The California Consumer Privacy Act, along with other states' rules, introduces potentially costly compliance risks; GDPR experience is of limited help
Friday, August 23, 2019
By John Hintze
Financial institutions and other companies are facing major challenges in gearing up for state privacy laws taking effect across the U.S. - and not just the most prominent of them, the California Consumer Privacy Act (CCPA). Upwards of a dozen states, including New York and Washington, are issuing regulations; some requirements will overlap and others won't, creating compliance headaches that put affected organizations at risk of fines and, worse, business disruptions.
Nevada kicks off this round, with rules that go into effect in October. The Nevada and California laws - the latter kicking in at the start of 2020 - impact any companies collecting data on customers residing in those states. The Nevada law is narrower than California's, mainly expanding on existing requirements, and it exempts companies that already must comply with the Health Insurance Portability and Accountability Act (HIPAA) or the financial industry's Graham-Leach-Bliley Act (GLBA).
“That's where this becomes tricky, because all the laws have different requirements and different standards,” said Dave Deasy, senior vice president of marketing at TrustArc, a privacy-compliance platform company based in San Francisco.
Federal legislation that might preempt the multiple state laws has been discussed for the last few years but is not likely to be passed in the foreseeable future, said Linda ThielovÁ, privacy counsel at privacy and security technology company OneTrust.
A survey this year by OneTrust and the International Association of Privacy Professionals (IAPP) identified reputation as the primary motivator for CCPA compliance, followed by protection of consumer privacy, and concern about sanctions and enforcement actions.
In a TrustArc survey, 68% of respondents pointed to vendor and other third-party expectations as the main driver for CCPA compliance, followed by fines and class-action lawsuits. At less than 10 months before the effective date, only 14% of companies surveyed then across the U.S. were compliant with CCPA, and 44% had not yet started the implementation process.
“I've had major customers telling me that as part of a security audit, if they can't show those third parties they have sufficient privacy-security measures in place, they will stop doing business with them,” Deasy said.
Details Still Pending
Half of OneTrust-IAPP survey participants said they anticipate being CCPA compliant by the end of 2019, and another 25% by July 1, 2020, when the California attorney general's office intends to begin enforcing the rules.
Although some companies may have closed the gap since the survey was conducted, CCPA is still very much a work in progress. ThielovÁ noted that with some of the law's provisions still pending, there will be changes as companies pursue their compliance efforts, and some of those will be significant. For example, the definition of “consumer” currently includes a company's employees, enabling them to exercise rights to view personal data held by the company and to delete it.
“That probably wasn't the original intention, and the amendment is pushing to clarify that employees are excluded from the definition of consumer,” ThielovÁ said. “That's important, because otherwise companies will have this new layer of employees to loop into compliance.”
Also to be clarified is “valuable consideration,” in the context of CCPA's stipulation that companies can't sell, rent, disclose or otherwise release data without customer permission or for valuable consideration.
“That's a pretty big gap that needs to be filled in,” said Rich Vestuto, a Deloitte Risk and Financial Advisory managing director.
No Way Around It
Imposition of privacy requirements state-by-state creates multiple challenges. Vestuto noted that many U.S. companies could afford to ignore the Europe Union's General Data Protection Regulation (GDPR), which imposes a broader set of rules than CCPA, because they didn't have any business there. But now U.S. companies, apart from highly localized or regional ones such as utilities, won't have that luxury.
“If it's a company of any size, it's almost certainly going to be doing business in California,” Vestuto said. “And with other states following closely behind, companies will have to be working to comply with their laws. This will be ongoing.”
As summarized in a Deloitte quick reference guide, the noncompliance penalties per violation are $2,500 (if unintentional) or $7,500 (if intentional). If personal information is exposed in a data breach, consumers can sue for $100 to $750 per incident, or more if the actual damages exceed $750.
“If the CCPA applies to your business and you haven't started planning for compliance, it is imperative that you do so right away to mitigate the risk of hefty fines,” Yvette Gabrielian, senior director in the Cyber Risk practice of Kroll, wrote in a recent blog. “However, even if you believe your organization is exempt from the law, now is a good time to consider implementing best practices that can put you ahead of the curve as privacy protections shift to the national stage.”
GDPR Applicability Limited
Companies that have dealt with Europe's stringent GDPR are not assured of being in compliance with state laws.
ThielovÁ said that core requirements are similar, covering tracking of customers' personal information, the data flow, why the company needs the data, and which companies it is sharing it with.
But, ThielovÁ said, “CCPA and other state laws will have specific layers of requirements that are unique to them.” An example is CCPA's restrictions on selling customers' personal information: “Any company, whether it is GDPR compliant or not, will have to take this extra step and be prepared for the implications.”
Companies that have had to comply with HIPAA and GLBA requirements typically have not had to comply with GDPR, given that their customers tend to be domestic. But that experience should aid them in CCPA compliance efforts. It may also add a layer of complexity. CCPA exempts information required by GLBA's privacy rule as well as the California Financial Information Privacy Act, but CCPA also has entirely different elements. CCPA's definition of consumers, for instance, is much broader than GLBA's, so a financial firm processing customer information may not meet all of the new privacy law's requirements.
“I find this to be one of the biggest risks,” ThielovÁ said, “because on the face of it, the CCPA is exempting all the information under these existing laws, but it doesn't mean that companies in the financial sector will be exempt from CCPA as a whole. It can be even harder for those companies, because they have to figure out which laws apply to which portions of their information.”
Knowing Where the Data Went
CCPA's requirements are more far-reaching than they may seem at first reading. John Clark, a partner at Deloitte, notes that the CCPA legislation, which was hurriedly assembled, does not have the breadth and detail of GDPR. Nevertheless, he added, in many cases companies will still have that responsibility. For example, CCPA does not require GDPR's record of processing activities, essentially a data inventory, but if a consumer requests the information a company has about him or her and/or asks to delete it, the company must nevertheless know where that data is.
Companies that have not had to comply with GDPR or sector privacy requirements probably face the greatest challenge in terms of getting their CCPA ducks in a row, because they may not have a complete understanding about the data they have and where it is stored.
“It can be tremendous work to figure that out, because they have to keep track of data not just within their four walls, but where else it may have gone,” Vestuto said. Those destinations can include an outside benefits servicer, and third-party providers of human resources, email marketing, affinity programs, and other services.
“Any company collecting large volumes of personal information and sharing it with third parties must have a strong handle on what they're doing with it and who they are sharing it with,” the Deloitte consultant said. “Social networking firms are the prototypical example of companies that will be most impacted by this.”
Clark said that most companies he has talked to about CCPA are in the near term developing manual data inventories, typically using spreadsheets and perhaps some governance, risk and compliance tools to automate workflow and document the inventories. They tend to be focused on identifying the relevant business processes, the applications to handle the data, and the third parties their companies are sharing information with.
“In the long term, we expect much better automation to support managing those data inventories,” Clark said. “So the fields of data governance and data privacy will increasingly converge.”
He noted there is a growing market for tools to automate compliance with data-privacy rules, such as the responses to customers' requests related to their data, and keeping track of cookies that third-party firms may plant on a company's website.
“A third-party cookie on my website can result in an exchange of information with that party that may be using it for advertising purposes,” Clark said. “So I have to look at managing those cookies in a more effective way.”
He added that by now companies should have completed their data inventories and developed a road map for compliance. “If not, I would definitely be concerned,” he said.