Data Privacy and Compliance (CCPA, CPRA, GDPR): Looking Ahead

2020 was quite a banner year for data privacy and compliance. Litigation related to the CCPA has been steady, a successor to the CCPA passed, and GDPR enforcement has been strong.

The California Consumer Privacy Act of 2018

The California Consumer Privacy Act of 2018 (CCPA) is sometimes called California’s version of the EU General Data Protection Regulation (GDPR).  While the CCPA’s scope is not as extensive as that of the GDPR, compliance with the CCPA has been challenging for companies.  The statute is densely written, with numerous internal cross-references, and overall is difficult to parse.  Some important concepts, such as the nature of a “sale,” are open to different interpretations. The result is a statute that requires significant effort to comply with.

CCPA Enforcement

Since the beginning of 2020, when the CCPA went into force, some 25 lawsuits have been filed on behalf of plaintiffs claiming violations of the statute, most (if not all) of which have been filed as class actions.  Undoubtedly, more such lawsuits are on the way.

CCPA Compliance

In June 2020, California Attorney General Xavier Becerra’s office published the final CCPA Regulations to help businesses comply with the statute. Highlights from the final version include:

  • Notice and Consent
    If a business seeks to use a consumer’s previously collected personal information for a purpose materially different than what was previously disclosed to the consumer, the business shall directly notify the consumer of this new use and obtain explicit consent.
  • Right to Access (“Request to Know”) Personal Information
    Upon receiving a request to disclose personal information held, a business has 10 business days to confirm receipt of the Request to Know and 45 calendar days to fulfill it. The business may extend this by 45 additional days but must provide a reason within the first 45 days.
  • Service Providers Are Largely Unregulated
    An entity that processes information on behalf of a business based on a contract is a “service provider,” and is largely unregulated by the CCPA; instead, the statute relies on the business itself to police the CCPA compliance of its service providers.

What companies should pay attention to in the CCPA:

In terms of information security mandates, the Regulations cite three areas where companies must pay particular attention:

  • Need for a risk assessment. The Regulations state that “[a] business shall not provide a consumer with specific pieces of personal information if the disclosure creates a substantial, articulable, and unreasonable risk to the security of that personal information, the consumer’s account with the business, or the security of the business’s systems or networks.” [my emphasis]
  • Heightened protection for certain information. The Regulations prohibit the sharing of certain personal information: “A business shall not at any time disclose a consumer’s Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, or security questions and answers.”
  • Need for secure transmissions. The Regulations highlight the need to protect personal information while it is transmitted to the consumer: “A business shall use reasonable security measures when transmitting personal information to the consumer.”
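As an added example that is not part of the original article, the following Python sketch turns two of the rules above into checks a Request to Know workflow could run: the 10-business-day and 45-calendar-day deadlines from the Right to Access section, and the categories the Regulations say must never be disclosed to the consumer. The record field names, the constructed sample record and the weekday-only business-day rule are assumptions, not statute text.

```python
from datetime import date, timedelta

# Categories the Regulations say must never be disclosed in a Request to
# Know response; the key names are an assumed record schema, not statute text.
NEVER_DISCLOSE = {"ssn", "drivers_license", "government_id", "financial_account",
                  "health_insurance_id", "medical_id", "password", "security_qa"}

def add_business_days(start: date, n: int) -> date:
    """Advance start by n business days (Mon-Fri only; holidays not modelled)."""
    current = start
    while n > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            n -= 1
    return current

def request_to_know_deadlines(received_iso: str, extended: bool = False) -> dict:
    """10 business days to confirm receipt, 45 calendar days to fulfil, and 45
    more only if the reason for extending was sent within the first 45 days."""
    received = date.fromisoformat(received_iso)
    fulfil_by = received + timedelta(days=45)
    deadlines = {"confirm_by": add_business_days(received, 10),
                 "extension_notice_by": fulfil_by,
                 "fulfil_by": fulfil_by + timedelta(days=45) if extended else fulfil_by}
    return {name: day.isoformat() for name, day in deadlines.items()}

def redact_for_disclosure(record: dict) -> tuple:
    """Return (disclosable copy, dotted paths withheld); the paths go to the
    audit log, the withheld values never leave the system."""
    disclosable, withheld = {}, []
    for key, value in record.items():
        if key in NEVER_DISCLOSE:
            withheld.append(key)
        elif isinstance(value, dict):
            sub, sub_withheld = redact_for_disclosure(value)
            disclosable[key] = sub
            withheld.extend(f"{key}.{path}" for path in sub_withheld)
        else:
            disclosable[key] = value
    return disclosable, withheld

# Constructed sample record for demonstration only.
SAMPLE_RECORD = {"name": "A. Consumer", "email": "consumer@example.com",
                 "ssn": "000-00-0000", "password": "hunter2",
                 "profile": {"city": "Sacramento", "security_qa": {"pet": "Rex"}}}

if __name__ == "__main__":
    print(request_to_know_deadlines("2020-07-01", extended=True))
    print(redact_for_disclosure(SAMPLE_RECORD))
```

The redaction step is deny-by-category rather than allow-by-field, so a new field that happens to carry a prohibited identifier still needs to be added to the set; a real deployment would also apply the risk assessment gate from the first bullet before releasing anything.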

Bottom line: Companies that collect personal information of California consumers should broadly review how they protect that information, especially as it relates to securely transmitting it to the consumer or sharing with third parties.  That review should include the definition of “sensitive personal information,” as it is described in the subsequent California Privacy Rights Act of 2020 (CPRA), discussed below.

The passing of the California Privacy Rights Act of 2020

The California Privacy Rights Act of 2020 (CPRA) was approved by California voters after appearing on the November 2020 ballot. Widespread public support makes this measure likely to pass. The law will become enforceable on January 1, 2023.  While this two-year grace period seems lengthy, the EU GDPR featured the same period and organizations struggled to meet the deadline.

Key aspects of the CPRA:

  • Creation of the California Privacy Protection Agency (CPPA), tasked with enforcement of the CPRA and other state privacy regulations. In GDPR terms, the CPPA would be a supervisory authority;
  • Appointment of a state “Chief Privacy Auditor” to conduct audits of businesses;
  • Creation of a new class of personal information, “sensitive personal information,” and significant restrictions on its use. Examples include Social Security numbers, a consumer’s precise geolocation, biometric information, and contents of a consumer’s private communications;
  • A ban on advertising deemed to use “profiling”;
  • Elimination of the 12-month rolling time period used to calculate in-scope personal information. Instead, all information collected would be in scope; and
  • A mandate to conduct cybersecurity audits and publish risk assessments pursuant to regulations to be issued by the CPPA.

The CPRA more closely resembles the GDPR than its predecessor, the CCPA.  The effort needed to meet its terms is significant, and companies subject to it must invest extra effort to maintain compliance.  Also, because this initiative amended the California constitution, the ability of the state’s legislature to weaken it is severely curtailed.  As a result, the CPRA is almost certainly set to become the default national data protection statute for the United States.

General Data Protection Regulation Enforcement

In 2019, roughly 150 enforcement actions were taken by EU supervisory authorities against organizations violating the GDPR. Halfway through 2020, there were already at least 100 major GDPR enforcement actions.

The two largest proposed GDPR fines were issued by the U.K. Information Commissioner’s Office (ICO):

  • £99M against Marriott International, based upon compromise of the Starwood reservation database, with 383 million customers being affected; and
  • £183.39M against British Airways, based upon user traffic to the British Airways website being diverted to a fraudulent site, with 380,000 customers being affected.

Both offenders are still in settlement negotiations with the ICO.

The Irish Data Protection Commissioner’s Office has 21 open investigations into technology companies such as Facebook, Google, Apple, Twitter, and Verizon Media.  In particular, there are investigations into WhatsApp and how it communicates to users how their data is being processed and into Twitter for a data breach.

Data Privacy and Compliance Priorities for the Future

Far and away, the number one data privacy and compliance priority for companies right now is preparing for the approval of legislation similar to the CPRA. The CPRA created a new and relatively broad category of personal information, necessitating a review of what personal information is being collected, used, and shared, as well as how it’s being protected.  In particular:

  • Update your data inventory. In several instances of organizations being sanctioned by EU supervisory authorities for GDPR violations, the offenders did not know why they had collected the personal data in question. Updating your data inventory (especially in light of new definitions of personal data) offers the opportunity to uncover previously unknown personal information and discern why it was collected before a regulator or plaintiff’s counsel asks.
  • Draft updates to your privacy “policy.” Your publicly-facing notice of privacy practices is an important mechanism to convey to the public and business partners how you use, share, and protect personal information. However, privacy policies that cite practices that don’t take place or are not enforced are a magnet for regulators who only have to prove such policies are unfair or deceptive, which is a very low bar to clear.
  • Review partner agreements. Business partner agreements invariably contain provisions on the sharing, use, and protection of personal information and require a thorough review. The mandates or licenses cited often border on the absurd, including requirements for SOC 2 reports from companies that don’t offer cloud services, co-controller status for companies that are truly data processors, and certifying an entire company as compliant with some NIST or ISO standard.