The Evolving World of Data Privacy Laws, Part 2: The CCPA

EU to California: “We just passed the most extensive cyber-security and privacy regulation in history.”
California to EU: “Hold my beer.”

Last time we addressed navigating some tricky provisions of the GDPR, including territorial scope and contracting requirements.  The expansive nature of this EU law has had a significant impact, and nowhere was this more widely felt than when the California legislature looked at its privacy landscape and said, “hold my beer.”  Okay, so while that is a funny analogy, it’s not quite how things unfolded.  A well-funded and passionate individual named Alastair Mactaggart created a ballot initiative regarding privacy.  This sent shock waves throughout the business community, and eventually resulted in the California Consumer Privacy Act (CCPA).  This piece of legislation was hastily drafted and became the central focus of an eleventh-hour deal to dismiss the ballot initiative, which had garnered more than twice the number of signatures necessary to make it onto the ballot.  The CCPA passed as drafted and the ballot initiative was withdrawn.  One major advantage of legislation is that it can be modified, and in another nail-biter of a deal between the business community and privacy advocates, a clean-up bill was also passed.  The law goes into effect January 1, 2020, but AG enforcement of the law is delayed until the earlier of 6 months after publication of a final rule, or July 1, 2020.

The Basics

Just like the GDPR, the CCPA is both a data protection and a data privacy regulation.  Consumers have four basic rights under the CCPA:  the right to notice about what personal information is being collected, the right to access their data, the right to request deletion of their data, and the right to obtain the data collected in an electronic, portable format.  A few items of note that jump out when reading the law:

  • Companies are required to notify consumers at or before the time personal information is collected, and the collection of data can include passive receipt of the information. This broad definition of what it means to “collect” data may present practical difficulties regarding how and when companies notify consumers.  The format and adequacy of such notices may not be determined until the AG rule-making process is complete;
  • While some companies seem very focused on the duty to delete data, and on their ability to comply with the requirements of the law in this regard, the list of exceptions to the duty to delete (that is, the list of reasons companies can decline to comply with a request to delete) is quite expansive, and our instinct tells us that most companies will be able to retain data provided they have a legitimate purpose to do so.

The Nitty Gritty

The CCPA still presents major challenges for any company doing business in California.  It contains many ambiguities, chief among them the following:

  • Understanding and socializing the breadth of the definition of personal information under the CCPA. The CCPA contains its own specific definition of personal information, and then also refers to any other information that is designated as personal information under California law.  We have attempted to compile a list, but the bottom line is that the definition includes any piece of information about an individual in California, including, but not limited to, the following:

[Table: categories of personal information under the CCPA (table not reproduced in this copy of the post)]

  • The definition of consumer under the CCPA does not include a carve-out for information obtained about individuals who are employees, or who are associated with vendors or agents, for example. These are not traditional “consumer” relationships, but nevertheless, the CCPA does not contain clear enough definitions, or exclusions from those definitions, to provide for these scenarios; again, it covers any information about any individual in California;
  • The definition of “selling” under the CCPA is similarly broad and includes mere sharing. It is true that the sharing must be for “monetary or other valuable consideration.”  A real question exists as to whether “other valuable consideration” is intended as a term of art, like boilerplate language included in a contract, or whether consideration other than money will be deemed to make the mere exchange of information, for instance, a “sale”;
  • Companies must verify the identity of consumers making requests to access their personal information, but in a catch-22, companies will have to collect personal information (as defined by the law) in order to verify the consumer’s identity;
  • The timing regarding enforcement is a bit wonky: the original effective date of the CCPA is January 1, 2020.  Because the relevant information collected under the CCPA is that of the preceding twelve months, companies need to be ready with any necessary technological enhancements and trained teams as of January 1, 2019 (this year!).  The clean-up bill states that AG enforcement will begin on the earlier of 6 months after the AG completes its rule-making process or July 1, 2020.  This raises the question of whether delayed enforcement means a delayed requirement to implement the law, or whether the AG will have the authority to look at the conduct of companies dating back to January 1, 2019;
  • The definition of personal information excludes publicly available information, but the exclusion contains a number of subjective factors, making it difficult for organizations to determine with certainty what is or is not publicly available;
  • Although it was originally thought that the data portability provisions of the ballot-initiative-turned-legislation would not be included, they were not entirely deleted, and as a result there are a few remnants requiring companies to provide consumer data in an electronic format.

The CCPA will be enforced by the Attorney General, and the AG’s rule-making process may clear up some of these ambiguities and clarify the requirements.  That said, the law also includes a limited private cause of action for data breach, with penalties of $100 to $750 per incident per consumer.  Before the consumer can pursue these damages, the company must be notified of the issue and given an opportunity to cure the failure to comply.  We question the value of this cure provision, given that a data breach is a bell you can’t un-ring.

If you’re not part of the solution….

