U.S. Department of the Treasury Designates Petroleos de Venezuela, S.A. as a Specially Designated National: Issues 8 New General Licenses

On January 28, 2018, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) designated Petroleos De Venezuela, S.A. ("PDVSA") as a Specially Designated National ("SDN") pursuant to Executive Order (“E.O.”) 13850 for operating in the oil sector of the Venezuelan economy.  In addition, the definitions of “Government of Venezuela” in E.O.s 12692, 13808, 13827, and 13850 have been amended to include PDVSA. 

As a result of these actions, all PDVSA property and interests in property subject to U.S. jurisdiction are blocked, and U.S. persons are prohibited from engaging in any unlicensed transactions involving PDVSA, its property, or its property interests.  This also means that entities PDVSA owns by 50% or more, or otherwise controls, are considered blocked persons and subject to all the same restrictions as PDVSA except as otherwise noted by a general license.

The designation was accompanied by eight general licenses that authorize certain activities related to PDVSA and its subsidiaries.  Many of these authorizations are set to expire in the following months.  Generally speaking, the general license framework allows companies to maintain certain large-scale operations while preventing PDVSA from receiving U.S. funds and payments for these activities.  Secretary of the Treasury Mnuchin also announced that “[t]he path for sanctions relief for PDVSA is through the expeditious transfer of control to the Interim President or a subsequent, democratically elected government.” 

The general licenses reference several companies that are owned or controlled by PDVSA, and that are now considered blocked persons except where otherwise noted by the general licenses:

  • PDV Holding, Inc. (“PDVH”):  PDVH is a Texas-based subsidiary of PDVSA that, through its subsidiaries, operates oil refineries and oil and gas pipelines in the U.S.
  • CITGO Holding, Inc. (“CITGO”):  CITGO is a Texas-based subsidiary of PDVH that, through its subsidiaries such as CITGO Petroleum Corporation (“CITGO Petroleum”), refines, markets, and transports fuels, lubricants, petrochemicals, and industrial products.
  • Nynas AB (“NYNAS”):  NYNAS is a Swedish manufacturer of bitumen and other petrochemical-based products.  NYNAS is owned in equal parts by Neste Oil and PDVSA. 

Accordingly, CITGO Petroleum is now considered a blocked person and transactions with CITGO Petroleum are prohibited unless authorized by a general or specific license.  The eight new general licenses and pre-existing general licenses, however, create a complex framework authorizing companies to maintain, wind down, or enter into certain business with CITGO Petroleum and PDVSA, subject to various wind-down periods.  We are available to discuss the applicability of these general licenses and their conditions to a specific activity.  In the meantime, we have outlined the major wind down and other authorizations applicable to the forwarding and shipping industry below.

30-Day Wind Down Period (Authorizations Expire February 28, 2019)

  • General PDVSA Wind Down (GL 12(b)):  Companies are authorized to maintain or wind down existing business involving PDVSA and its subsidiaries, provided the underlying operations and agreements existed prior to January 28, 2019.  To the extent payments are being made to or for the direct benefit of PDVSA, however, those payments need to be transferred into appropriate blocked accounts at U.S. banks.  Companies should work with their U.S. banks to determine how to handle blocked payments.
    • The term “maintenance” includes the entrance into new contracts after January 28, 2019, as long as the new contracts are consistent with an existing business arrangement, agreement, or transaction history between the parties.

60-Day Wind Down Period (Authorizations Expire March 29, 2019)

  • U.S. Employees and Contractors (GL11(a)):  There is an extended wind-down period available for U.S. employees and contractors of non-U.S. entities located in countries other than the U.S. authorizing the maintenance or wind down of business involving PDVSA or its subsidiaries, provided the operations or agreements were in place before January 28, 2019. 
  • Rejecting U-Turn Transactions (GL 11(b)):  U.S. banks are authorized to reject, rather than block, U-Turn transactions involving PDVSA.  “U-Turn transactions” are USD funds transfers where the only nexus to the U.S. is that the USD funds pass through a U.S. bank for clearing.  To qualify as a U-Turn transaction, the remitter, remitting bank, beneficiary, and beneficiary’s bank must be non-U.S. persons located outside the U.S.  By having a transaction rejected rather than blocked, the parties have a second chance to route a payment in a manner that does not involve USD or U.S. banks.  Once this GL expires, banks will be required to block these U-Turn transfers.

90-Day Wind Down Period (Authorizations Expire April 28, 2019)

  • Importation of Petroleum from PDVSA (GLs 7(b) and 12(a)):  Companies are authorized to import petroleum and petroleum products from PDVSA and its subsidiaries.  All payments to or for the benefit of a blocked person other than CITGO Petroleum or other subsidiaries of PDVH and CITGO must be placed into a blocked account.  Accordingly, payments to and from CITGO Petroleum for PDVSA-related petroleum imports are authorized until April 28, 2019, provided the other conditions of the license are met. 

