Sometimes you want to go where everybody knows your name — or at the very least is familiar with your data breach incident response plan. Clients new and old alike have been trickling into law firms in anticipation (or mild apprehension) of the California Consumer Privacy Act (CCPA).
The law brings new and sweeping changes to the way the U.S. has traditionally viewed consumer privacy, whether businesses are ready for them or not.
More control over personal data
The state’s forthcoming privacy regulations, which are scheduled to go into effect January 1, 2020, will bear more than a passing resemblance to the European Union’s General Data Protection Regulation (GDPR), empowering Californians with more control over the way their data is collected, shared or viewed by companies on a daily basis.
While the GDPR may provide a suitable springboard for complying with the CCPA, sticking the landing will require navigating some big and potentially expensive question marks around expectations and execution that could linger well beyond 2020.
One of the most immediate questions, for instance, is what the law will actually entail.
Not yet set in stone
“The CCPA is not yet set in stone, so we really don’t know what the law is going to look like when it goes into effect in 2020. It’s a bit of a moving target,” says Kevin Cahill, a partner based out of Dechert’s Orange County office. “[People] want to get started with compliance, but we still don’t know what the rules of the road are, so it’s kind of hard to go at it full-steam at this point.”
Once the CCPA was signed by California lawmakers, Cahill and the other attorneys working in cybersecurity and data privacy at Dechert began reviewing the particulars of the new regulation, some of which they fully expect to change.
In fact, it has changed from the initial version already: Several amendments to the law were passed last September, eliminating a notification requirement for consumers pursuing private action and bringing additional clarification to what entities are exempt from the CCPA’s reach.
For attorneys, heeding these ongoing changes can be a bit like trying to prepare a client to take a driver’s test while the DMV is still in the process of color-coding the traffic lights.
“The law is evolving in that there were amendments to it, and there might be additional amendments to it before it’s enacted in 2020, so in that sense it’s kind of a moving target,” says Hanley Chew, of counsel at Fenwick & West.
Still, if you absolutely have to start taking aim, Chew thinks the CCPA requirements targeting transparency and the mechanisms companies need to manage and disclose the data they’re collecting will probably be around for the long haul.
Does it apply to you?
One fairly pressing question many companies will face is if the law applies to them. But for some, getting to that question means first realizing the law exists in the first place.
For all of the talk about various privacy laws waiting to come into fruition at the state or federal level, business managers are apt to begin tuning some of the noise out in favor of one of the many other demands competing for their attention — customers, employees, the actual turning of a profit.
Ditto for a company’s in-house counsel. “In-house folks are busy people, they don’t have time always to pay attention to every new legal or legislative development, so it’s sort my job to keep track of things that could impact their business,” Cahill says.
Elizabeth Dill, a partner in Lewis Brisbois Bisgaard & Smith’s data privacy and cybersecurity practice, notes that, when dealing with the GDPR, corporate clients tended to fall into one of three categories:
(1) those who reach out immediately after the regulations are announced.
(2) those who reach out with just enough time to undergo the compliance process.
(3) those who reach out within days of the law’s effective date.
She recommends that clients begin preparing for the CCPA as soon as possible. The scope of the work required can vary depending on the size and nature of the company itself. Plus, some clients walk through the door wondering if the CCPA even applies to them.
The answer to that question can usually be ascertained through a data-mapping exercise focused on the kind of data a company traffics in and how it is collected, stored and processed.
“What we usually do is prepare an assessment for clients based on a questionnaire that they fill out for us, and the answers to the questions determine, for our purposes, whether or not we’re going to proceed forward and recommend that they start the process of compliance,” Dill says.
That questionnaire relies heavily upon the wide-ranging parameters that bring a company or business under the mandate of the CCPA, which are not contingent upon the limits of the California border.
When the regs apply
The CCPA generally doesn’t care which ZIP code is listed next to a business’ corporate headquarters so long as the data of a California resident is involved. Then, if a company has gross revenue of more than $25 million; buys, receives or sells the personal information of 50,000 or more consumers; or derives more than 50% of its revenue from selling consumer information, the regulations apply.
“We ask about what kinds of information they handle, what kinds they store, what kinds they transmit, if they sell any kind of personal information,” Dill says. “But one of the things that’s interesting about the CCPA, like the GDPR, is that the definition of personal information is much broader than even California’s data breach notification statute.”
Personal information as defined by the CCPA isn’t just limited to information like Social Security numbers, driver’s license numbers or financial account numbers. According to Dill, the law encompasses any information that relates to or could reasonably be linked to a particular consumer or household.
How one chooses to define “household” is one of several potential ambiguities lawyers may have to contend with as the CCPA continues to shift in and out of focus. While a common-sense definition of the word is well within grasp, Dill thinks it will be the subject of much discussion moving forward.
A close cousin to GDPR
Because the CCPA has a similar disposition to the GDPR, businesses that have already taken the plunge with the GDPR have a running start when it comes to getting up to speed with certain provisions of the new California law.
The CCPA’s “right to be forgotten,” for example, requires companies to acquiesce to demands made by individual consumers to have their data erased. It’s a fixture of the GDPR, but a first for privacy law in America.
Ensuring that those kinds of requests are seen, processed and executed in a timely fashion may require companies to make significant changes to their pre-existing infrastructure or reallocate man power. But thanks to the GDPR, some of the more dramatic alterations to the fabric of a business may have already been made.
“A lot of companies have already put a lot of the infrastructure in place in order to comply with the GDPR, and so a lot of times we’re just building on what they’ve already put in place,” Chew says.
Still, the blueprints for complying with GDPR and the CCPA aren’t precise matches. Reece Hirsch, a partner at Morgan, Lewis & Bockius, says the privacy rights outlined in the CCPA are potentially much more fine-tuned to the individual than GDPR regulations.
For example, consumers under the umbrella of the CCPA have the right to know the categories of data that a business has collected about an individual and how that information has been sold or disclosed over a period of time stretching back 12 months.
The expansiveness of such requirements can quickly become a burden to companies attempting to comply.
“It affects many different components of the company’s business, and so I think it’s important to start by engaging all of the relevant personnel within the company about what these new rules might mean, even though they are still a work in progress,” Hirsch says.
Regardless, January 2020 definitely won’t be the last time law firms and corporate legal departments hear about the CCPA. In addition to helping clients deal with any confusion regarding practical applications of the law or keeping abreast of future amendments, there’s also a chance they’ll be seeing more time in court.
Statutory damages for security breaches
A provision of the CCPA creates statutory damages for security breaches, and as a result Hirsch expects to witness a spike in California security breach class action suits. Lawyers may want to consider incorporating a review of a client’s incident response plan into their CCPA prep work, he says.
“It’s a good time for organizations to revisit and retune their incident response plan to make sure that they are making themselves as bulletproof as possible so that they are prepared to both detect breaches as soon as they occur and also to respond to them quickly to mitigate harm,” Hirsch says.