This past July we posted an article about Europe’s General Data Protection Regulation (GDPR), which took effect in May 2018: Go here.
The law set out, for businesses in Europe or with European activities, the rules governing the collection, storage, and use of consumers’ personally identifiable information, and it gives consumers broad powers over how companies may and may not use their data.
It was predictable that such legislation would eventually come to the US, and California is the first state. The California Consumer Privacy Act of 2018 (“CCPA”) was signed into law on June 28, 2018. California consumers now have a very similar level of control over their personal data. Widely regarded as the toughest privacy law yet enacted in the US, CCPA is poised to affect every industry and reshape what businesses can do with consumer data.
Not all businesses that store California consumers’ data are obliged to comply with CCPA. A company that does business in the state is outside the new regulation only if it falls under all three of the following thresholds: (a) it buys, receives, sells, or shares the personal information of fewer than 50,000 California consumers, households, or devices per year; (b) it has annual gross revenue under $25 million; and (c) it derives less than 50% of its annual revenue from selling California consumers’ personal information. A business that crosses any one of these thresholds is subject to the new regulation.
CCPA in brief
The main difficulty with the CCPA is the definition of consumer personal information. It describes “personal information” as any data that can reasonably be linked to an individual or household – biometric data, behavioral data, network and device data, even browsing history. Compared with GDPR, CCPA gives a broader definition of personal information and imposes more stringent restrictions on the commercial use of that information, particularly on sharing it.
The law firm White & Case has published an extremely useful article that compares the basic provisions of the CCPA with the GDPR here.
There is also a good article from Fox Rothschild on the territorial scope of GDPR here.
However, the practical impact of the law will depend on its final wording. To head off a costly fight over a proposed ballot initiative, the State of California passed CCPA quickly, before the November 2018 election. The law takes effect on January 1, 2020, but the text as passed contains inconsistencies and gaps, so the State Legislature is expected to take up several clarifying amendments. One amendment, which clarifies the fine provisions and commercial rights and adds some definitions, has already been passed; others are expected before the law is implemented. For businesses trying to comply, building a compliant business model will be difficult until lawmakers pass revised language that spells out consumers’ privacy rights and businesses’ obligations.
For now, companies should be reviewing the key components of CCPA and outlining changes to how they handle consumer personal information of California consumers.
In simplest terms, the key consumer-protection provisions of CCPA are:
Right to Know: Businesses must disclose the categories of personal information they collect about California consumers and the purposes for which it will be used. Consumers may further request the sources from which the information is obtained, the business purpose for collecting or selling it, the categories of third parties with which it is shared, and the specific pieces of personal information the business holds about them.
Right of access and data portability: Consumers may request their personal information up to twice in a 12-month period. Businesses must provide at least two methods for submitting requests, one of which must be a toll-free telephone number, and must respond within 45 days of receiving a verifiable request. Because the request must be verifiable, a business also needs a reliable way to confirm the requester’s identity before releasing anything; otherwise the access right becomes a channel for anyone to pull another person’s data.
Right to be forgotten: Consumers reserve the right to instruct businesses to remove and destroy the consumer’s personal information (with certain exceptions), and businesses are required to inform the consumer of this right.
Right to opt out: Consumers have the right to opt out of any business’s plan to sell the consumers information, and businesses are required to inform consumers of this right.
Right to opt in: Businesses are prohibited from selling the personal information of children under 13 without a parent’s or guardian’s consent, and must obtain the affirmative consent of minors aged 13 to 16 before selling their information.
Right not to be discriminated against: A consumer who exercises their rights under the law is protected from retaliation. Businesses may not discriminate against such a consumer, for example by charging different prices for the same goods or services, providing a different level of service, or refusing to provide goods or services at all. Price or service differences are permitted only where they are reasonably related to the value that the consumer’s data provides to the business.
Additional responsibilities and penalties companies face under CCPA include:
Granting consumers access, deletion, and opt-out rights: Honoring these requests reliably means knowing where every copy of a consumer’s data lives, including backups, logs, analytics stores, and third-party processors, which can require deep changes to an organization’s internal and external technology infrastructure.
Significant statutory penalties: The state Attorney General is authorized to enforce the law, and civil penalties can be imposed of up to $7,500 per intentional violation. The law also includes a private right of action tied to its data breach provision: a consumer whose nonencrypted and nonredacted personal information is exposed in a breach caused by the business’s failure to implement and maintain reasonable security procedures may sue for statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater, with no explicit requirement of intent. Because the provision reaches only unencrypted, unredacted data, encryption of stored personal information directly reduces this exposure. These provisions will likely be attractive to plaintiffs’ lawyers.
Broad regulatory powers and discretion: The Attorney General of California is given wide-ranging authority to enforce this law and to award fines and impose injunctive relief.
Because of the onerous nature of CCPA, companies in every industry and profession need to understand their processes for data collection, use, storage, and destruction.
Some internal steps your firm should take include:
Implementing data tracking: A data inventory and audit trail is the essential first step in a privacy compliance program. Companies should know where personal information enters the business, where it is stored, who it is shared with, and whether each step of that handling meets CCPA requirements.
Conducting a gap analysis: A review of your current privacy policies and responsibilities can uncover exposures that can then be addressed.
Updating IT and privacy policies: All policies and procedures related to consumer personal information should be updated to reflect CCPA compliance requirements.
Understanding insurance coverage: As with GDPR, CCPA fines and penalties are expected to be uninsurable in most of the US. However, CPAGold™ is actively monitoring developments in California and developing insurance coverage to reflect these new exposures. Check your professional liability policy for coverage.
Your firm can mitigate its exposures and put meaningful methods in place that help tackle privacy regulatory concerns. Working with experts who are well-versed in GDPR-level compliance matters can help your company be better prepared to conduct business within the new CCPA privacy landscape.
This article was inspired by a blog post from AXA XL, which can be read here.
Jorgensen & Company are not attorneys and do not offer any form of legal advice. Consult with appropriately qualified local counsel for more assistance. Rickard Jorgensen is President and Chief Underwriting Officer for the CPAGold™ program and may be contacted at (201) 345 2440 or firstname.lastname@example.org