180-Day Wind Down Period (Authorizations Expire July 27, 2019)

  • Dealings with PDVH, CITGO, and NYNAS (GLs 7(a) and 13(a)): Companies are authorized to engage in transactions with CITGO Petroleum and other subsidiaries of PDVH, CITGO, and NYNAS that do not otherwise involve PDVSA.  This would include, for instance, the movement of crude oil originating from a non-PDVSA source.  All payments to or for the benefit of a blocked person other than CITGO Petroleum (and other PDVH or CITGO subsidiaries) must be placed into a blocked account.
  • Exempt Projects in Venezuela (GL 8): The following companies can engage in transactions and activities ordinarily incident and necessary to operations in Venezuela involving PDVSA and its subsidiaries.  Where one of these exempt companies is a party to the transaction, U.S. forwarders and other companies would be authorized to provide services ordinarily incident and necessary to the exempt company’s operations in Venezuela. 
    • Chevron Corporation
    • Halliburton
    • Schlumberger Limited
    • Baker Hughes, a GE Company
    • Weatherford International, Public Limited Company

Open-Ended General Licenses:

  • Purchasing Refined Petroleum Products in Venezuela (GL 10):  U.S. persons located in Venezuela can purchase refined petroleum products for personal, commercial, or humanitarian uses from PDVSA and its subsidiaries.  This authorization includes the purchase of refined petroleum products to fuel aircraft and vessels but does not include commercial transactions where petroleum products are purchased simply for resale, transfer, or export.

Please note, the general licenses may have additional conditions not mentioned below, so we recommend you review any applicable general licenses before engaging in any PDVSA-related transaction.  In particular, GLs 8 and 12 prohibit the exportation of diluents from the U.S. to Venezuela without a specific license.

For companies in the forwarding and shipping sectors, the major takeaways are the following:

  • (1) Enhanced Scrutiny:  The general licenses all have specific conditions, so any activity with PDVSA or its subsidiaries (including PDVH and CITGO) should be reviewed carefully.
  • (2) General Wind Down: Companies are authorized to wind down PDVSA-related operations and agreements until February 28, 2019, subject to certain conditions.
  • (3) Extended U.S. Employee and Contractor Wind Down:  An extended wind-down period for U.S. employees and contractors working for non-U.S. firms in third countries authorizes the wind down of PDVSA-related operations until March 28, 2019, subject to certain conditions.
  • (4) U-Turn Transactions:  Banks will begin blocking U-Turn transactions involving PDVSA on March 28, 2019, so foreign companies should develop appropriate procedures for routing authorized PDVSA-related payments outside the U.S.
  • (5) Importing Petroleum:  Companies are allowed to import petroleum from PDVSA and its subsidiaries into the U.S. until April 28, 2019, subject to certain conditions.
  • (6) PDVH/CITGO:  Companies can continue doing business with CITGO Petroleum and other PDVH or CITGO subsidiaries until July 27, 2019, provided that PDVSA is not otherwise involved in the transactions and the other conditions of the general license are met.
  • (7) U.S. Activity in Venezuela:  Companies can still purchase refined petroleum from PDVSA within Venezuela as long as the purchase is not for commercial resale, export, or transfer of the petroleum.  This authorizes purchasing refined petroleum for fueling purposes.
  • (8) Authorized Operations in Venezuela:  The five named companies in GL 8 are authorized to continue PDVSA-related operations in Venezuela until July 27, 2019.  Forwarders can provide services to these five named companies during this time if those services are ordinarily incident and necessary for the operations, as long as the applicable GL conditions are met. 
  • (9) PDVSA Payments Blocked:  Except where otherwise noted, companies should not be transferring any funds to PDVSA or its non-U.S. subsidiaries.  Companies should take care that payments to or for PDVSA are being transferred to a blocked account.

We hope this is helpful, and please do not hesitate to contact our office at 202.342.5277 or egreenberg@gkglaw.com if you have any questions.

Senator Klobuchar Introduces Legislation Placing Additional Burdens on Corporate Mergers: Possible Conflicts for Associations

Under the current Antitrust laws, large companies seeking to merge must file a Hart-Scott-Rodino Report with the Federal Trade Commission (FTC) or the Department of Justice (DOJ) describing the proposed transaction.  The respective antitrust agencies then review the information in the report and, within a given time period, must inform the parties to the transaction whether they will approve the transaction.  In many instances, the antitrust agencies and the companies involved will negotiate modifications to the proposed merger resulting in a spin-off of part of the business in a manner that will lessen the chance of harm to competition and thus, avoid litigation.

Under current law, the DOJ or FTC may sue to enjoin a proposed merger.  In such a suit, the government must show that the merger would substantially harm competition.  Senator Klobuchar, the ranking Democrat on the Senate Judiciary Committee, has proposed legislation that would reallocate the burden of proof from the government to the merger parties.  Under the proposed legislation, the companies proposing the merger would be required to prove that the transaction would not substantially lessen competition.  This legislation presents an interesting conflict for associations in industries with both large and small competitors.  Large companies, whose mergers are more likely to have a significant impact on competition, are more likely to oppose the legislation than smaller companies. Associations would be wise to alert those members who may be affected by this proposed legislation.

