It has been said, that while attending a cocktail party in California, a Google employee stated the following to Alistair Mactaggart: “If people just understood how much we knew about them, they’d be really worried.” Mactaggart, a real estate developer in California, then began contemplating the issue that has been consuming news articles the past few years: privacy in a digital world. Between the GDPR going into effect in May of this year and the Cambridge Analytica scandal that consumed everyone’s attention this spring, privacy has become an inescapable topic.
Mactaggart’s main claim is that in a world where most people have no choice but to have a phone or computer, how can they maintain control over their personal data to ensure it stays personal? With this, he worked to develop a privacy initiative addressing these issues focusing on transparency, control and accountability. These three principles form the basis of the ballot initiative created by Californians for Consumer Privacy, the California Consumer Privacy Act (CCPA). This ballot initiative received 625,000 signatures, which is almost twice the number required for an initiative to be included on the California ballot. Overall, this act provides consumers with three fundamental rights:
- The right to know what personal information is being collected;
- The right to know what personal information is being sold and/or shared with third parties as well as the identity of those third parties; and
- The right to request that their personal information no longer be sold (i.e., the right to opt out).
In addition to honoring the consumer rights listed above, businesses would be required to provide notice via the privacy policy regarding whether personal data is sold and instructions to opt-out of the selling or sharing of this data. Further, businesses must allow consumers to exercise their right to opt-out through, at a minimum, two methods, including a toll-free number and a URL. Should a consumer exercise one of the rights listed above, businesses would be required to respond within 45 days of the request.
Cutting a Deal to Make It Work
As originally crafted, the CCPA would have applied to any business, regardless of location, that earns $50 million in revenue per year, sells 100,000 consumer records in a calendar year, or makes 50 percent of its annual revenue from selling personal data. This broad sweeping scope should be familiar to those responsible for ensuring readiness for the GDPR and its applicability to organizations outside of the European Union.
Since California Governor Jerry Brown signed the California Consumer Privacy Act (CCPA) into law on June 28, 2018, Mactaggart agreed to a deal that would keep this initiative off the November ballot. Instead, Mactaggart and various stakeholders and state lawmakers drafted a bill that varies slightly from the CCPA, but still provides consumers with certain rights to protect their data and requires businesses to develop and implement various new policies and procedures to comply. The CCPA is slated to go into effect on January 1, 2020 and certainly figures to alter the privacy and consumer rights landscape for California and perhaps the entire nation.
The new law, which is an amendment to Assembly Bill 375 (AB 375), provides similar rights to consumers to protect their personal data, but also brings key differences from the CCPA. AB 375 provides the following rights to consumers:
- The right to know what personal information is collected;
- The right to know whether their personal information is sold or disclosed and to whom;
- The right to opt-out of the sale of their personal information;
- The right to access their personal information;
- The right to request the deletion of their personal information; and
- The right to equal service and price, regardless if they exercise their privacy rights.
As originally proposed, businesses have 45 days to respond to consumer requests to exercise any of their rights. The key differences between the CCPA and AB 375 are that AB 375 provides the additional right to deletion and that AB 375 does not provide for a private right of action for any violation (more on this below). Instead, AB 375 provides businesses with more allowance to limit penalty amounts. Businesses are provided a 30-day window to “cure” any alleged violations. If the business can prove the violations have been “cured” and that no further violations will occur, the state attorney general will not be able to pursue legal action. Overall, violators are facing a maximum penalty of $7,500 per intentional violation. Consumers are not provided a private right of action for violations of the rights listed above.
Additionally, AB 375 provides amended rules regarding data breaches. Consumers are provided with a private right of action and can seek damages in the event of a breach where the business has failed to implement “reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” Damages that occur as the result of a breach are limited to a maximum of $750 per consumer per incident.
AB 375 will apply to a slightly different array of businesses than the CCPA as it applies to any business that earns $25 million in revenue per year, sells 50,000 consumer records per year, or derives 50% of its annual revenue from selling personal information. As with the CCPA, AB 375 applies to any business collecting or selling personal information from California regardless of the physical location of the business.
Businesses will now be required to implement various new policies and procedures ensuring the protection of personal information, including updates to privacy policies, “reasonable” security protections, and facilitation of consumer rights. Each request from consumers must be formally analyzed as various scenarios may exist in which a business does not have to honor a consumer’s request to exercise one of his/her rights.
Businesses subject to these requirements must begin to map out all personal information collected and shared from Californians. This analysis should include the categories of personal information collected, why the information is collected, and to whom the information is shared/sold. This will allow businesses to more easily respond to consumer requests as businesses can probably expect a high number of requests initially. Lastly, businesses must determine how they will comply with this new regulation – will the business honor these rights on a nationwide basis or will the business implement a process to determine the location of the consumer making the request and only honor those requests coming from California? How will it determine this? It is likely this is the first of many data protection laws to be enacted in the United States and companies should prepare for additional state and maybe even federal changes to how businesses can handle personal data.
(d) A business or a service provider shall not be required to comply with a consumer’s request to delete the consumer’s personal information if it is necessary for the business or service provider to maintain the consumer’s personal information in order to:
(1) Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
(2) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
(3) Debug to identify and repair errors that impair existing intended functionality.
(4) Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
(5) Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
(6) Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
(7) To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
(8) Comply with a legal obligation.
(9) Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
About the Authors:
Greg Sparrow is the Vice President & General Manager of CompliancePoint’s Information Security Practice. Greg has over 15 years of experience with Information Security, Cyber Security, and Risk Management. His knowledge spans across multiple industries and entities including healthcare, government, card issuers, banks, ATMs, acquirers, merchants, hardware vendors, encryption technologies, and key management.
Matt Dumiak is Director of Privacy Services, Customer Engagement Compliance at CompliancePoint focused on U.S. and international direct marketing compliance regulations. He works with clients in a variety of industries and is dedicated to providing reliable and practical consulting services. Matt has earned a Certified Information Privacy Professional (CIPP/US) certification from the International Association of Privacy Professionals (IAPP), a Customer Engagement Compliance Professional (CECP) certification from the Professional Association for Customer Engagement (PACE), and has a B.S. in Economics from Georgia College.