform their duties remotely. Remote operations often involve employers providing a virtual private network (VPN) that allows employees to connect to their employers’ internal networks from home devices.
When navigating to websites through a VPN, site visitors will generally appear to be working from the location of the VPN servers. This can cause compliance issues when the individuals utilizing a VPN are residents of California, the European Union, or other jurisdictions with laws governing the protection or use of their citizens’ personal information.
In the past several years, many jurisdictions have enacted detailed regulatory schemes intended to protect the personal information of their citizens. Most prominent among these are the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in the State of California. Among other obligations, these laws require that companies which collect and use individuals’ personal information comply with detailed safeguards to protect such information, disclose the types and uses of information collected (including any sale of personal information), and provide certain opt-out rights to individuals whose information is being collected and processed.
In order to comply with privacy regulations such as GDPR and CCPA, many website operators display different information or URLs to visitors depending on the location of the visitors. Website operators direct visitors to the appropriate information by determining the geolocation of each visitor through the IP address of the device the individual is using to access the internet. However, when using a VPN, the visitor will appear to be accessing the site from the location of the VPN servers. This means that an employee located in California may appear to be accessing a website or application from another geographic location. (This is why employees located, for example, in Los Angeles may see the weather for New York when they log into their computer and visit a website that reports the “local” weather.) Accordingly, the California resident may not (i) be shown the version of the website displaying the privacy information mandated by CCPA, or (ii) have their personal information sorted into the website operator’s silo of user information processed and retained under the requirements of CCPA. Note that this concern is applicable in a WFH setting, as well as in a multi-office environment where a wide area network (WAN) may cause the IP addresses of devices in the firm’s satellite offices to appear as though they are located in the same city as the primary office or central servers.
The penalties for noncompliance with CCPA and GDPR can be severe. Both regimes impose significant statutory fines, even for unintentional violations, as well as private rights of action for affected individuals. Under GDPR, member states of the European Union are also allowed to add criminal penalties for violations. More information on the requirements and penalties under CCPA and GDPR can be found here.
Remote work environments create substantial risks for entities covered by CCPA and GDPR. If you think your company may be impacted by the foregoing considerations, the following activities may be useful for assessing and mitigating risk that can arise from incorrect processing of personal information relating to individuals protected by CCPA, GDPR and similar privacy regulations.
In summary, it is important for businesses that may be subject to CCPA and GDPR to take additional steps now in order to mitigate their risk of suffering negative impacts from the coronavirus and from the ongoing risks associated with the use of VPNs for remote work. For more information about recommended steps, please contact your Foley relationship partner.