(by Justine Kasznica)
In 2018, California signed into law the first state-level comprehensive privacy act, the California Consumer Privacy Act of 2018 (CCPA), which will go into effect Jan. 1, 2020. In part due to the CCPA’s broad scope and reach beyond California, as well as the large fines and penalties for CCPA noncompliance, the law is influencing and setting a high bar for data protection practices nationwide. Since the CCPA was signed into law, several states have proposed or enacted similar legislation, turning privacy and cybersecurity into a patchwork of state-led experimentation.
We are seeing more states joining California and developing their own privacy laws, which will make it difficult for companies to track and comply with every state’s privacy act, not to mention the privacy regimes in non-U.S. jurisdictions, such as Europe’s General Data Protection Regulation (GDPR).
While some states are beginning to enact or consider uniform approaches to privacy and cybersecurity, such as the NAIC Model Law for Cybersecurity, it will take time for such models to emerge and achieve the requisite consensus. In the absence of a uniform federal and state approach to privacy, businesses need to take the initiative now and be aware of the various state, federal and foreign laws being introduced and enacted, even if their operations are not yet affected.
How does California’s privacy act work?
The California Consumer Privacy Act of 2018 (CCPA) protects consumers who are residents of California by giving them rights to disclosure, access, deletion and control (opt-out and portability rights), and by prohibiting businesses from discriminating against consumers who exercise those rights. It also addresses the data privacy rights of minors under the ages of 13 and 16. The CCPA is modeled on the GDPR, articulating similar individual consumer rights (even if their terms differ) and imposing business obligations and enforcement mechanisms. While compliance with the GDPR may facilitate CCPA compliance, the two privacy regimes deviate in their definitions of personal information/data, the scope of the rights protected, the organizations affected, and penalties and enforcement.
The CCPA applies to for-profit entities (and to non-profits that control, are controlled by, or are under contract or in a relationship with an affected for-profit company) that do business in California and collect, or direct the collection of, personal information of consumers, if such an entity meets any of the following thresholds:
- Has total annual gross revenues in excess of $25 million a year.
- Receives, sells or shares the personal information of 50,000 or more consumers, households or devices of California residents.
- Derives 50 percent or more of its annual revenue from selling personal information of California residents.
The regulations are expected to be finalized in the spring of 2020, with enforcement beginning July 1 (although the attorney general has indicated that his office may look back to the first half of the year for bringing enforcement actions). CCPA violations could lead to large cumulative fines, civil penalties and statutory damages, particularly where violations of the law are deemed to be intentional.
What should businesses do with regards to compliance?
In light of the rapidly changing privacy regulatory landscape, companies are encouraged to evaluate how they operate and collect, store and process personal information. Many U.S. companies, including those in the Pittsburgh region, will need to change their data privacy practices to comply with the CCPA, GDPR and other applicable privacy laws. Even those companies that are not themselves subject to a particular privacy law may be affected if they partner or do business with companies that need to comply with such a law, and the compliance obligations are passed on to them by contract.
The following is a pragmatic approach to privacy law compliance:
- Perform a data privacy assessment, designed to capture whether and what kind of personal information an organization collects, for what purpose it is collected, and how the information is being used. Achieving consensus on the definition and categories of personal information/data will be critical to this exercise.
- Take time to understand which privacy laws and regulations apply or will apply to your organization.
- Make sure to work with legal counsel to modernize or update your terms and conditions, privacy policies, and cookie and other data-collection policies.
- Compliance with CCPA may require the redesign and deployment of new internal and user-facing processes, safeguards and tools to enable individuals to exercise their rights with respect to their personal information. These may include the implementation of new communication tools, notices, banners and opt-in or opt-out features, as well as data access, correction and deletion procedures. Make sure to plan ahead and budget time and resources for such changes.
- If you believe your organization is subject to the CCPA, reach out to experts in legal, risk and IT, who can work together to ensure the business is compliant.
Bottom line: Whether your organization falls within the scope of the CCPA or not, a wait-and-see approach is not a good strategy. Privacy laws are only going to become more important as the landscape evolves, and the GDPR and CCPA are just the beginning.