United States: Data Privacy Enforcement On The Rise In The US – California's CCPA Setting The Benchmark

On January 1, 2020, California will become the first state in the US to implement a sweeping new data privacy law that gives its residents the right to know (1) what "personal information" has been collected about them; (2) with whom it has been shared; (3) how it may be deleted; and (4) how to stop it from being sold. Known as the California Consumer Privacy Act of 2018 (CCPA), the new regime signals a significant shift in US privacy law and will greatly impact how covered businesses collect, use, store and share the "personal information" of all California residents, including non-consumers, job applicants, employees and business-to-business partners.

The CCPA is expansive in scope, both in terms of substance and enforcement. It applies extraterritorially; covers new forms of data such as IP addresses and internet browsing activity; defines "sale" broadly to include the exchange of "personal information" for not only monetary consideration, but for any "valuable" consideration; and provides for both regulatory enforcement and a private right of action. With just under four months until the law takes effect, covered organizations are working hard to understand the complexities of the new law and build CCPA-ready compliance programs. Some are updating existing corporate compliance programs, including programs built in response to last year's European Union General Data Protection Regulation (GDPR), while others are building programs from scratch. But no matter the organization's posture, all entities are asking the same question: What does CCPA compliance look like?

Unfortunately, the CCPA does not provide a roadmap for compliance. Although certain provisions of the Act require covered businesses to update their external-facing privacy notices with certain language and links, there are no express requirements for internal-facing policies and procedures, risk management, or accountability. From a compliance perspective, it is somewhat of a blank slate. It is therefore important to look outside the box for guidance.

In April 2019, the Criminal Division of the US Department of Justice (DOJ) released an updated guidance document for white-collar prosecutors to use in the evaluation of corporate compliance programs. "The Evaluation of Corporate Compliance Programs" sets forth topics the Division has found relevant in evaluating corporate compliance programs in the course of criminal investigations and potential actions thereafter. Several sections of the guidance document are directly relevant to the building of a CCPA-focused compliance program, including the incorporation of risk assessment into the process, developing robust internal facing policies and procedures, implementing training, and ensuring third parties are managed effectively.

Below we provide an overview of the CCPA, outline its various components, and offer five compliance tips through the prism of the DOJ's 2019 guidance that organizations can take now to get ready for the CCPA in January.

CCPA OVERVIEW

Who is covered?

The CCPA applies only to a covered "business," which the Act defines as any for-profit entity that: (1) does business in California; (2) collects or determines the "purposes and means of the processing" of a California resident's "personal information"; and (3) satisfies one of the following three thresholds:

  • Gross revenues in excess of US$25 million;
  • Buys, receives, sells or shares the personal information of 50,000 or more California residents, households or devices in a year; or
  • Derives 50 percent or more of its annual revenues from "selling" consumer personal information.

A "business" is also defined as any for-profit entity that controls or is controlled by a business as defined above and that "shares common branding with the business."

"Consumer" defined

The CCPA broadly defines "consumer" to mean any natural person who is a California resident (as defined under California law) "however identified, including by any unique identifier." The phrase "unique identifier" is also broadly defined. The definition of "consumer" therefore ostensibly includes job applicants, employees, non-consumers, business-to-business partners, officers, directors and competitors. An amendment is pending that would exclude job applicants, employees, directors and officers.

"Personal information" defined

The CCPA's definition of "personal information" is equally expansive. The Act defines "personal information" as that which "identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." The CCPA provides the following (non-exhaustive) list of examples of personal information:

  • Identifier information, such as real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, social security number, driver's license number, passport number, signature, physical characteristics or description, telephone number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information, or other similar identifiers;
  • Characteristic information, such as race, religious creed, color, national origin, ancestry, physical disability, mental disability, medical condition, genetic information, marital status, sex, gender, gender identity, gender expression, age, sexual orientation, or military and veteran status;
  • Commercial information, such as records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies;
  • Biometric information, such as fingerprint, iris scan, or geometric outline of face or body;
  • Internet or electronic network activity information, such as browsing history, search history, and information regarding a California resident's interaction with an internet web site, application, or advertisement;
  • Geolocation information, such as the location of the particular consumer or household;
  • Audio, electronic, visual, thermal, olfactory, or similar information;
  • Professional or employment-related information;
  • Education information; and
  • Inferences drawn from any of the above to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.