For further information, please contact Steve Fellman (sfellman@gkglaw.com) or David Monroe (dmonroe@gkglaw.com).

Vetting Motor Carriers

Over the past several years, there have been many examples of the need for companies acting as forwarders, NVOCCs, and customs brokers to properly vet the trucking companies they utilize in order to be assured that those companies are competent, have trained drivers and appropriate safety ratings from the Federal Motor Carrier Safety Administration, and possess adequate insurance coverage. There have been many examples of situations where persons injured have filed suit not only against the trucking company but also against the forwarder, broker or other intermediary who engaged the trucker. That is particularly the case in those situations where the trucking company does not have sufficient assets to cover the judgments that have been issued, some of which have resulted in multimillion-dollar awards.

Civil actions initiated by injured parties are not, however, the only reason why it is important to carefully review the background of trucking companies before retaining them. Among other things, there is a growing trend by various states to pass legislation that makes the parties who have engaged trucking companies responsible, financially, in situations where the trucker defaults on its obligations to its driver employees or even independent owner-operators.

For example, the State of California recently enacted a bill (SB-1402) that makes intermediaries and shippers liable to pay any judgments or assessments arising out of a trucker’s nonpayment of wages or expenses, inappropriate deductions, penalties for unpaid unemployment insurance or other judgments in favor of the drivers. This law, which just went into effect in January 2019, requires the California Division of Labor Standards Enforcement to post on its website each month a list of port drayage motor carriers who have been found to owe their drivers unpaid wages and expenses, to have failed to remit payroll taxes or pay for workmen's compensation coverage, or to have misclassified owner-operators as independent contractors rather than as employees. The legislation further provides that anyone using one of these motor carriers after its name appears in the list "shall share with the motor carrier or the motor carrier’s successor all civil legal responsibility and civil liability owed to a port drayage driver for port drayage services obtained after the date the motor carrier appeared on the list…."

The theory behind this legislation is that imposing this liability on customers of the offending motor carriers will cause them to cease using these companies and protect the rights of the drivers. This is not an insignificant issue, as drivers have been awarded more than $48 million in the past several years against the trucker. This new liability imposed by SB-1402 now provides a mechanism by which forwarders, brokers and shippers could be compelled to pay those judgments if the trucker defaults.

Another recent and related trend by various states relates to the premiums for workers compensation insurance. There have been several recent illustrations where insurers have included the payments made by forwarders to trucking companies as if the drivers were employees of the forwarder for the purpose of determining unemployment compensation premiums. In a case that is currently pending in a New Jersey state court of appeals, a trial court determined that the insurer was entitled to demand of its insured forwarder information pertaining to all of the compensation paid to its underlying truckers. The forwarder had challenged this demand on the basis that the trucking companies were independent contractors, each of whom was separately liable to comply with state law requiring unemployment insurance coverage, and that the forwarder should not be liable to cover those costs. The case is entitled Fournier Trucking, Inc. v. New Jersey Manufacturer’s Insurance Company (Sup. Ct. NJ, Dkt. No. BER-L-2953-16). Although the court has not yet decided whether the forwarder is responsible for all of those premiums, the insurance carrier will now undoubtedly make that demand. Consequently, the litigation of the forwarder’s potential responsibility for covering unpaid insurance compensation premiums is going to remain an issue of growing concern.

These examples illustrate the importance of making sure that motor carriers, whether large or single owner-operators, have been vetted carefully, that they have all the necessary operating licenses, satisfactory safety records, and all required insurances. Otherwise, there is a significant risk that those costs could be passed along to the forwarder, broker or other intermediary.

There are a number of companies that provide this vetting service. One notable example is Ex Works, which provides this service free of charge for members of the National Customs Brokers and Forwarders Association of America, Inc. Regardless of which vendor is chosen, however, any cost that may be incurred in reviewing the background of the trucking companies utilized pales in comparison to the risk of not doing so.

If you have any questions, please contact us at 202.342.5277 or egreenberg@gkglaw.com.

SCOTUS Decision in Wayfair Prompts States to Enact Similar Sales Tax Laws

On June 21, 2018, the Supreme Court of the United States issued its decision in South Dakota v. Wayfair, Inc., 138 S.Ct. 2080 (2018).  The Wayfair decision is very significant in that it overturns the longstanding precedent that historically prohibited any state from requiring out-of-state businesses to collect sales or use taxes on sales of products shipped into the state for use within the state.  Put more simply, depending on the volume of sales within a specific state, the Wayfair decision allows states to require out-of-state sellers to collect and remit sales taxes on sales of products or services to be provided within the state.

Background: Prior Law and the Wayfair Decision

Prior to the Wayfair decision, the Supreme Court had interpreted the Commerce Clause to limit the ability of states to tax, or require the collection of taxes by, entities without a physical presence within the state attempting to levy the tax.  Specifically, the Court had ruled that a state could not require an out-of-state seller to collect and remit sales and use taxes unless the seller had a physical presence within the state.  See National Bellas Hess, Inc. v. Department of Revenue of Ill., 386 U.S. 753 (1967); and Quill Corp. v. North Dakota, 504 U.S. 298 (1992).  For example, prior to the Wayfair decision, a business that sold products nationwide on the internet could not be required to collect the South Dakota sales or use taxes on sales that were shipped into the state of South Dakota unless the company had an actual physical presence within South Dakota.

