July 7, 2020
2020 has already proven to be a banner year for data privacy and compliance. Litigation related to the CCPA has been steady, a successor to the CCPA is on the horizon, and GDPR enforcement has been strong.
The California Consumer Privacy Act of 2018
The California Consumer Privacy Act of 2018 (CCPA) is sometimes called California’s version of the EU General Data Protection Regulation (GDPR). While the CCPA’s scope is not as extensive as that of the GDPR, compliance with the CCPA has been challenging for companies. The statute is densely written, with numerous internal cross-references, and overall is difficult to parse. Some important concepts, such the nature of a “sale,” are given to different interpretations. The result is a statute that requires significant effort to comply with.
Since the beginning of this year, when the CCPA went into force, some 25 lawsuits have been filed on behalf of plaintiffs claiming violations of the statute, most (if not all) of which have been filed as class actions. Undoubtedly, more such lawsuits are on the way.
In June, California Attorney General Xavier Becerra’s office published the final CCPA Regulations to help businesses comply with the statute. Highlights from the final version include:
- Notice and Consent
If a business seeks to use a consumer’s previously collected personal information for a purpose materially different than what was previously disclosed to the consumer, the business shall directly notify the consumer of this new use and obtain explicit consent.
- Right to Access (“Request to Know”) Personal Information
Upon receiving a request to disclose personal information held, a business has 10 business days to confirm receipt of the Request to Know and 45 calendar days to fulfill it. The business can extend 45 additional days but have to provide a reason within the first 45 days.
- Service Providers Are Largely Unregulated
An entity that processes information on behalf of a business based on a contract is a “service provider,” and is largely unregulated by the CCPA; instead, the statute relies on the business itself to police the CCPA compliance of its service providers.
What companies should pay attention to in the CCPA:
In terms of information security mandates, the Regulations cite three areas where companies must pay particular attention:
- Need for a risk assessment. The Regulations state that “[a] business shall not provide a consumer with specific pieces of personal information if the disclosure creates a substantial, articulable, and unreasonable risk to the security of that personal information, the consumer’s account with the business, or the security of the business’s systems or networks.” [my emphasis]
- Heightened protection for certain information. The Regulations prohibit the sharing of certain personal information: “A business shall not at any time disclose a consumer’s Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, or security questions and answers.”
- Need for secure transmissions. The Regulations highlight the need to protect personal information while it is transmitted to the consumer: “A business shall use reasonable security measures when transmitting personal information to the consumer.”
Bottom line: Companies that collect personal information of California consumers should broadly review how they protect that information, especially as it relates to securely transmitting it to the consumer or sharing with third parties. That review should include the definition of “sensitive personal information,” as it is described in the proposed California Privacy Rights Act of 2020 (CPRA), discussed below.
The California Privacy Rights Act of 2020 is likely to pass
The California Privacy Rights Act of 2020 (CPRA) is a current ballot initiative that seeks to clarify and expand the mandates of the CCPA. In May, the measure had received more than 900,000 signatures, gaining the support needed to place it on the state’s November 2020 ballot. Widespread public support makes this measure likely to pass. If this occurs, it will become enforceable on July 1, 2023. While this two-year grace period seems lengthy, the EU GDPR featured the same period and organizations struggled to meet the deadline.
Key aspects of the CPRA:
- Creation of the California Privacy Protection Agency (CPPA), tasked with enforcement of the CPRA and other state privacy regulations. In GDPR terms, the CPPA would be a supervisory authority;
- Appointment of a state “Chief Privacy Auditor” to conduct audits of businesses;
- Creation of a new class of personal information, “sensitive personal information,” and significant restrictions on its use. Examples include Social Security numbers, a consumer’s precise geolocation, biometric information, and contents of a consumer’s private communications;
- A ban on advertising deemed to use “profiling”;
- Elimination of the 12-month rolling time period used to calculate in-scope personal information. Instead, all information collected would be in scope; and
- A mandate to conduct cybersecurity audits and publish risk assessments pursuant to regulations to be issued by the CPPA.
The CPRA would much more closely resemble the GDPR than does the current state of the CCPA. The amount of effort needed to meet the terms of the proposed law is likely to be significant, and companies that will likely be subject to it should begin preparing now for compliance. Also, because this initiative would amend the California constitution, the ability of the state’s legislature to weaken it would be severely curtailed. As a result, the CPRA would almost certainly become the default national data protection statute for the United States.
General Data Protection Regulation Enforcement
In 2019, roughly 150 enforcement actions were taken by EU supervisory authorities against organizations violating the GDPR. So far, in 2020, there have been at least 100 major GDPR enforcement actions.
The two largest proposed fines were issued by the U.K. Information Commissioner’s Office (ICO):
- £99M against Marriott International, based upon compromise of the Starwood reservation database, with 383 million customers being affected; and
- £183.39M against British Airways, based upon user traffic to the British Airways website being diverted to a fraudulent site, with 380,000 customers being affected.
Both offenders are still in settlement negotiations with the ICO.
The Irish Data Protection Commissioner’s Office has 21 open investigations into technology companies such as Facebook, Google, Apple, Twitter, and Verizon Media. In particular, there are investigations into WhatsApp and how it communicates to users how their data is being processed and into Twitter for a data breach.
Data Privacy and Compliance Priorities for 2020
Far and away, the number one data privacy and compliance priority for companies in 2020 is preparing for the potential, if not likely, approval of CPRA or for the passage of similar legislation. CPRA creates a new and relatively broad category of personal information and will necessitate a review of what personal information is being collected, used, and shared, as well as how it’s being protected. In particular:
- Update your data inventory. In several instances of organizations being sanctioned by EU supervisory authorities for GDPR violations, the offenders did not know why they had collected the personal data in question. Updating your data inventory (especially in light of new definitions of personal data) offers the opportunity to uncover previously unknown personal information and discern why it was collected before a regulator or plaintiff’s counsel asks.
- Draft updates to your privacy “policy.” Your publicly-facing notice of privacy practices is an important mechanism to convey to the public and business partners how you use, share, and protect personal information. However, privacy policies that cite practices that don’t take place or are not enforced are a magnet for regulators who only have to prove such policies are unfair or deceptive, which is a very low bar to clear.
- Review partner agreements. Business partner agreements invariably contain provisions on the sharing, use, and protection of personal information and require a thorough review. The mandates or licenses cited often border on the absurd, including requirements for SOC II reports from companies that don’t offer cloud services, co-controller status for companies that are truly data processors, and certifying an entire company as compliant with some NIST or ISO standard.
Data Privacy Manager™: Your next step for data privacy and compliance
The most important task any organization can take in meeting the demands of data privacy and compliance regulations is precisely identifying where personal data exists throughout the enterprise, determining how it’s being used and protected, and who has access to it, especially with respect to third parties.
To do this effectively, you need a solution that can find sensitive data wherever it lives, track it, and build workflows to manage it appropriately to ensure compliance. Spirion’s Data Privacy Manager™ does it all, with incredible speed and highly accurate results. Schedule a demo to see how Data Privacy Manager™ can help your organization protect what matters most.