California’s new data privacy law will affect a large population of Colorado companies. But if a new survey is any indicator, many of them are behind the eight ball in preparing for the California Consumer Privacy Act.
Enacted last year and going into effect next January, the CCPA is the first state law that gives residents some control over how companies collect, keep or use their personal data. Earlier this month, privacy compliance company TrustArc published a survey reporting that 86 percent of respondents said their companies haven’t yet completed their compliance prep for the CCPA. The law’s novel requirements and broad language are keeping many data privacy and security attorneys busy fielding tricky questions from corporate clients.
Many of the CCPA’s requirements, like the so-called “right to be forgotten,” are unfamiliar to U.S. companies that aren’t already grappling with the European Union’s sweeping data privacy rules under the General Data Protection Regulation.
But California’s law covers a much broader population of U.S. companies than the GDPR does.
The CCPA applies to for-profit businesses that do business in California and meet any one of three thresholds: annual gross revenue above $25 million; annually buying, receiving, selling or sharing the personal information of 50,000 or more California consumers, households or devices; or deriving 50 percent or more of annual revenue from selling consumers’ personal information.
The CCPA also casts a wide net because of its especially broad definition of personal information. Rather than just an individual’s name combined with another identifier such as a Social Security number or email address, personal information under the CCPA is any information that identifies, relates to or could reasonably be linked with a particular consumer or household. That sweeps in IP addresses, biometric information, geolocation data and browsing history alongside the traditional identifiers.
The crux of the CCPA is that it introduces a host of rights individuals will have regarding the use of their personal data, said Chris Achatz, a Boulder-based data privacy and security attorney with KO Law Firm.
California consumers may ask a business to disclose the personal information it has collected about them. Covered businesses must also let consumers “opt out” of having their data sold to third parties, and must honor requests to delete that data altogether.
Those privacy requirements are new territory for most U.S. businesses, whose legal obligations have mostly centered on posting a privacy policy, notifying consumers of data breaches and meeting data security standards.
“For a lot of companies, [the CCPA] is their first foray into responding to data privacy rights,” beyond just posting a privacy policy, Achatz said.
The companies that have already gone through GDPR compliance programs can leverage that work to comply with California’s new law, according to David Stauss, a data privacy and security attorney who is a partner at Husch Blackwell in Denver. “Many of the concepts and mechanisms are similar,” he added. But there are differences in how the right to deletion is implemented between the GDPR and CCPA, like which exceptions apply and how quickly companies must respond to requests, he noted. The GDPR generally requires a response within one month; the CCPA allows 45 days, and both deadlines can be extended.
The CCPA is forcing many companies to inventory what personal information they collect, which business units collect it and which third parties and vendors receive it. Mapping those data flows across a multi-tiered company is a long process, Stauss said.
It gets more complicated when a business exchanges personal information with its subsidiaries and affiliates.
Companies have to figure out which entities count as part of the same business under the CCPA and which are independent third parties. Stauss said the distinction becomes important when a consumer makes an opt-out request, for example. If a subsidiary is “selling” that consumer’s data to its parent company under the CCPA’s broad definition of a sale, the opt-out would block even that routine transfer.
A big question facing companies is just how far-reaching an opt-out request would be given their corporate structure, Stauss said. “The last thing you want to do is get yourself in a situation where you can’t do an ordinary data transfer.”
Achatz said one of the most common CCPA questions he gets from companies is how far they must go in deleting a consumer’s data when they receive a request to do so. Like the GDPR, California’s privacy law carries exceptions that allow a company to keep using personal data in certain contexts, such as completing the transaction it was collected for, detecting security incidents, debugging errors or complying with a legal obligation.
“There are limitations on that [right to deletion] that are in the CCPA that most companies just need to take a look at and work into their policies,” Achatz said. “When people hear ‘right of deletion,’ they think … this is the nuclear option, and it doesn’t have to be that way.”
Ahead of January 2020, California is weighing amendments to the CCPA that would, among other things, remove employee information from the scope of the law’s personal information definition. Some legal departments might take a wait-and-see approach to what happens to the CCPA before they undergo the bulk of their compliance preparation, an approach Stauss said he’d advise against. While certain drafting errors in the law might get fixed, “there are rights in the statute that aren’t going away,” Stauss said. “You want to get started in earnest on your compliance efforts.”
Achatz and Stauss each noted that several other states are considering data privacy bills with requirements similar to California’s.
“The point being, this is not a one-off,” Stauss said. “This is a new area of law that you’re going to have to figure out.”
— Doug Chartier