Due to the growth of the internet and the economy’s move towards greater online sales, states were unable to collect any amount of taxes on sales to individuals within their borders, resulting in a substantial amount of lost revenue.  The Court noted that the prior interpretation of the law caused states to lose up to $32 billion in tax revenue each year and that the state of South Dakota alone lost between $48 and $58 million annually.  Concern about the lost revenue caused the State of South Dakota to declare an economic emergency and pass a law which required out-of-state sellers to collect and remit the South Dakota sales tax on sales to individuals within the state if: (1) the seller, on an annual basis, either delivers more than $100,000 of goods or services into the state or engages in more than 200 separate transactions for the delivery of goods into the state; and (2) the Supreme Court clearly establishes the constitutionality of the law.

Recognizing the shifting economy and the significant financial impact on the states, the Court overturned its rulings in Bellas Hess and Quill and ruled that a South Dakota law that required the collection and remittance of the state’s sales and use tax by sellers who delivered more than $100,000 of goods or services into the state or engaged in more than 200 separate transactions for the delivery of goods or services into the state was permissible under the Commerce Clause because the tax was only levied against sellers with a substantial nexus to South Dakota.

The Impact of the Wayfair Decision

The obvious impact of the Wayfair decision is that out-of-state sellers of goods and services in South Dakota may be required to collect the South Dakota sales and use tax.  Beyond that obvious impact, many other states have enacted laws requiring out-of-state sellers to collect and remit sales and use taxes, possibly requiring all businesses with virtual storefronts to do so.  It should be noted, though, that such requirements will not directly increase the amount of taxes actually paid by such out-of-state entities because the entities will only be required to remit the amount of taxes that they should have collected from consumers at the time of the sales transaction.  However, requiring businesses to collect sales and use taxes may adversely affect sales by increasing the effective price that consumers are required to pay for certain products or services.

Although the Wayfair decision is limited to the parameters of the South Dakota sales tax law, since the Supreme Court’s decision, many states have enacted similar laws.  As of February 1, 2019, in addition to South Dakota, 32 states and the District of Columbia have enacted laws requiring remote sellers to collect sales tax.  As demonstrated by the table below, the majority of states have enacted acts that are similar to the South Dakota law as approved by the Supreme Court, and several states have enacted variations of the South Dakota law.

| The Annual Threshold Transaction Amounts Requiring the Collection and Remittance of Sales or Use Taxes by Out-of-State Sellers | Types of Transactions Included in the Threshold Test | States Establishing this Requirement as of February 1, 2019 |
| --- | --- | --- |
| Either more than $100,000 in sales OR at least 200 separate transactions | Only sales of tangible personal property are included in determining if the threshold is met. | HI, IL, IN, IA, KY, LA, ME, MD, MI, NC, ND, SD, RI, UT, VT, and WV |
| Either more than $100,000 in sales OR at least 200 separate transactions | Both the sale of tangible personal property and the sale of services are included in determining if the threshold is met. | CO, DC, WI, and WY |
| Either more than $100,000 in sales OR at least 200 separate transactions | The sale of tangible personal property, the sale of electric or digital products and services, and the sale of services are all included in determining if the threshold is met. | NJ and SD |
| Either more than $100,000 in sales OR at least 200 separate transactions | Both the retail sale of tangible personal property and the retail sale of services are included in determining if the threshold is met. | WA |
| Either more than $100,000 in sales OR at least 200 separate transactions | Only sales of tangible personal property are included in determining if the threshold is met. | NE |
| Either more than $250,000 in sales OR at least 200 separate transactions | Only sales of tangible personal property are included in determining if the threshold is met. | CT |
| Either more than $250,000 in sales OR at least 200 separate transactions | Both the sale of tangible personal property and the sale of services are included in determining if the threshold is met. | GA |
| Either more than $250,000 in sales AND at least one other activity described in the state law (ex., advertising on cable television) conducted within the state | Only sales of tangible personal property are included in determining if the threshold is met. | AL |
| Both more than $300,000 in sales AND at least 100 separate transactions | Only sales of tangible personal property are included in determining if the threshold is met. | NY |
| Both more than $500,000 in sales AND at least 100 separate transactions | Only sales of tangible personal property are included in determining if the threshold is met. | MA |
| More than $250,000 in sales | Only sales of tangible personal property are included in determining if the threshold is met. | MS |
| More than $100,000 in sales | Only sales of tangible personal property are included in determining if the threshold is met. | SC |
| More than $10,000 in sales | Only sales of tangible personal property are included in determining if the threshold is met. | OK |
| Engages in the regular solicitation of sales, and, either: (1) has 10 or more sales totaling more than $100,000 within the state, or (2) has 100 or more retail sales transactions within the state | Only retail sales of tangible personal property are included in determining if the threshold is met. | MN |
| More than $10,000 in total sales and the seller has an agreement with an in-state retailer to refer potential customers to the out-of-state seller for a commission | Only retail sales of tangible personal property are included in determining if the threshold is met. | ID |

