About the author
Scott M. Giordano is an attorney with more than 20 years of legal, technology, and risk management consulting experience. An IAPP Fellow of Information Privacy and a Certified Information Systems Security Professional (CISSP), Scott serves as Spirion’s subject matter expert on multinational data protection and its intersection with technology, export compliance, internal investigations, information governance, and risk management.
Over the past 24 months, roughly 35 U.S. state legislatures have passed bills into law that address the protection of personal information. Perhaps the best known of these is the California Consumer Privacy Act of 2018, or CCPA, which affords California consumers significant rights with respect to their personal information. Among these are the right to access and delete personal information that businesses have collected from them, and the right to stop those businesses from selling that information to a third party. It even affords the right to instruct a third party that already holds personal information not to use it. The CCPA draws many of its key provisions from the EU’s General Data Protection Regulation (GDPR), a groundbreaking data protection law that became enforceable in May 2018.
Industry commentators often lament the “patchwork” of U.S. state data protection laws that businesses must comply with. However, all or nearly all of these laws share three common requirements:
- The identification of personal information held in a business’s “information ecosystem”;
- The implementation of controls to protect that information; and
- The ability to effectively execute a breach response plan should that information become compromised.
What this means for your business is that mastering these three pillars of data protection will advance compliance with just about every data protection law.
Identify Personal Information
Before the advent of the Internet, the concept of personal information was largely confined to items such as Social Security numbers and information related to healthcare and personal finances. Over time, more and more information gained the potential to identify someone and to reveal further personal information about them. In particular, machine-readable information like IP and MAC addresses, geolocation data, and biometric information came to be treated as personally identifiable. Today, there are three general categories of personal information that businesses must identify throughout their organization and be able to disclose to consumers:
- “Regular” or traditional personal information, such as Social Security, driver’s license, and phone numbers; street addresses; and dates of birth;
- Machine-readable information, including IP and MAC addresses, IMEI/IMSI/ESN (from mobile devices), geolocation/GPS data, log files, and browser cookies; and
- “Special” personal information concerning someone’s healthcare, political/religious affiliations, trade union activities, and similarly sensitive items.
The universe of information deemed personal is constantly evolving. This year, the Washington state legislature passed legislation that added the last four digits of a Social Security number to its list of personal information. The proposed successor to the CCPA, the California Privacy Rights Act of 2020 (CPRA), adds still more types of personal information to California’s list.
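The first two categories above are defined by identifier formats, which is what makes them discoverable by scanning; the third is about what the data says about a person and has to be classified by source or by a reviewer. The following is an added example written for this page, not Spirion’s product or code from the author. It scans a constructed sample record, validates each hit (SSA issuance rules for Social Security numbers, the Luhn check digit for IMEIs, octet range for IPv4) so that look-alike numbers are dropped, and tags each finding with the article’s category. The kind names, patterns, and the keyword-anchored “last four of SSN” rule are the editor’s assumptions.

```python
"""Toy personal-information discovery scan, tagged by the article's categories.

Added example, not Spirion's product or the author's code. The "special"
category (health, religion, union membership) is content about a person, not
a fixed identifier format, so it is deliberately not matched here; it needs
classification by data source or a human reviewer. Patterns and the sample
record are constructed.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str  # "regular" or "machine-readable"
    kind: str      # e.g. "ssn", "ipv4"
    value: str


def luhn_ok(digits: str) -> bool:
    """Luhn check digit (used by IMEIs); rejects most random 15-digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_ok(ssn: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    area, group, serial = ssn.split("-")
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def ipv4_ok(ip: str) -> bool:
    return all(0 <= int(octet) <= 255 for octet in ip.split("."))


def always(_: str) -> bool:
    return True


# (category, kind, pattern, validator). Where a pattern has a capture group,
# only that group is the identifier; the rest is context such as the word "SSN".
PATTERNS = [
    ("regular", "ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), ssn_ok),
    # Washington-style "last four of SSN": four bare digits are only personal
    # data when context says what they are, so the keyword is part of the match.
    ("regular", "ssn_last4",
     re.compile(r"(?i)\b(?:ssn|social security)\D{0,20}?(\d{4})\b"), always),
    ("regular", "us_phone",
     re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}(?!\d)"), always),
    ("machine-readable", "ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), ipv4_ok),
    ("machine-readable", "mac",
     re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b"), always),
    ("machine-readable", "imei", re.compile(r"\b\d{15}\b"), luhn_ok),
]


def scan(text: str) -> list[Finding]:
    """Return every validated identifier in `text`, tagged by category."""
    findings = []
    for category, kind, pattern, validate in PATTERNS:
        for m in pattern.finditer(text):
            value = m.group(1) if m.lastindex else m.group(0)
            if validate(value):
                findings.append(Finding(category, kind, value))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count hits per category, the shape a disclosure inventory needs."""
    return dict(Counter(f.category for f in findings))


# Constructed sample record; the last line holds decoys that look right
# but fail validation and must not be reported.
SAMPLE = """\
Customer: J. Doe, DOB 1980-01-02, SSN 123-45-6789, phone (206) 555-0142
Support note: caller verified with SSN ending in 6789
Device: IMEI 490154203237518, MAC 00:1a:2b:3c:4d:5e, last seen from 198.51.100.7
Decoys: SSN 000-12-3456, IMEI 123456789012345, IP 256.1.1.1
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.category:17} {f.kind:10} {f.value}")
    print(summarize(scan(SAMPLE)))
```

Running it reports six findings, three in each category, and none from the decoy line. The validators are what keep a scan like this usable at scale: a bare regex for nine digits or fifteen digits fires on invoice numbers and timestamps, while the issuance rules and check digit cut most of that noise. The same structure extends to other identifiers from the list above (IMSI, GPS coordinates) by adding a pattern and a validator.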
Protect Personal Information
Common to data protection laws is the mandate to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information” (per the CCPA), or some variation of that theme. These procedures and practices fall into three categories of controls: physical (locks on cabinets, alarm systems), technical (firewalls, multi-factor authentication), and administrative (policies and procedures). Data protection laws take different approaches to specifying them:
- No specified controls. Perhaps most common are laws that do not specify controls at all; they leave it to the organization to decide for itself what is reasonable. Examples include the CCPA and CPRA.
- Some controls cited. These laws cite a few controls as examples. The GDPR, for instance, names encryption and pseudonymization as favored controls but leaves it to the organization to determine which “technical and organisational [security] measures” are appropriate. Oregon expands on this approach, giving fairly long lists of acceptable controls for each of the three categories.
- Many controls cited. These laws mandate a list of controls; the organization is still free to add more, or to document why it is replacing a mandated control with an alternative. New York’s Department of Financial Services’ 23 NYCRR Part 500 regulation and HIPAA’s Security Rule are examples.
Respond to Data Breaches
The GDPR set the benchmark for breach notification: a controller must notify its supervisory authority within 72 hours of becoming aware of a breach of personal data (the GDPR’s definition covers loss of confidentiality, integrity, or availability of that data). In the U.S., the most common standard is to notify affected persons “without unreasonable delay” or similar wording. In addition, a relatively common feature of these laws is the “risk of harm” test; i.e., reporting the breach is only necessary if there is a risk of harm to affected individuals. Art. 33 of the GDPR, for example, requires the controller to notify the supervisory authority unless the breach is “unlikely to result in a risk to the rights and freedoms of natural persons.” Some U.S. states take this approach as well; Massachusetts, Maryland, and Utah all have some form of the “risk of harm” test.
Another aspect of breach reporting is notifying business partners. Many laws require service providers to notify their customer organizations immediately upon detecting a breach or other compromise, or within a very short window. Under Art. 33 of the GDPR, a processor (service provider) must notify the controller it works for “without undue delay.”
Finally, a growing trend in the U.S. is a requirement to notify the consumer credit bureaus (such as Equifax) of a breach that exceeds a certain threshold (e.g., 500 affected persons). The idea is that the bureaus should be aware of, and able to account for, the potential for fraud that follows the breach.
The Global Outlook
Inspired by the adoption of the GDPR in 2016, governments around the world have dramatically improved legal protections for personal information. Some examples include:
- Brazil, with the Lei Geral de Proteção de Dados Pessoais (LGPD), which offers comprehensive protection of personal data;
- Thailand, with the Personal Data Protection Act B.E. 2562 (2019) (PDPA), which draws key elements from the GDPR; and
- Japan, with amendments to its Act on the Protection of Personal Information (APPI), which enabled Japan to receive “adequacy” status from the EU and thus allows the free flow of personal data from the EU to Japan.
Updates to existing data protection regimes (or the creation of entirely new ones) have taken place over the past 12 months in South Africa, New Zealand, and Egypt. This trend will almost certainly continue, and businesses are now expected to treat protection of personal data as simply part of their products and services. By mastering the three pillars of data protection described in this article, you will find that you have substantially advanced compliance with nearly every data protection law in the world.