The California Chamber of Commerce is actively working on a bill to address a narrow set of clean-up issues, including important carve-outs from the definition of consumer to exclude vendors, agents and other business-to-business data.  In addition, different industries are seeking their own, California-specific modifications.  If you are concerned about the content and outcome of these legislative fixes, you should seek to involve yourself in these discussions.  Many experts have assigned low odds to achieving meaningful change to the CCPA.  If clean-up bills significantly undermine the rights granted to consumers under the CCPA, another ballot initiative is certainly a possibility.

The Road Ahead

As the fifth largest economy in the world, California’s new privacy legislation will have a massive impact on most businesses.  This is especially true given that compliance with privacy law in the US is a 50-state problem, and some companies may choose to comply with the most restrictive law among those states in order to save the money and time wasted on gradual, piecemeal solutions.  The exact steps towards compliance will be different for each organization, but a very high-level road map should include the following components:

  • Form a leadership team, including appointing a data privacy officer (DPO), to oversee enterprise-wide compliance efforts and initiatives;
  • Build a team of trusted outside consultants and legal advisers to assist with compliance and verify conclusions;
  • Socialize expansive definitions within the organization;
  • Undertake data mapping (surveying key operations to determine where personal information is collected and stored, along with verification);
  • Conduct a gap analysis regarding access control and data protection;
  • Implement changes to privacy notices, privacy practices and data protection;
  • Interface with vendor management teams to ensure that contract language complies with GDPR and CCPA requirements;
  • Train teams to respond to consumer requests and build out the functions required to field those requests;
  • Consider building California-specific websites;
  • Create a team and function to maintain the compliance program, including policies and procedures, on a going-forward basis;
  • Ensure that all stakeholders within the organization, including legal, IT, information security and marketing/PR, understand and are very clear on their roles and responsibilities in the event of a breach. The chain of command should be clear, and table-top exercises can be very helpful in fleshing out the process.

Regarding the first bullet on this checklist, please note that under certain circumstances, appointing a formal data privacy officer is required by the GDPR.  Regarding the third bullet on this list (“expansive definitions”), we acknowledge that some of you may have glossed over it because it sounds like corporate-speak.  What we mean is that people inside your organization need to start thinking about privacy in a dramatically different way.  When you use the term “personal information,” everyone’s brain will (understandably) go to the traditional definition of NPI under the GLBA.  It will take time and a good bit of cognitive dissonance for essential decision-makers to understand that the world has shifted, and that personal information now means everything that can be associated with an individual inside California.

A Pragmatic Highlight

Although we haven’t included it on this road map, as a pragmatic strategy companies may find it beneficial to first narrow the categories of personal information they collect, and subsequently to create a policy regarding the deletion of historical data, coupled with a going-forward policy on when data will be deleted.  Less data means less data to manage.

Can the Feds Save Us?

After reading this post, some may feel overwhelmed by the costs of compliance and begin to wonder how we might move towards a clearer and more uniform regulatory environment.  Next week we will discuss the potential of enacting uniform federal privacy legislation that could solve the challenges associated with the CCPA.

THIS BLOG POST AND ASSOCIATED MATERIALS ARE PROVIDED FOR INFORMATIONAL PURPOSES ONLY AND NOT PROVIDED FOR THE PURPOSE OF PROVIDING LEGAL ADVICE.  YOU SHOULD CONTACT YOUR ATTORNEY TO OBTAIN ADVICE ON ANY PARTICULAR ISSUES.  THE OPINIONS AND VIEWS EXPRESSED IN THIS POST REPRESENT THE OPINIONS AND VIEWS OF THE INDIVIDUAL AUTHORS AND MAY NOT REFLECT THE OPINIONS OR VIEWS OF A PARTICULAR COMPANY.

About the Author

Margaret E. Redman, J.D., ARe

Ms. Redman practiced commercial real estate law for 11 years in Atlanta, Georgia.  After developing expertise in title insurance, she joined a leading title insurer based in Santa Ana, California.  While in this position, Ms. Redman developed expertise in privacy regulation.  In January 2019, Ms. Redman joined Fidelity National Title as Senior Vice President, Western Region, Fidelity National Title Group, where she will interface with clients and customers on a variety of subjects, including underwriting and reinsurance.

Contributors

Mike Thompson
Managing Partner/CEO
ICSynergy International LLC
Steve Scherer
CSO and Chief Architect
ICSynergy International LLC

ICSynergy CyberSecurity Services

ICSynergy International LLC has provided cybersecurity strategy and implementation services for over 15 years.  Since our early days of delivering world-class identity management solutions, we have always looked at cybersecurity through a people, process and technology lens.  This approach becomes even more important when looking at the repercussions of a GDPR or CCPA breach.  Let ICSynergy’s team of privacy and security professionals help you formulate your approach to the GDPR and CCPA.