Wayfair’s Impact on Tax-Exempt Associations

The primary ways in which Wayfair will affect exempt organizations relate to the requirement to collect and remit sales taxes on online sales and to pay sales tax on online purchases.  As such, exempt organizations need to: (1) identify the states in which they engage in the sale of products and services; (2) determine whether any such state requires the collection of sales or use tax for the sale of such products or services; (3) determine whether the organization’s sales within each state meet the threshold for collecting and remitting the state’s sales and use taxes; (4) determine whether the state exempts tax-exempt organizations from the collection or remittance of such taxes; and (5) apply for such exemption where applicable.

GDPR Basics for U.S.-based Organizations

The European Union’s (“EU’s”) General Data Protection Regulation (“GDPR”) came into effect on May 25, 2018, imposing a new regulatory regime on companies that process, collect, and/or share personal data.  The GDPR also provides EU Member States’ data protection authorities with long-arm jurisdiction over many non-EU companies that process data about individuals located in the EU.  While the GDPR largely builds upon the foundation of its precursor, Directive 95/46/EC (the “Directive”), the expanded scope of the law means that many non-EU companies are being quickly introduced to the EU’s deferential treatment of data privacy as a fundamental right.  Accordingly, under the GDPR, individuals are given data privacy rights that may be unfamiliar to U.S. companies.  In addition, the GDPR imposes new data privacy obligations and risk management frameworks on companies within its scope.  Compared to U.S. law, many of the terms and concepts in the GDPR also have broader scope, covering more types of data and processing.

Global companies like Microsoft, Google and Facebook, which are heavily involved in data processing, have been watching and adapting their policies to the new GDPR standards.  In the age of the internet, however, most organizations, non-profits, and traditional businesses are regularly involved in the processing of personal data in day-to-day activities, such as processing payments, providing individuals with registered accounts on websites, storing contact lists, and sending out marketing or promotional materials.  All of these activities involve some level of personal data processing and, where the GDPR applies, organizations may be subject to new rules and standards on everything from their technical data security measures and customer service to their contractual arrangements with vendors, privacy policies, and marketing activities.

What Exactly Is the GDPR?

The GDPR is an EU Regulation issued by the EU Commission.  This means that the regulation is immediately applicable across the EU on its effective date (May 25, 2018).  EU Member States have the option of creating additional national laws and regulations to support or fill in the blanks in the GDPR.  The national rules, however, must be consistent with the GDPR.

Under the Directive, which was passed in 2010, EU Member States each created one or more national data protection authorities (“Supervisory Authorities”) responsible for administering, interpreting, and enforcing national rules on data protection.  The GDPR piggy-backs on this system, using these same Supervisory Authorities to administer and enforce the GDPR across EU territory.

A Supervisory Authority can exercise its investigative, corrective, advisory, and enforcement powers over organizations if it believes the organization or its processing activities fall under the GDPR.  This can include the initiation of legal proceedings against U.S. organizations in EU courts.

Does the GDPR Apply to My Organization? 

Determining whether the GDPR applies to your organization is not a cut and dried issue.  There are two tests for determining whether an organization falls within the scope of the GDPR, and both definitions are based on vague regulatory language without much substantive interpretation by authoritative agencies or courts.  While there are still some gray areas, EU courts have consistently favored long-arm jurisdiction for EU data privacy laws.  Accordingly, it is important to evaluate the applicability of the GDPR to your organization and assess the risks of any operations in gray areas.

What Are the Penalties for Violating the GDPR?

In order to incentivize the protection of EU residents’ rights through compliance with the GDPR, the EU has adopted a hefty penalty structure for violations.  The Supervisory Authorities are granted broad powers for ordering organizations to stop, change, or continue their data processing activities.  In addition, Supervisory Authorities have the power to issue administrative fines. 

The most egregious instances of noncompliance can be penalized with fines of up to €20 million or four percent of an organization’s annual gross revenue, whichever is higher.  For less egregious violations, administrative fines can be as high as €10 million or two percent of an organization’s annual gross revenue, whichever is higher.

Contacting Counsel for a GDPR Evaluation

Given the broad scope and serious penalties under the GDPR, it is important for companies to evaluate the applicability of the GDPR to their activities.  At GKG Law, we have helped numerous organizations conduct reviews to determine how the GDPR may apply to them and the appropriate steps to become compliant.  If you have any questions, please contact Oliver Krischik at 202.342.5266 or okrischik@gkglaw.com.

Is My Organization Subject to the GDPR?

On May 25, 2018, the European Union’s (“EU’s”) General Data Protection Regulation (“GDPR”) went into effect, imposing new prohibitions, standards, and risk management guidelines on how companies can collect, process, transfer, and share personal data.  For U.S. associations, the most notable aspect of the GDPR was the expanded, (extra)territorial scope – companies outside the EU can now be subject to GDPR fines as high as €20 million or four percent of annual gross income, whichever is higher. 

