As we stand on the eve of drastic change to the data privacy legal landscape in the United States, many companies are preparing to analyse their business practices and wondering where to start.
There is considerable ambiguity regarding what compliant data privacy practices look like in 2020 due, at least in part, to one moving target – the California Consumer Privacy Act (CCPA). Taking effect on January 1, 2020, the CCPA is the first comprehensive privacy law in the US and will revolutionise a legal landscape that has been famously sector-specific by imposing European-style privacy mandates on entities across the country.
Revelations of extensive and previously undisclosed data sharing by Facebook, which came to light in the 2018 Cambridge Analytica incident, were the likely impetus for California businessman Alastair Mactaggart’s success in launching the ballot initiative that resulted in the rushed enactment of the CCPA – with the backing of large Silicon Valley technology companies such as Facebook and Google – in the summer of 2018.
The CCPA applies to any sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organised or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on whose behalf such information is collected, and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
- has annual gross revenues in excess of $25m;
- alone or in combination, annually buys, receives, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices; and/or
- derives 50% or more of its annual revenues from selling consumers’ personal information.
The law requires high levels of transparency to consumers regarding how their personal information is used and shared, and gives individual consumers rights to access, delete, correct, and prevent the sale of their personal information, among other things.
Personal information is very broadly defined to include any information capable of being associated with a person. The California Attorney General may enforce the CCPA beginning July 1, 2020 (or six months after issuing regulations, if sooner) and may seek $2,500 to $7,500 per person per violation. There is also a private right of action in the event of unauthorised access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, and a private plaintiff may recover $100 to $750 per person per violation without any showing of harm.
The law calls for the California Attorney General to promulgate binding rules in furtherance of some of its provisions. Technical amendments took effect in September 2018, and dozens of additional proposed amendments are the subject of debate in Sacramento.
Federal law?
Other states appear primed to pass similar, but slightly different laws. Early 2019 saw the emergence of similar bills in Washington, New York and New Mexico, among others.
There is also a much higher likelihood that an omnibus federal privacy law will pass sometime in the next few years. For the first time in US history, executives at the largest technology companies, including Apple, Google, and Facebook, are calling for a federal privacy law. More than half a dozen bills have also been proposed by legislators on both sides of the aisle at the federal level, raising the question of pre-emption.
It is clearly time for private entities in the US to prepare for change, but change can be expensive, especially when it involves legal fees and business practice pivots. How does a company begin? The answer lies in data governance as the first step in an ongoing process.
The European Union’s General Data Protection Regulation (GDPR) is built around the themes of transparency and choice regarding an entity’s data use. CCPA, following in the footsteps of GDPR, is fundamentally built around the same themes. As such, a data governance programme focused on transparency and choice will set a company on the road towards compliance.
Knowing your data
The first step in creating such a data governance programme is sometimes referred to as ‘knowing your data’, and is carried out by a process called data mapping or data inventory. A company cannot possibly be transparent in its data practices if it fails to know where all of its data is and what is being done with it. Data mapping is the process whereby a company audits itself and determines: what kind of data it collects, from whom and for what purposes; where the data is stored; how long the data is kept; and if the data is transferred (where and why).
A company should also take steps to segregate its data as appropriate and address access controls as part of a larger and holistic information security programme. This allows the company to address applicable privacy law requirements with respect to the source, type, and use of data (including assigning retention limits, meeting collection purpose limitation requirements, and facilitating consumer access rights). This also permits the company to classify/assign levels of sensitivity so data is stored with security proportional to such sensitivity.
Another step in a data governance programme is contract review and vendor management. If a company makes data available to third parties, including vendors, existing laws require that a contract be in place outlining the parameters of the transfer, the purpose of the transfer, the limitations on use, and the responsibilities of each party including if in the event of mishandling or breach. If a contract is already in place, it will need to be updated to meet the new CCPA requirements of transparency and choice with a ‘data protection addendum’ or similar amendment.
‘Privacy By Design’
Building privacy into business processes and practices, is another critical piece of a mature data governance programme. Exemplary of one potential approach to ‘Privacy By Design’ are procedures that require ‘pseudonymisation’ of personal information.
The CCPA introduces for the first time in US privacy law a concept of pseudonymisation, defining it as ‘processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer without the use of additional information, provided that the additional information is kept separately and is subject to technical and organisational measures to ensure that the personal information is not attributed to an identified or identifiable consumer’. Although pseudonymised information is still personal information, both the CCPA and the GDPR reward risk mitigation in the form of such measures.
The future of privacy regulation in the US remains opaque, but the time is long gone to begin compliance efforts. Organisations should launch and advance data governance programmes that promote legal compliance, best practice and responsible data stewardship.