CCPA: Businesses want to be compliant. They just need to know how.
Big tech companies prefer federal privacy law
Arguments between big tech companies and lawmakers over what is fair legislation, and what could unjustly impede tech businesses’ efforts to sell their wares, are unlikely to dwindle any time soon. Interestingly, according to a report by Fortune, “Facebook, Google, Apple, and the Internet Association, which lobbies on behalf of its members like Amazon, Facebook, Twitter, and Airbnb, all say they support federal laws aimed at protecting user privacy. What the companies differ on with many privacy advocates, however, are the details.
A number of tech companies are embracing federal legislation, to a point, because they would otherwise have to abide by a hodgepodge of state laws. They’re already preparing for the California Consumer Privacy Act, the nation’s first state law for data privacy, which takes effect in 2020.
Policymakers are increasingly concerned about how companies collect, store, and use consumer data. And that has turned into a push for rules about how companies must protect consumer information and how they must be more transparent about how they use that data.”
As with any new legislation, various amendments are proposed and either passed or rejected before a new law comes into effect. The CCPA is no exception. California’s Attorney General is currently proposing further amendments to the CCPA. However, there are fears that these latest proposals may not be of much help to companies that are struggling with how to comply with the law, with some claiming that the proposed amendments, if passed, will serve to incentivize private enforcers to file suits, incurring severe penalties even in cases where alleged violations do not cause any actual harm.
However, penalties imposed for non-compliance are unlikely to be waived simply because the defendant “didn’t know”. As the saying goes, “Ignorance of the law is no excuse.”
That said, California’s privacy law should be accompanied by adequate clarification, in order to promote clear understanding and ease compliance, while at the same time limiting private remedies by tailoring them to the culpability of a defendant’s actions and conduct.
Lessons from the GDPR experience
Enforcing data privacy law while educating data users on how to achieve compliance is no mean feat for any regulatory body. Indeed, before the General Data Protection Regulation (GDPR) became law, the UK’s Information Commissioner’s Office (ICO) was already busy creating comprehensive help on its website, answering commonly asked questions, and providing clear instructions and compliance checklists for all types of organizations, whether commercial entities, not-for-profits, government departments, schools, churches or charities. The volume of helpful information and guidance published by the ICO has grown considerably since the GDPR came into effect in May 2018.
However, despite the ICO’s best efforts, small business owners across the UK admitted in a recent survey that they are still “clueless” about the GDPR.
50% of the 1,000 businesses polled confessed to being confused by data protection and privacy rules. As a result, business owners and employees are still making mistakes, or have unlawful processes which could attract multi-million-pound fines.
More than 25% of businesses allowed employees to use their own computers, tablets and phones for work purposes. This contravenes data privacy rules, as personal data could be stored unencrypted at home.
Astonishingly, the latest round of proposed amendments to the CCPA include the elimination of the AG’s obligation to provide guidance to businesses, upon request, about how to comply with the CCPA.
CCPA in a nutshell
The CCPA is due to come into effect on January 1, 2020, although actual enforcement has been deferred until July 1, 2020. In simple terms, the new law gives California consumers the right to require that a business which collects personal information about the consumer disclose:
the categories of sources from which their personal information is collected,
the categories of third-parties with whom their personal information is shared, and
the specific pieces of their personal information collected and shared.
Additionally, the law grants California consumers the right to opt-out of the “sale” of their personal information by a business subject to the CCPA.
The CCPA applies to companies that:
have annual gross revenues of $25,000,000 or more; or
annually buy or receive for commercial purposes the personal information of 50,000 or more consumers, households or devices; or
derive 50% or more of their annual revenues from selling consumers’ personal information.
California’s privacy law, in its current form, allows lawsuits by private individuals whose “nonencrypted or nonredacted personal information, …is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.”
The plaintiff must give 30 days’ notice of the claimed breach, allowing the notified company the opportunity to cure the breach. The private right of action allows plaintiffs to seek civil penalties of $100 to $750 “per consumer per incident,” or actual damages, whichever is greater.
As well as private individual suits, the Attorney General is authorized to seek up to $7,500 in civil penalties for each intentional violation, or $2,500 for each unintentional violation which is not cured within 30 days following the receipt of the notice of violation.
Implications of CCPA in its present form
It is reported that several aspects of the CCPA in its present form pose particular concerns for businesses.
Disclosure and opting-out of the sale of personal information
Companies have an abundance of choices of third-party ‘Software as a Service’ (SaaS) solutions when it comes to optimizing customer-facing business operations. While the GDPR takes SaaS relationships into account by requiring Data Processing Agreements between “Data Controllers” and “Data Processors”, so that each has a legally binding set of obligations regarding the processing of personal information, the CCPA holds the Data Controller responsible for the processing (or “sale”, pursuant to the CCPA) of personal information.
