The California Consumer Protection Act bears a resemblance to the GDPR, but there are significant differences. Perkins Coie’s Dominique Shelton Leipzig, Susan Fahringer and Anna Mourlam discuss how to use GDPR as a jumping-off point for CCPA compliance.
Since the implementation of the General Data Protection Regulation (GDPR) on May 25, 2018, the EU’s Supervisory Authorities have logged over 144,000 queries and complaints, 89,000 data breach notifications and a staggering 281,088 national and 446 cross-border cases. And it is not just investigations: In November 2018, Knuddels, a German social media company, was fined €20,000 (US $$22,400) for failing to securely store the personal data of its customers. In December 2018, a Portuguese hospital was fined €400,000 (US $44,800) for allowing improper access to patient records. This year, a taxi company in Denmark was fined 1.2 million kroner (US $180,000) for retaining personal information, and a Polish data processing company €220,000 (US $246,300) for scraping the internet for personal information (PI) to contact individuals for promotional purposes. Most recently, the U.K.’s data watchdog announced plans to fine Marriott £99 million (US $120,353,805) and British Airways £183 million (US $222,472,200) over last year’s data breaches — the highest fines levied to date.
These fines and related enforcement trends give some insight into activity we can expect in connection with the California Consumer Privacy Act of 2018 (CCPA), which will become effective on January 1, 2020. Like the GDPR, the CCPA grants rights to consumers and imposes corresponding obligations on covered businesses. The rights of consumers covered by the CCPA include
- an abbreviated right to request that a business make certain disclosures about the PI they collect (Cal. Civ. Code § 1798.100),
- an expanded right to disclosure regarding the PI the business collects (id. § 1798.110(a)),
- a right to disclosure regarding the PI that is sold or disclosed for a business purpose (id. § 1798.115),
- a right to opt-out of the sale of PI (id. § 1798.120),
- a right to opt-in for the sale of a minor’s PI (id. § 1798.120(c)),
- a right to deletion of PI collected (id. § 1798.105),
- a right to access PI (id. § 1798.100(d)) and
- a right to not be discriminated against for exercising any of the rights granted by the CCPA (id. § 1798.125).
The CCPA defines “consumers” to mean California residents and generally defines “business” as for-profit entities that meet certain threshold requirements (§ 1798.140(g) (consumer), (c) (business)). The CCPA provides for enforcement by the California Attorney General, as well as a private right of action allowing consumers to sue under limited circumstances.
Adopting procedures to implement the obligations set out in the CCPA will help a company to minimize both business disruption and enforcement risks in connection with CCPA. To help ensure compliance with the GDPR and the CCPA and to help leverage steps already taken in connection with the GDPR, we recommend that businesses take steps in each of the following six phases. These phases are based on the French Data Protection Authority’s Six Steps for GDPR Compliance and Federal Trade Commission orders such as the Vizio 2017 order.
Phase 1: Appoint an Individual or Task Force to Lead the Privacy Program
The appointed leader or task force must monitor compliance, advise the organization, verify implementation and serve as a point of contact.
Phase 2: Update your Data Map to Include California-Specific Questions
The process of creating and maintaining a data inventory differs from company to company, but several key steps are common across industries. First, the business must identify all PI that it is collecting and where, or from whom, such information is obtained. The business must also identify where the PI is stored and whether it is shared or sold to others (and, if so, for what purpose). In addition, the inventory should have a mechanism to track the 12-month “look-back” period for responding to consumer data requests as required under the CCPA.
Phase 3: Conduct a Gap Analysis or Risk Assessment
After conducting a data inventory, a business should assess its risks by benchmarking its policies and practices with the CCPA. A typical gap analysis:
- lays out the applicable legal requirements/standards,
- identifies the business’s relevant policies and practices,
- analyzes the ways in which the business is or is not compliant as to each legal requirement/standard and
- provides detailed recommendations on the steps it can take to establish substantial compliance.
Conducting a gap analysis as part of developing a comprehensive privacy program allows a business to proactively identify the privacy and data security risks and mitigate them. With a comprehensive understanding of its risks, a business can properly allocate resources to the gaps of varying risk levels and can make sure its policies and procedures are in compliance with the law. Finally, by implementing the recommendations set forth in a reliable gap analysis, a business can demonstrate substantial compliance to stakeholders as well as in response to enforcement actions.
Phase 4: Conduct a Data Impact Assessment for High-Risk Processing
Like the GDPR, certain categories of data may pose heightened risk for enforcement action under the CCPA. As a pre-emptive measure, businesses should take care to identify all data flows associated with children, medical, financial or location data, as well as address any gaps in the necessary processing protocols.
Phase 5: Begin Mitigating Risks
After all the potential risks have been identified, the business should begin updating or implementing the appropriate policies and procedures. For example, a business can review employee training materials and consider whether updates are required, particularly for employees who handle consumer privacy inquiries.
Other steps to consider include user interface updates to the business’s website and mobile applications (e.g., adding a link to opt-out of selling or, in the case of children, a link to opt-in), as well as determining how to implement the 12-month look-back capability within technical systems.
Phase 6: Stay Vigilant!
Compliance does not end with implementation. A business should create an auditable record of compliance, as well as continue to monitor the legal landscape. Although privacy regulations are here to stay, best practices are in constant flux and require close watch — both here and overseas.