Data Privacy and Compliance (CCPA, CPREA, GDPR): A Look Ahead for 2020

2020 promises to be a banner year for data privacy and compliance, and it’s not just about the California Consumer Privacy Act of 2018 (CCPA).  While the CCPA has significantly raised the bar for the protection of personal data, its proposed replacement, the California Privacy Rights and Enforcement Act of 2020 (CPREA), adds a whole host of new protections.  Many U.S. states have already introduced CCPA-like legislation or will do so shortly, and others are expected to introduce legislation that addresses issues such as biometrics, the Internet of Things, and the use of consumer credit reports.  GDPR enforcement promises to be rigorous, with the Irish Data Protection Commissioner’s office expected to resolve complaints related to Facebook and Twitter.

Your next step for data privacy and compliance: The most important task any organization can take in meeting the demands of data privacy and compliance regulations is precisely identifying where personal data exists throughout the enterprise, determining how it’s being used and protected, and who has access to it, especially with respect to third parties.

The California Consumer Privacy Act of 2018

CCPA vs. GDPR

The CCPA is sometimes called California’s version of the EU General Data Protection Regulation (GDPR).  While the CCPA’s scope is not as extensive as that of the GDPR, compliance with the CCPA has been complicated by its drafting.  According to stories in the data protection media, the CCPA was drafted in approximately 4-6 days, in contrast to the GDPR’s drafting and debate lasting some 4-5 years.  The result was a statute that is difficult to parse and requires significant effort to assemble a cohesive regulatory picture.

CCPA Enforcement:

In terms of enforcement activity, California Attorney General Xavier Becerra said he considers the law in effect as of January 1, 2020, even though formal enforcement won’t start until July 1.  Moreover, CCPA §150 (data security) is enforceable on January 1st by private parties, which means the potential for class action lawsuits stemming from personal information breaches.

In October of 2019, A.G. Becerra’s office published “draft” CCPA Regulations that were designed to offer insight into complying with the statute.  However, these seem to be final – for now.  What’s remarkable about the Regulations is not just what’s in them, but what’s not.

In particular, missing from the CCPA Regulations:

  • Information on de-identifying or aggregating personal information;
  • How to “cure” a breach;
  • Details on “third-party identity verification services” or “authorized agents”; and
  • A citation to CIS CSC Top 20 (or other data protection frameworks), even though there are numerous information security mandates.

What companies should pay attention to in the CCPA:

In terms of information security mandates, the Regulations cite three areas where companies must pay particular attention:

  • Need for a risk assessment. The Regulation states that “[a] business shall not provide a consumer with specific pieces of personal information if the disclosure creates a substantial, articulable, and unreasonable risk to the security of that personal information, the consumer’s account with the business, or the security of the business’s systems or networks.” [my emphasis]
  • Heightened protection for certain information. The Regulation prohibits the sharing of certain personal information: “A business shall not at any time disclose a consumer’s Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, or security questions and answers.”
  • Need for secure transmissions. The Regulation highlights the need to protect personal information while it is transmitted to the consumer: “A business shall use reasonable security measures when transmitting personal information to the consumer.”

Bottom line: In sum, companies that collect personal information of California consumers should broadly review how they protect that information, especially as it relates to securely transmitting it to the consumer or sharing with third parties.  That review should include the definition of “sensitive personal information,” as it is described in the proposed California Privacy Rights and Enforcement Act of 2020 (CPREA).

The California Privacy Rights and Enforcement Act of 2020: Wait, another California Privacy regulation?

The California Privacy Rights and Enforcement Act of 2020 (CPREA) is currently a ballot initiative sponsored by one of the people who sponsored the original CCPA ballot initiative, Alastair Mactaggart (Mactaggart eventually dropped that initiative in exchange for the legislature passing its own version of the CCPA).  If approved by California voters, it will go into effect January 1, 2021.  The initiative expands on the mandates of the CCPA in many ways.