Therefore, in order to meet the requirements of disclosure (Section 1798.110) and/or opt-out requests (Section 1798.120), a business is required to maintain a list of its SaaS vendors, as well as the exact personal information collected by those vendors. Additionally, it must state whether or not this personal information is subsequently “deidentified” (as per Section 1798.125(h)) by each applicable SaaS vendor.
This is usually where the appointment of an appropriately qualified data privacy practitioner is called for, since trying to understand and implement these obligations can be a seriously daunting task. Firstly, the obligations on a company under these sections only arise when it receives a “Verifiable Consumer Request.” Unfortunately, the current statutory definition of the term “verifiable consumer request” fails to explain how a company should verify such a request without some additional personal information, which the individual concerned may not want to provide. So far, the AG has not provided any guidance on how businesses should prepare for receiving consumer requests.
Another puzzle with no apparent solution concerns the precise handling of verifiable consumer opt-out requests. Once a company deletes a consumer’s data following such a request, is it legally entitled to retain any of the consumer’s personal data, in order to prove that it did in fact carry out the request, as prescribed by the CCPA? Currently the bill provides no clues concerning this issue.
Employees’ personal information
Despite being named the “California Consumer Privacy Act”, the law could be interpreted to include the personal data of a company’s employees. According to the CCPA, the definition of “Consumer” is “a natural person who is a California resident”. Interestingly, the legislative findings acknowledge that “it is almost impossible to apply for a job ...without sharing personal information;” and the definition of “personal information” includes “professional, employment-related information.”
Within the context of employment, there are two instances in which the CCPA allows a business to decline a deletion request, relating to the business’s internal operations:
“to enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business”; and
to “otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.”
While it may appear that these exceptions allow businesses to retain several pieces of employee information, it is essential that they understand how to remain compliant with the CCPA while maintaining employee records - particularly where those records contain the personal information of former employees - in accordance with a company’s record retention policy.
The latest proposed amendments
At a time when businesses thought they had at least some understanding of how the CCPA will work from an enforcement and penalty perspective, California’s Attorney General Xavier Becerra fully supported the introduction of Senate Bill 561 on February 22, 2019.
It should come as no surprise that the AG supports the proposed changes since they remove some of the biggest headaches for enforcement and administration. These include elimination of the AG’s obligation to provide guidance to businesses, upon request, about how to comply with the CCPA, and the removal of a 30-day cure period before enforcement actions can begin - although the 30-day cure period for individual claims remains in place.
This might provide some light relief for individual claims. However, it is doubtful that a company could “cure” something as severe as a data breach, or another violation such as a failure to respond to a consumer request within the currently imposed time limit. Possibly the 30-day cure might provide some degree of defense against ‘de minimis’ technical violations, such as the failure to provide appropriate notification language, disclosures, or contact information for consumers. One could argue that even the failure to provide an adequate response to a cure notice could, in itself, raise a claim for statutory damages.
At this time, it is unclear whether SB 561 will be approved. Even in its current form, the private right of action could create significant liabilities for businesses, which are totally disproportionate to the actual harm (since the law does not require actual harm) or to culpability (because the law imposes liability even for violations that are neither intentional nor negligent).
And while businesses consider the potential commercial consequences, the law may also have some unintended outcomes for consumers. The CCPA could restrict the use of data which currently enables customers (who want it) to have more personalized online shopping experiences because:
it could potentially have a negative impact on a consumer’s ability to receive discounts through loyalty programs, or use free apps that are paid for by advertising; and
businesses will inevitably push the cost of CCPA compliance onto consumers; and
to the extent businesses exclude California consumers from their current business promotional programs, consumers within the state may be adversely affected.
CCPA: Not the only new kid on the block
It is widely acknowledged that while the CCPA was largely based on the EU’s GDPR, it is also the first comprehensive data privacy legislation to be introduced in the U.S. As several other states develop their own privacy laws based on the CCPA, others are also considering similar legislation. On top of this, Congress continues to debate and create, albeit slowly, a new federal privacy law.
This means that businesses will have their work cut out for them, as not only will they need to comply with California’s strict privacy law, but also with laws enacted in other states, as well as federal law, which will most likely impose differing requirements.
If businesses are to comply with the CCPA, as well as a federal law, plus privacy laws in other states, they will need to gain sufficient understanding of them. Some argue that a unified approach to data privacy makes a whole lot more sense than the hodgepodge of state laws that seem to be emerging. It is open to debate whether this will happen any time soon.
In the meantime, while the California Attorney General supports a move to rescind any obligation to provide guidance to businesses who are simply asking for some direction on how to comply with the law, California should consider whether the CCPA’s requirements are clear enough for compliance to be achievable.
Share your views or concerns about the CCPA. How are you doing with your preparations for compliance? What questions can we help you with?