Although he began by saying that the new California Consumer Privacy Act is an "extraordinarily complicated and poorly written statute," Chris Mohr, SIIA's VP for intellectual property and general counsel, wants to make one thing clear.
"This statute already exists—although the onset is delayed until Jan 1, 2020—so I urge our members to start thinking about it in terms of how they are going to comply. I don't think [regulators] are going to reach out to a New York business with five [California] customers, but so many companies have customers in California that the reality is that this is a nationwide statute and it may become a de facto standard.
"So think about what tweaks you need to make to comply. If you've already been through the GDPR exercise, then it will be considerably easier. But there are differences."
The occasion for Mohr's comments was a recent SIPA webinar titled California Consumer Privacy Act and GDPR Enforcement Update. Joining Mohr on the webinar was Carl Schonander, SIIA's SVP, global public policy.
Members can access the full recording with slides in our Webinar Library.
Mohr said that the current statute, as written, is grammatically inconsistent and difficult to understand. That's why SIIA and many other groups are in the conversation to make it clearer. (For a full understanding of the statute, it would be best to view the webinar and slides.)
"It's important to understand that the definition of personal information here is broader than the definition of personal information in GDPR," Mohr said. "In addition, while similar, the compliance obligations are potentially more extensive. So for those of you who had to deal with [the GDPR requirements], you'll be in good shape to deal with a lot of this, but there's still going to be more work to do."
The CCPA gives consumers four rights: (1) transparency; (2) deletion; (3) opt-out; and (4) notice. The privacy portions of the statute are enforced only by the Attorney General's office; its data breach requirements can be enforced by private rights of action.
As for what's new in the statute, transparency is one item. "If you collect [personal] information and receive a verifiable [consumer] request, you have to give [consumers] information that you collected about them, how you got it and who you gave it to... That's a new requirement."
The second important point is that the CCPA provides the right to opt out of further sale of information. So if a business holds personal information about a consumer, the consumer may contact that business and tell it to stop disclosing that information. The business must comply.
Mohr said that there is a political scramble to ameliorate the worst parts of the statute. "There's a large coalition of interests to make the law better which SIIA is a part of." The California Attorney General's office also held listening sessions around the state in order to help it craft regulations, and SIIA has submitted comments to the AG's office on several issues.
SIIA is particularly concerned with CCPA as it relates to the First Amendment and freedom of information. "The use of government power to prevent people from talking about you when you don't want them to" is something SIIA will look at, Mohr said. Stopping the dissemination of public record information that government made available in the first place also brings up several questions.
"One of the things that we'll be looking to fix is the treatment of B2B information," Mohr said—for example in terms of financial deals and employment where personal information is public.
Asked if you are exempt if you keep data within your own business, Mohr said no. Even if you are just using that data internally, you would still be subject to deletion requests for any information that you collect from consumers directly.
As for GDPR, Schonander advised companies to "continue to review what personally identifiable information you hold. Conduct a data mapping exercise. Be clear with yourself what your lawful basis for processing that data is—usually it will be consent."
The General Data Protection Regulation went into effect May 25, 2018. Schonander reiterated that Article 3 makes it clear that the law can apply to companies even if they are not legally established in the European Union—"even if you have no office but offer products and services to the EU, then the law applies to you. GDPR says you can process and use personally identifiable information, but you have to be able to articulate on what legal basis you're doing it."
There haven't been a lot of infractions so far, though regulators say that they are working on 350 cases. The largest enforcement case has involved the French data protection authority and Google. It received a lot of attention and the largest fine—$50 million. Other infractions involve: user passwords stored in unencrypted plaintext; illegal video surveillance; and hospital staff members accessing patient data illicitly.
But don't be lulled into complacency, Schonander said. "Over 40,000 complaints have been lodged."
"What do they want to see?" he asked. "Have you appointed a data protection officer? It's helpful to have someone be the general counsel or some individual to point to for data protection issues. Have you inventoried and mapped your data? If I were to [advise] a company rep who didn't want to read all 200 pages, I would say, 'Look at article 30.' It lists what's supposed to be included in a record of data processing activities."
To be compliant, Schonander advised the following:
- Cooperate with any requests;
- Encrypt passwords;
- Implement logical access control;
- Have a data retention policy;
- Have an action plan for achieving compliance;
- Have a privacy notice;
- Pay attention to old-fashioned violations. "They still matter."
Again, you can access the webinar here.