Key functions of the CPREA:

  • Creation of the California Privacy Protection Agency (CPPA), tasked with enforcement of the CPREA and other state privacy regulations. In GDPR terms, the CPPA would be a supervisory authority.
  • Appointment of a “Chief Privacy Auditor” to conduct audits of businesses;
  • Annual disclosure for political use of personal information;
  • Creation of a new class of personal information, “sensitive personal information,” and significant restrictions on its use. Examples include Social Security numbers, a consumer’s precise geolocation, biometric information, and contents of a consumer’s private communications;
  • A ban on advertising deemed to use “profiling”;
  • Elimination of the 12-month rolling time period used to calculate in-scope personal information. Instead, all information collected would be in scope; and
  • A mandate to conduct cybersecurity audits and publish risk assessments pursuant to regulations to be issued by the CPPA.

CPREA would much more closely resemble the GDPR than the CCPA in its current form does.  The amount of effort needed to meet the terms of the proposed law is likely to be significant, and companies that will likely be subject to it should begin preparing now for compliance.  Also, because this initiative would amend the California constitution, the ability of the state’s legislature to weaken it would be severely curtailed.  As a result, CPREA would almost certainly become the default national data protection statute for the United States.

More California data privacy regulations:

While the CCPA has garnered the majority of attention in the data protection and public news media, two important California data protection statutes also went into effect on January 1st:

  • Data Brokers: A.B. 1202. This new statute regulates data brokers, companies that buy and sell personal information about persons with whom they have no relationship.
  • IoT Devices: S.B. 327 and A.B. 1906. Together, S.B. 327 and A.B. 1906 represent a first-of-its-kind statute mandating security for “Internet of Things” (or IoT) devices, such as routers and Internet-connected appliances.  Recent litigation surrounding alleged failures of the Ring doorbell camera, an IoT device, has brought the need for such legislation into especially sharp focus.

Other States Have Not Been Idle

Other states have not been idle in the pursuit of greater data protection for their residents.  Some noteworthy statutes that have or will come into force in 2020 include:

  • Oregon and IoT Devices: H.B. 2395. This is Oregon’s equivalent to California’s IoT statute, and in fact is nearly identical to it.  It went into effect on January 1st.
  • New York and Private Information: S. 5575-B, the SHIELD Act. Effective on March 21st, New York’s Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) offers significant protection for the private information of New York residents. Elements of the Act include a broad definition of private information, broad jurisdictional reach, and information security requirements.
  • Maine and Customers’ Personal Information: L.D. 946. This Maine statute, effective on July 1st, prohibits broadband internet access providers from using, disclosing, selling or permitting access to customers’ personal information unless the customer expressly consents.

Washington (state) Privacy Act (WPA)

With respect to data protection legislation proposed during the 2020 legislative session, the most noteworthy is the Washington (state) Privacy Act (WPA).  According to Jules Polonetsky, CEO of the Future of Privacy Forum, “The Washington Privacy Act is the most comprehensive state privacy legislation proposed to date. The bill addresses concerns raised last year and proposes strong consumer protections that go beyond the California Consumer Privacy Act. It includes provisions on data minimization, purpose limitations, privacy risk assessments, anti-discrimination requirements, and limits on automated profiling that other state laws do not.”  With the legislative session ending in mid-March, we’ll know relatively soon what form this bill will ultimately take.  As with CPREA, companies that will likely be subject to this statute, should it become law, should prepare now.

General Data Protection Regulation (GDPR) Enforcement

In 2019, roughly 150 enforcement actions were taken by EU supervisory authorities against organizations violating the EU General Data Protection Regulation (or GDPR).

The two largest proposed fines were issued by the U.K. Information Commissioner’s Office (ICO):

  • £99M against Marriott International, based upon compromise of the Starwood reservation database, with 383 million customers being affected; and
  • £183.39M against British Airways, based upon user traffic to the British Airways website being diverted to a fraudulent site, with 380,000 customers being affected.

Both offenders are still in settlement negotiations with the ICO.

Other noteworthy GDPR fines include:

  • €50 million against Google by the French supervisory authority, the CNIL, for insufficient legal basis for processing personal data;
  • €18 million against the Austrian Post by the Austrian Data Protection Authority (DSB) for selling personal data without a sufficient legal basis; and
  • €14.5 million against Deutsche Wohnen SE by the Berlin Data Commissioner for retaining personal data longer than necessary.