SUMMARY OF NEW RIGHTS AND OBLIGATIONS

Right to disclosure and duty to disclose

The CCPA gives California residents the right to demand, through a verifiable consumer request, that a business disclose the categories and specific pieces of personal information about the resident that it has collected, sold or disclosed in the preceding 12 months. Businesses, in turn, must timely respond to such requests (i.e., within 45 days of receipt, unless extended). Businesses must also disclose "at or before the point of collection" the categories of personal information collected and the purposes for use about California residents, and must include on external-facing privacy notices a description of the consumer's right to disclosure and a list of the categories of personal information the business has collected, sold or disclosed for business purposes in the preceding 12 months.

Right to opt-out and duty to notify

The CCPA also gives California residents the right to "opt-out" of the "sale" of their personal information. The word "sale" is defined broadly to mean any exchange of personal information for monetary or other valuable consideration. Businesses must provide California residents notice of their opt-out right and the potential for any sale of their personal information, and include on their home page a "clear and conspicuous link" titled "Do Not Sell My Personal Information" which, when activated, will allow California residents to opt-out. Businesses must also include a description of the new right on their external-facing privacy notices, train all individuals responsible for handling opt-out requests, and respect the consumer's decision to opt-out for at least 12 months before requesting another sale of their personal information.

Right of deletion and duty to delete

The CCPA also gives California residents the right to request that a business delete their personal information, subject to certain exceptions. Upon verification of the request, businesses will be obligated to delete that information and direct any of their "service providers" to do the same.

Risk of non-compliance

The risk of CCPA non-compliance can be significant. The state Attorney General has the sole authority to enforce the entire CCPA and to impose civil penalties of $2,500 per violation (or $7,500 for each intentional violation). And unlike the GDPR, there are no caps on civil penalties. Businesses may also seek advisory guidance from the state Attorney General (a provision the AG's office has sought to write out of the law through amendment). The state AG is also scheduled to release draft implementing regulations in the fall. California residents also play a role in enforcement, and may bring a private right of action against any business that suffers a negligent data breach as a result of its "violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information." Such suits may include requests for injunctive relief and/or statutory damages in the amount of $100 to $750 per consumer, per incident, or "actual damages," whichever is higher.

DOJ GUIDANCE OVERVIEW

Although the state Attorney General has not released compliance guidance, it is helpful to leverage the DOJ's April 2019 guidance on corporate compliance when thinking through compliance structures under the CCPA. The DOJ's April 2019 guidance is meant to assist US prosecutors in making informed decisions as to whether, and to what extent, a corporation's compliance program was effective at the time of a criminal offense. The guidance highlights three guiding questions for any corporate compliance program review:

  • Is the corporation's compliance program well designed?
  • Is the program being applied earnestly, in good faith and effectively?
  • Does the program work?

In terms of design, the DOJ recommends that a corporate compliance program include an adequate risk-assessment structure, policies and procedures, training and communications, a confidential reporting structure and investigation process, and third-party management.

Tip No. 1: Align strategy and data mapping

Before an organization begins to plan for the CCPA, it should first determine its overall data privacy/information security strategy. This strategy determination will drive the organization's compliance efforts and, as the DOJ recommends, help the organization allocate appropriate resources to the data privacy/information security function. It will also help the organization design a risk management program that adequately identifies, assesses and defines the organization's risk profile.

Consider, for example, a business that operates in 25 US states, including California, and uses a single online privacy policy for all of its states and websites. In its current privacy policy, the business does not extend the rights of disclosure, deletion or opt-out of the sale of personal information. In preparing for the CCPA, should the business adopt the CCPA's new data privacy rights across all jurisdictions, or create a carve-out program for California only? How should the organization handle varying definitions of "personal information" across multiple jurisdictions? On the one hand, adopting California's progressive approach to data privacy across the organization could be useful in mitigating against future changes in the laws of other jurisdictions (e.g., state copycat laws) or in federal data privacy law. It could also be used as a market differentiator. On the other hand, offering data subject rights in jurisdictions where no such rights currently exist will likely increase the business's liability exposure. Determining the appropriate data privacy/information security strategy in light of the organization's risk tolerance is therefore a critical first step to CCPA compliance.

Equally important is undertaking a data mapping/data inventory exercise. This step is particularly important under the CCPA because the definition of "personal information" under the Act is so broad that data points not previously considered sensitive (e.g., IP address, internet browsing activity, etc.) now must be treated as personal information. Only by undertaking a data mapping/data inventory exercise can an organization appropriately understand and appreciate its risk profile and the degree to which it should devote scrutiny and resources to its compliance program.