The GDPR’s scope is broadly defined, and while some authoritative interpretations may serve as fenceposts, EU supervisory authorities that administer and enforce data protection regulations have not yet provided clear guidance on how U.S. companies may fall under EU jurisdiction.  Nonetheless, given the significant penalties, the numerous EU regulating bodies tasked solely with data protection under the new law, and the ability for individuals to lodge complaints with regulators or bring private actions against violators, it is important for U.S. organizations to understand if and how the GDPR may apply to their activities.

Territorial Scope

There are two tests to determine if the scope of the GDPR directly applies to your organization’s data processing activities:

If your organization meets either of the two tests above, then the GDPR would apply to those processing activities that are in the context of the establishment’s activities (Establishment Test) or that involve the personal data of data subjects located in the EU (Targeting Test).

Contractual Scope

Even if your organization does not directly fall within the territorial scope, it may nonetheless find itself receiving contractual agreements from partners requiring GDPR compliance.  This may occur in a number of circumstances, including, for example:

  • (1) If your organization is a data processor that performs operations on sets of data on behalf of other companies or individuals, the data controller (i.e., the organization that determines the purposes and means of processing) itself may fall under the GDPR.  The data controller would be required to ensure that its data processors conduct themselves in full compliance with the GDPR.
  • (2) If one of your organization’s partners falls under the GDPR, and both your organization and its partner jointly determine the purpose and means of processing, then the partner would be deemed a “joint controller” alongside your organization under the GDPR.  Accordingly, the GDPR would require the partner to clearly allocate data protection responsibilities with your organization by means of an arrangement.  The most common vehicle for this arrangement would be a contractual agreement.
  • (3) If one of your organization’s partners is contractually required to comply with the GDPR, one of the provisions may require the partner to ensure that other organizations (like yours) that have access to a shared pool of data also abide by the GDPR.
  • (4) If one of your organization’s processors anticipates that some of its customers may fall within the scope of the GDPR, the processor may require all of its customers to agree to a Data Protection Addendum or other contractual agreement requiring GDPR compliance.

In some cases, your organization may be able to negotiate or work with partners to limit unnecessary contractual obligations for GDPR compliance.  In other cases, your organization may be able to find different vendors or processors that also fall outside of the GDPR.  This is not always possible, and if one of your partners, vendors, or processors believes it falls under the GDPR, it may be important to evaluate the applicability of the GDPR to your own organization’s activities.

I Think My Company Falls Under the GDPR: What’s Next?

The GDPR imposes a number of new rules related to data security, disclosures to data subjects, handling requests by data subjects, risk management, disclosing breaches, and contractual arrangements with processors.  Depending on the scale of your data processing activities and the amount of EU data you handle, it may be possible to employ a narrowly-tailored compliance approach. 

At the moment, EU data protection agencies have received numerous complaints and tips about GDPR noncompliance, and private actors have filed private actions against companies they believe are noncompliant.  It will take some time before we understand how the EU intends to enforce the GDPR against U.S. companies.  On January 21, 2018, in the first major GDPR-related enforcement action against a U.S. company, France's data protection agency fined Google, Inc. approximately $57 million for GDPR violations.  While the first major enforcement actions work their way through EU courts, we recommend that you contact counsel to review the applicability of the GDPR to your activities and, if you have GDPR exposure, to help your organization come into compliance.

If you have any questions regarding GDPR compliance, please feel free to contact Oliver Krischik at (202) 342-5266 or okrischik@gkglaw.com.

And So It Begins: France Fines Google $57 Million for Violating GDPR

On January 21, 2019, France’s data privacy agency, the National Data Protection Commission (CNIL), announced that it was issuing a €50 million fine against Google, Inc. for violating the new EU General Data Protection Regulation (GDPR).  This is the first enforcement action under the new penalty ranges of the GDPR and the first GDPR enforcement action against a U.S.-based company.  It signals a shift to a new phase of GDPR enforcement.  Since the GDPR came into effect on May 25, 2018, data protection agencies in EU member states have been flooded with complaints and have been investigating possible violations and data breaches by companies that fall within the GDPR’s expansive jurisdiction.  This enforcement action, which targets deficiencies in how a U.S. company has complied with the GDPR, helps to explain the investigative methods and enforcement calculus of EU data protection agencies.

Of course, Google plans to appeal the fine before the Council of State, the top administrative court in France.  The appeal decision will likely provide further insight into how U.S. companies should address GDPR concerns.