In early January 2020, the ICO issued a £500,000 fine against electronics retailer Dixons Carphone for a pre-GDPR breach in its point-of-sale system that exposed between 5 and 6 million payment card records and 10 million personal data records.  Had the breach occurred after the GDPR enforcement date, the fine likely would have been much higher.

The Irish Data Protection Commissioner’s Office has 21 open investigations into technology companies such as Facebook, Google, Apple, Twitter, and Verizon Media.  In particular, there are investigations into WhatsApp and how it communicates to users how their data is being processed and into Twitter for a data breach.

Norwegian Consumer Council and AdTech Companies:

In early January, the Norwegian Consumer Council released a report on multiple potential GDPR violations by so-called AdTech companies, companies that specialize in the technology of Internet-based advertising.  The Council commissioned Mnemonic, an Oslo-based information security firm, to perform a data flow analysis of 10 popular smartphone apps running on Google’s Android operating system, such as OkCupid, Tinder, and Grindr.  The report, Out of Control: How Consumers are Exploited by the Adtech Industry, revealed widespread abuses in the sharing of personal data with AdTech companies.  From the report: “In the cases described in this report, none of the apps or third parties appear to fulfil the legal conditions for collecting valid consent[.]”  The release of this report is likely to instigate widespread investigations across the EU.  Previous investigations by EU authorities into data protection violations have resulted in similar investigations being started here in the U.S. (such as the one involving Google’s Street View).  Given that the marketing departments of many companies routinely use AdTech (perhaps unwittingly), now is a good time to start reviewing (or updating) marketing practices for compliance with data protection laws.

Data Privacy and Compliance Priorities for 2020

Far and away, the number one data privacy and compliance priority for companies in 2020 is preparing for the potential, if not likely, approval of CPREA or for the passage of the WPA or similar legislation.  CPREA creates a new and relatively broad category of personal information and will necessitate a review of what personal information is being collected, used, and shared, as well as how it’s being protected.  The WPA offers equivalent challenges.  In particular:

  • Update your data inventory. In several instances of organizations being sanctioned by EU supervisory authorities for GDPR violations, the offenders did not know why they had collected the personal data in question.  Updating your data inventory (especially in light of new definitions of personal data) offers the opportunity to uncover previously unknown personal information and discern why it was collected before a regulator or plaintiff’s counsel asks.
  • Draft updates to your privacy “policy.” Your publicly-facing notice of privacy practices is an important mechanism to convey to the public and business partners how you use, share, and protect personal information.  However, privacy policies that cite practices that don’t take place or are not enforced are a magnet for regulators who only have to prove such policies are unfair or deceptive, which is a very low bar to clear.
  • Review partner agreements. Business partner agreements invariably contain provisions on the sharing, use, and protection of personal information and require thorough review.  The mandates or licenses cited often border on the absurd, including requirements for SOC 2 reports from companies that don’t offer cloud services, co-controller status for companies that are truly data processors, and certifying an entire company as compliant with some NIST or ISO standard.

On a final note, I’ll be reviewing upcoming data protection legislation in a webinar entitled The Quiet Revolution, Part 3: State Data Protection Laws for 2020 sometime in April; visit the Spirion website periodically for details.

Scott M. Giordano, Esq., V.P., Data Protection, Spirion

Scott M. Giordano is an attorney with more than 20 years of legal, technology, and risk management consulting experience.  An IAPP Fellow of Information Privacy and a Certified Information Security Systems Professional (CISSP), Scott serves as Spirion’s subject matter expert on multinational data protection and its intersection with technology, export compliance, internal investigations, information governance, and risk management.  Prior to joining Spirion, he served as Director, Data Protection for Robert Half Legal and established the global privacy program for Esterline Technologies Corporation in Bellevue, WA.

During his career, Scott has held senior positions at several legal technology firms and is listed as co-inventor on Intelligent Searching of Electronically Stored Information, patent application no. 13/842,910.  In addition, he taught the first law school course anywhere on electronic evidence and e-discovery.

Scott is a member of the bar in Washington state, California, and the District of Columbia.
