The privacy landscape is evolving and increasingly becoming more complex. Over the past few years, public awareness has grown, which has been an instrumental factor in the passing of the California Consumer Privacy Act of 2018 (CCPA) and more recently, the California Privacy Rights Act of 2020 (CPRA).
These rapid changes in the privacy and compliance landscape should be a signal for companies to re-evaluate how their teams approach privacy. Along with the advancement of laws and regulations, there is also a shift in consumer perception and expectation. Companies that make an effort and go the extra mile to protect their customers’ private data will build stronger, trustworthy relationships with their customers and lead the pack within their industries.
Most importantly, teams that adopt a privacy-forward mindset will have no trouble ensuring regulatory compliance, preventing costly data breaches from happening, and adapting to new laws and regulations that are likely to form in the future. Like we did in 2020, here we cover the major data privacy and compliance laws you should be focusing on in 2021 to build a strong, privacy-forward team.
The California Consumer Privacy Act of 2018 (CCPA)
The California Consumer Privacy Act of 2018 (CCPA) is sometimes called California’s version of the EU General Data Protection Regulation (GDPR). While the CCPA’s scope is not as extensive as that of the GDPR, CCPA compliance has been challenging for companies. The statute is densely written, with numerous internal cross-references, making it difficult to parse down. Some important concepts, such as the nature of a “sale,” may have different interpretations. The result is a statute that requires significant effort to comply with.
Who Does the CCPA Impact?
The CCPA went into effect in 2020 and over 50 lawsuits were filed claiming violations of the statute. The CCPA applies to any business — even those outside of the United States — that collects personal information from California consumers (with the exception of nonprofit or government organizations).
Businesses that meet one or more of the following conditions need to comply with the CCPA:
- Have a gross annual revenue in excess of $25 million
- Possess the personal information of 50,000 or more consumers, households, or devices
- Earn more than half of their annual revenue from selling consumers’ personal information
But remember, even if you don’t meet one of these conditions and may be considered exempt, it is still strongly recommended that your team adopt a privacy-forward strategy. This will enable your company to keep up if compliance laws and regulations change, or if your business scales and happens to meet one of the above conditions over time.
Final CCPA Compliance Regulations
In June 2020, California Attorney General Xavier Becerra’s office published the final CCPA regulations to help businesses comply with the statute. Highlights from the final version include:
Notice and Consent
If a business seeks to use a consumer’s previously collected personal information for a purpose materially different from what was previously disclosed to the consumer, the business shall directly notify the consumer of this new use and obtain explicit consent.
Right to Access (“Request to Know”) Personal Information
Upon receiving a request to disclose personal information held, a company has 10 business days to confirm receipt of the Request to Know and 45 calendar days to fulfill it. The business can extend up to 45 additional days, but has to provide a reason within the first 45 days.
Service Providers Are Largely Unregulated
An entity that processes information on behalf of a business based on a contract is a “service provider,” and is largely unregulated by the CCPA. Instead, the statute relies on the business itself to police the CCPA compliance of its service providers.
What Companies Need to Know About the CCPA
In terms of information security mandates, the regulations cite three areas where companies must pay particular attention:
1. Need for a risk assessment
The regulations state that “[a] business shall not provide a consumer with specific pieces of personal information if the disclosure creates a substantial, articulable, and unreasonable risk to the security of that personal information, the consumer’s account with the business, or the security of the business’s systems or networks.”
2. Heightened protection for certain information
The regulations prohibit the sharing of certain personal information: “A business shall not at any time disclose a consumer’s Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, or security questions and answers.”
3. Need for secure transmissions
The regulations highlight the need to protect personal information while it is transmitted to the consumer: “A business shall use reasonable security measures when transmitting personal information to the consumer.”
Bottom line: Companies that collect personal information of California consumers should broadly review how they protect that information, especially as it relates to securely transmitting it to the consumer or sharing with third parties. A good place to start is with our CCPA compliance checklist, which details five steps businesses should take to become CCPA compliant.
The California Privacy Rights Act of 2020 (CPRA)
The California Privacy Rights Act of 2020 (CPRA) was passed by voter approval on November 3, 2020. This marks a significant shift in the data privacy landscape and will expand upon the CCPA. Eventually, the CCPA will be incorporated into the CPRA when it takes effect on January 1, 2023 — which is why the CPRA is sometimes referred to as the CCPA 2.0.