The Violations

Specifically, CNIL claims that Google violated the GDPR in the following ways:

  • (1) Transparency and Information Disclosure Violations
    • Information on how Google users’ data is collected and processed was not easily accessible to users, sometimes requiring a user to click five or six links before arriving at the relevant portion of Google’s privacy policies.
    • The information did not clearly communicate the extent of processing operations carried out by Google on users’ data or the lawful bases for certain processing activities.
    • The information was not sufficiently comprehensive, and often relied on generic and vague descriptions of the data processing activities.  Some information, such as the amount of time that data would be retained, was simply not provided for some data.
  • (2) Consent Violations
    • Google failed to obtain sufficiently informed consent from its users to process data for the personalization of advertisements.
    • The “consent” check-box for ad personalization was pre-ticked, meaning that users needed to opt-out of this setting.
    • Google required users to “bundle” their consent by agreeing either to all or none of Google’s data processing activities, instead of requesting specific consent for each set of data operations.

This enforcement action resulted from an investigation by CNIL into how Google obtains consent, discloses information, and then collects and processes data with respect to the creation of a Google account when configuring a mobile phone using Android.  Accordingly, CNIL and other regulatory bodies may still have room to investigate and pursue actions against Google for other GDPR violations related to various other Google services and products.  As more information becomes public, we will provide additional updates regarding CNIL’s Google decision and any other enforcement actions that may implicate GDPR compliance issues for U.S.-based associations.

The Jurisdictional Issue

It is important to remember that while the GDPR is an EU-wide regulation, it is administered, enforced, and regulated at the member state level.  Accordingly, each member state has one (or more) data protection agencies, called “supervisory authorities.”  The GDPR envisaged scenarios where particular GDPR violations may impact individuals across member state borders, and set forth procedures for determining a “lead” supervisory authority that would coordinate investigations and allegations regarding cross-border processing by any non-compliant controller or processor. 

As relevant here, Article 56(a) of the GDPR states that “the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor.”  Article 60 of the GDPR contains the specific procedures for the lead supervisory authority to coordinate investigations and enforcement actions between various member state agencies.  These procedures include some controls to ensure that agencies act in a unified and consistent manner with their investigations and enforcement actions.

Importantly, in this case, Google, Inc. has an entity located in the EU, in Ireland.  However, to qualify as “the main establishment” under the GDPR, the establishment must have some decision-making power or relation to the processing activities at issue.  Here, Google’s Ireland entity did not have decision-making power for the processing operations involved with setting up a Google account on a new mobile phone.  Accordingly, CNIL, and other member state authorities, were authorized to pursue their investigations and enforcement actions against Google’s U.S. headquarters independently of one another with no “lead” supervisory authority coordination.

This procedural curiosity may detract further from any predictability when it comes to GDPR investigations and enforcement actions.  Even if a U.S. company falls within the GDPR because of an existing EU establishment (e.g., an affiliate, subsidiary, or local agent) in one member state – the U.S. company may be targeted by various independent investigations and penalties from separate member states with no coordination or consistency.  On the one hand, this may result in a U.S. company responding to multiple redundant investigations all at once, elevating already expected high costs, and receiving numerous inconsistent enforcement actions.  On the other hand, it may mitigate the possibility that member states all pile on every time an investigation is initiated by a lead authority.

The Lessons

CNIL’s list of Google’s violations in this case provides some insight on how to interpret the GDPR’s rules.

Make Sure the Information in Your Privacy Policies is Accessible, Clear, and Complete

Ever since the GDPR was ratified, experts have warned about the difficulty in reconciling the obligations for (1) clear and concise communication and (2) comprehensive disclosure.  According to CNIL, Google failed on both counts.

First, CNIL found that the descriptions of the data were too vague and generic.  CNIL took particular issue with the fact that Google did not clarify that data processing for ad personalization purposes was based on user consent rather than any legitimate interest of the company.  And, in some cases, CNIL noted that Google failed to provide the relevant information altogether.  Specifically, CNIL observed that Google did not provide a retention period for some data.

Second, CNIL notes that Google failed to clearly and concisely communicate information on how it processes, collects, and retains data.  Indeed, CNIL states that “the general structure of the information chosen by [Google] does not . . . comply with the regulation.”  CNIL found that users had to click too many links in the Privacy Policy to access relevant information, sometimes requiring 5 or 6 clicks.  Rather than being comprehensive and user-friendly, CNIL found that this approach made relevant information “not easily accessible.”

These complaints underscore the importance of drafting Privacy Policies to communicate the required information in a clear and concise manner.  They also suggest that splitting the policy into bite-size webpages or segments or using vague, oversimplified language may be more harmful than helpful.

The lessons so far from the Google case for Privacy Policy drafting are:

  • (1) Make Sure Users Can Easily Find Information
    • Use clear headlines
    • Do not split up information into too many “bite-size” pieces
    • Do not make the user click too many “learn more” or “more information” links
    • If your policy is long – consider a table of contents
  • (2) Do Not Use Vague and Generic Terms
    • Be clear on why and how data is collected and used
  • (3) Include Information on the Applicable Retention Period for Collected Data

Do Not Bundle Consent or Use Pre-Ticked (Opt-Out) Boxes

CNIL’s second set of complaints against Google concerned how Google obtained consent from its users. 

First, CNIL accused Google of essentially integrating “pre-ticked” boxes of consents into the Settings and More Options menus.  As a result, users need to review their settings and advanced options in order to clarify that they do not consent to certain ad personalization processing operations.  According to CNIL, this means that users’ consent is not sufficiently informed. 