Tip No. 2: External- and internal-facing notices, policies and procedures

A well-designed compliance program includes policies and procedures that give content and effect to the organization's risk assessment process. According to the DOJ, such policies and procedures should flesh out "ethical norms" and "address and aim to reduce risks identified by the company as part of its risk assessment process." The CCPA requires covered businesses to update and change their external-facing privacy notices. It also will force organizations to update and change their internal-facing policies and procedures, or create new ones. For example, an organization receiving consumer requests for disclosure, deletion or to opt-out of the sale of their personal information will need to be prepared to receive those requests, verify the identity of the requesting party and respond within the time frame specified under the law (i.e., within 45 days from the date of the request for a disclosure, unless an appropriate extension applies). Organizations that receive a request for deletion will also need to be in a position to verify whether the information is subject to an appropriate exception; whether any of its service providers have the same information (and must therefore be directed to delete); and whether any other exception applies to the California resident's request. Developing robust policies, procedures and notices is therefore a critical step in preparing for the CCPA.

Tip No. 3: Training

Another hallmark of a well-designed compliance program, according to the DOJ, is appropriately tailored training and communications. This includes taking steps to ensure that policies and procedures are integrated into the organization; that critical information is relayed in a manner tailored to the audience's size, sophistication, or subject matter expertise; and that appropriate personnel are trained in carrying out the procedures dedicated to mitigating the organization's risk. The CCPA contains some express training requirements (e.g., personnel handling opt-out requests). Organizations would also be wise to implement comprehensive CCPA and privacy/security training; audit that training; and ensure that communications concerning CCPA requests are uniform and easily understood throughout the organization.

Tip No. 4: Third-party risk management

The DOJ states that a well-designed compliance program "should apply risk-based due diligence to its third-party relationships." This includes understanding third-party partners' qualifications, associations, reputations and relationships; ensuring that they have appropriate controls in place; and understanding how those third-party relationships are managed. Third-party risk management is especially important for CCPA compliance because the transfer of personal information to service providers is exempt from the opt-out rights. "Service provider" is narrowly defined as any entity that "processes information on behalf of a business" and to which the business discloses a California resident's personal information for a "business purpose" pursuant to a written contract, provided that the written contract "prohibits the entity receiving the information from retaining, using, or disclosing" the personal information for any other purpose than specified in the underlying contract. Determining the existence and scope of third-party relationships, and having a firm understanding of service provider relationships, is therefore a key function of CCPA compliance. It is also important because the security posture of service providers may impact the liability of the covered business when there is a private right of action brought by a California resident following a data breach.

Tip No. 5: Information security audit

The private right of action under the CCPA currently applies only if a California resident's non-encrypted or non-redacted personal information is compromised or breached as a result of the business's "violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information." Although the law does not define the phrase "reasonable security procedures and practices," many organizations currently rely on federal or international standards as a benchmark for "reasonable" information security. But those standards vary. One company may track its information security practices with the so-called "NIST" standard (a widely accepted 2014 cybersecurity framework prepared by the US Department of Commerce's National Institute of Standards and Technology). Another may track the international security standards created by the International Standards Organization. Or companies may follow industry-specific standards, such as the Common Security Framework (CSF) established by the Health Information Trust Alliance (HITRUST), or frameworks for critical infrastructure, such as the US Transportation Service's Pipeline Security Guidelines or the North American Electric Reliability Corporation's Critical Infrastructure Protection (CIP) standard.

California may have its own information standards, separate from federal, international or industry-specific standards. In the "2016 California Data Breach Report," then state Attorney General Kamala Harris expressly endorsed the Center for Internet Security's Critical Security Controls as a "reasonable" security measure, stating that they "define a minimum level of information security that all organizations that collect or maintain personal information should meet," and that "[t]he failure to implement all the Controls that apply to an organization's environment" would constitute a "lack of reasonable security." As the CCPA moves toward implementation, covered businesses should conduct a gap assessment of their current information practices to ensure they are operating within the appropriate framework.

LOOKING AHEAD

There is no one-size-fits-all solution for CCPA compliance. Because the law does not provide a clear roadmap for compliance, each organization will need to look at the CCPA requirements through the lens of its own risk tolerance and compliance structure. Third-party risk and gap assessments, preferably conducted through a law firm to maintain privilege and protection, are a good first step. And, of course, all these efforts may need to be revisited as the California State Legislature adopts substantive amendments (scheduled to be complete by September) and the state Attorney General releases its anticipated implementing regulations this fall (estimated for October).

In the interim, organizations should plan and develop a CCPA compliance program, remain flexible over the next few months, and think strategically about how they want to be viewed and to position themselves on issues of data privacy and information security across the enterprise and in their respective markets.

About Dentons

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