Key Aspects of the CPRA
Altered Scope of Covered Businesses
The requirements for covered businesses will change with the CPRA. With the CCPA, businesses that possess personal information of 50,000 or more consumers, households or devices are required to comply. When the CPRA is enacted that number will change to 100,000. The requirement that states businesses who earn more than half of their annual revenue from selling consumers’ personal information will be changed to businesses who earn more than half of their annual revenue from selling and sharing consumers’ personal information.
New Category of Sensitive Personal Information
The CPRA includes a new class of data called “sensitive personal information,” which will be held to higher standards than other types of personal information. Along with this new class of data, the CPRA gives individuals greater control over how businesses use this type of data. Individuals will be able to request that a business use anything that falls under “sensitive personal information” only as necessary to provide goods or services, and only for a limited number of purposes outlined by the CPRA.
Introducing the “Rights of Correction”
Individuals will be able to request that businesses correct inaccurate personal information about themselves. Businesses will be required to notify consumers of this right and are required to make reasonable efforts to fulfill a requested correction.
Extends Overall Scope to “Sharing” Data
The CCPA mentions selling data and the CPRA takes this a step up by amending any instance of “selling” data to “selling or sharing.” This amendment is meant to eliminate any loopholes that companies may try to exploit.
How Businesses Can Prepare for the CPRA
First, make sure that your organization is CCPA compliant and build strong workflows that make it easy for your team to maintain compliance. Since the CPRA builds off of the CCPA, businesses should make sure they have all aspects of the CCPA in check for a natural, seamless progression towards compliance when the CPRA is eventually enacted. For example, if your team is up-to-speed on Subject Rights Request workflows now, you should be ready to handle a new wave of “Rights of Correction” requests that may come your way in 2023.
The General Data Protection Regulation
The General Data Protection Regulation (GDPR) requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. Enacted in 2016, the GDPR is known as a regulation that has set the tone and standard for data privacy — there are similar elements of the GDPR found in both the CCPA and CPRA.
Companies that have a business presence in Europe or that processes personal data of European citizens should be aware of the data privacy regulations they are responsible for complying with.
In 2020, there were over 100 major GDPR enforcement actions taken by EU supervisory authorities against organizations violating the GDPR.
The two largest proposed fines were issued by the U.K. Information Commissioner’s Office (ICO):
- £99M against Marriott International, based upon compromise of the Starwood reservation database, with 383 million customers being affected; and
- £183.39M against British Airways, based upon user traffic to the British Airways website being diverted to a fraudulent site, with 380,000 customers being affected.
Both offenders are still in settlement negotiations with the ICO.
The Irish Data Protection Commissioner’s Office has 21 open investigations into technology companies such as Facebook, Google, Apple, Twitter, and Verizon Media. In particular, there are investigations into WhatsApp and how it communicates to users how their data is being processed and into Twitter for a data breach.
Data privacy and compliance priorities for 2021
The number one data privacy and compliance priority for companies in 2021 is ensuring CCPA compliance and preparing for the future with the recent passing of CPRA. The CPRA creates a new and relatively broad category of personal information and will necessitate a review of what personal information your organization is collecting, using and sharing, as well as how your team is protecting that information.
If you haven’t already, add these tasks to your security team’s priority checklist:
1. Update your data inventory
In several instances of organizations being sanctioned by EU supervisory authorities for GDPR violations, the offenders did not know why they had collected the personal data in question. Updating your data inventory (especially in light of new definitions of personal data) offers the opportunity to uncover previously unknown personal information and discern why it was collected before a regulator or plaintiff’s counsel asks.
2. Draft updates to your privacy “policy”
Your publicly facing notice of privacy practices is an important mechanism to convey to the public and to business partners how you use, share, and protect personal information. However, privacy policies that cite practices that don’t take place or are not enforced are a magnet for regulators who only have to prove such policies are unfair or deceptive — which is a very low bar to clear.
3. Review partner agreements
Business partner agreements contain provisions on the sharing, use, and protection of personal information, and require a thorough review. The mandates or licenses cited often border on the absurd, including requirements for SOC II reports from companies that don’t offer cloud services, co-controller status for companies that are truly data processors, and certifying an entire company as compliant with some NIST or ISO standard.
As we work our way through 2021, there are bound to be new data breaches, proposed updates to compliance legislation, and additional regulatory enforcement actions. Building a privacy-forward strategy for your organization will help you be better prepared for what the future holds.