The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted and plaintiff-friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).
To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.
Q. Can a supervisory authority bring an enforcement action for a violation of the ePrivacy Directive?
It depends on which Member State is involved.
The European Data Protection Board has stated that when the ePrivacy Directive imparts a specific rule – such as an obligation to collect the consent of an online user before placing, or accessing, cookies, or the obligation to obtain consent before transmitting direct marketing – that provision preempts the general rules of the GDPR.
Whether a supervisory authority is able to investigate a potential violation of the ePrivacy Directive depends on the Member State’s legislation implementing the ePrivacy Directive. Some Member State implementing statutes confer upon supervisory authorities jurisdiction over alleged violations of both the GDPR and the ePrivacy Directive; other Member State implementing statutes confer on a separate government body jurisdiction over alleged violations of the ePrivacy Directive. As the European Data Protection Board has stated:
When the processing of personal data triggers the material scope of both the GDPR and the ePrivacy Directive, data protection authorities [i.e., supervisory authorities] are competent to scrutinize subsets of the processing which are governed by national rules transposing the ePrivacy Directive only if national law confers this competence on them.1
As a result, if an organization is alleged to have violated a specific rule of the ePrivacy Directive, in some Member States the supervisory authority may be the correct government entity to initiate an enforcement action; in other Member States the supervisory authority may lack jurisdiction.
In situations in which the supervisory authority is empowered to investigate alleged violations of the ePrivacy Directive, the EDPB has made clear that the supervisory authority should not conflate its enforcement powers (including presumably its ability to obtain administrative fines) conferred under the GDPR with its enforcement powers and fining ability conferred under the Member State statute implementing the ePrivacy Directive. As the EDPB has made clear:
When . . . data protection authorities are competent to scrutinize the data processing operations which are governed by national ePrivacy rules . . . such scrutiny must happen within the supervisory powers assigned to the authority by the national law transposing the ePrivacy Directive. 2