Second, CNIL observed that Google bundled user consent to the Privacy Policy in one pre-ticked box stating “I agree to the processing of my information as described above and further explained in the Privacy Policy.” 

Companies must ensure that they obtain separate consent for each set of processing operations that require consent under the GDPR.  See Article 7, GDPR.  Additionally, the GDPR’s high standard for consent requires that the consent be unambiguous and affirmative.  For this reason, “pre-ticked” consent boxes are treated as a per se violation of the GDPR.  These are fundamental rules under the GDPR, so CNIL’s second set of accusations is no surprise.

The issue of handling consent in settings or options configurations, however, highlights the importance of “Privacy-by-Design.”  Many features that were previously conceived of as settings or options may now be privacy decisions that need to be made by the user up-front.  Accordingly, applications and systems need to restructure the placement, defaults, and accessibility for settings and options that deal with how personal data is collected, used, or retained.

The lessons so far from the Google case regarding consent issues are:

  • (1) Do Not Bundle Consents
  • (2) Do Not Use “Pre-Ticked” Boxes
  • (3) Make Sure Consent Issues Are Addressed Up-Front, not in Settings and More Options Menus

Conclusion

CNIL’s observations here were not surprising.  Nonetheless, the fact that CNIL independently issued a €50 million fine against Google demonstrates that supervisory authorities, at least in France, are willing to penalize U.S. companies for GDPR violations.  We will be watching the Google appeal process closely, and in the meantime, we will report on situations where supervisory authorities begin to fine U.S. companies for unclear privacy policies and pre-ticked or bundled consent boxes.


France Fines Google $57 Million for Violating GDPR

On January 21, 2019, France’s data privacy agency, the National Data Protection Commission (CNIL), announced that it was issuing a €50 million fine against Google, Inc. for violating the new EU General Data Protection Regulation (GDPR).  This is the first major enforcement action under the GDPR and the first enforcement action against a U.S.-based company.  This signals a shift to a new phase of GDPR enforcement.  Since the GDPR came into effect on May 25, 2018, data protection agencies in EU member states have been flooded with complaints and have been investigating possible violations and data breaches by companies that fall within the GDPR’s expansive jurisdiction.  This enforcement action, which targets deficiencies in how a U.S. company has complied with the GDPR, helps to explain the investigative methods and enforcement calculus of EU data protection agencies.

Specifically, CNIL claims that Google violated the GDPR in the following ways:

  • (1) Transparency and Information Disclosure Violations
    • Information on how Google users’ data is collected and processed was not easily accessible to users, sometimes requiring a user to click five or six links before arriving at the relevant portion of Google’s privacy policies.
    • The information did not clearly communicate the extent of processing operations carried out by Google on users’ data or the lawful bases for certain processing activities.
    • The information was not sufficiently comprehensive, and often relied on generic and vague descriptions of the data processing activities.  Some information, such as the amount of time that data would be retained, was simply not provided for some data.
  • (2) Consent Violations
    • Google failed to obtain sufficiently informed consent from its users to process data for the personalization of advertisements.
    • The “consent” check-box for ad personalization was pre-ticked, meaning that users needed to opt-out of this setting.
    • Google required users to “bundle” their consent by agreeing either to all or none of Google’s data processing activities, instead of requesting specific consent for each set of data operations.

This enforcement action resulted from an investigation by CNIL into how Google obtains consent, discloses information, and then collects and processes data with respect to the creation of a Google account when configuring a mobile phone using Android.  Accordingly, CNIL and other regulatory bodies may still have room to investigate and pursue actions against Google for other GDPR violations related to various other Google services and products.  We will provide additional updates in the near future regarding CNIL’s Google decision and any other enforcement actions that may implicate GDPR compliance issues for U.S.-based associations.


GKG Law’s Katie Meyer Discusses Harassment in the Workplace on ABC’s CredCast Podcast

The American Board for Certification in Orthotics, Prosthetics & Pedorthics interviewed GKG Law's Katie Meyer on the critical topic of workplace harassment for their podcast series "CredCast." You can listen to Katie's episode "Harassment in the Workplace" here

Options for Allowing Third Parties to Use Your Aircraft: Income Tax, Excise Tax and Sales Tax Considerations

On Tuesday, January 15, 2019, GKG Law's Keith Swirsky led a detailed webinar on the topic “Options for Allowing Third Parties to Use Your Aircraft: Income Tax, Excise Tax and Sales Tax Considerations." The webinar provided an overview of (i) options available in connection with allowing affiliated persons and unaffiliated third parties to utilize a business aircraft including Part 135 aircraft charter, aircraft time sharing and interchange arrangements under Part 91.501, and aircraft dry leases under FAR Part 91, with a discussion of specific income tax, excise tax and state sales tax considerations of such arrangements and (ii) liability and risk management issues relating to such arrangements.

Full audio of the webinar can be accessed here: https://register.gotowebinar.com/recording/7270530930454136833.
