In the wake of the EU’s General Data Protection Regulation (GDPR) the business world will soon have to reckon with similar California legislation. The California Consumer Privacy Act will take effect from 1 January 2020 and has deep parallels with the GDPR. The Act requires far higher levels of active data management than is currently the case (particularly around transparency and good security practices) and will pose a significant, further compliance challenge.
What are the Big Changes in the California Consumer Privacy Act of 2018?
Let’s first get the law out of the way and then we can dive down into what to do about it.
The Act will be a huge change for most companies that deal with the data of California residents. The new regulatory obligations are far reaching and will likely require a comprehensive overhaul of existing data management processes. Depending on how the Act is finally adopted and interpreted, it may prove even stricter than the GDPR. And since the application of the Act is based on Californian residency, in practice any company that deals with the data of California residents anywhere in the world will be affected.
Data transparency and accountability form the core of the Act. The essential rights are:
Right to know - a business must provide the consumer with information on the categories and specifics of personal information that they collect, including details on its sale and disclosure to third parties.
Right to access - when requested to do so by a consumer, a business must provide a copy of the personal information that they hold on them.
Right to deletion - when requested to do so by a consumer, a business must delete personal information that they hold on them.
Right to equal service - businesses must not discriminate against a consumer who is exercising any of their rights under the law.
Right to opt-out - consumers must be able to opt-out from the disclosure and sale of their personal information to third parties.
Several exceptions complicate the law further around the right to “opt-out”. While “opt-out” is fine for consumers over the age of 16, consumers between the ages of 13 and 16 are “opt-in” only, while consumers under the age of 13 require parental consent. These exceptions to the “opt-out” rule bring the Act closer to GDPR principles and in practice will probably mean that user experience designers need to provide “opt-in” for most workflows.
The Act applies to all organisations doing business in California that fall into any of the following categories:
The business has annual gross revenues in excess of $25,000,000.
The business deals with personal information on 50,000 or more (i) consumers, (ii) households, or (iii) devices.
The business derives 50% or more of its annual revenues from selling consumers’ personal information.
Overall, the Act emphasizes proper governance by companies dealing with personal data: how they manage that data and how that data is presented to the consumer.
The scope of the law is potentially very wide. Depending on how the “selling” or “collection” of data is interpreted, the Act could impact anyone from a two-person startup to a large corporation.
The new data breach provisions are severe. It is the duty of the business to demonstrate compliance with security controls appropriate to the nature of the data that it controls. In the event of a violation the Attorney General may levy a fine of up to $7500. For a business with several million consumers, this could quickly add up, potentially to the billions of dollars. Of particular note is the new private right of action for data breaches, which potentially heralds sizeable and extremely expensive litigation.
Being Transparent with Consumers about Data Usage and Recording Security Practices
The Act’s transparency provisions have the potential to significantly disrupt the advertising sector. Businesses will have to show exactly what data they hold on their consumers, how that data is being managed and whether it is being disclosed to any third parties.
Fortunately it’s not the first rodeo for many of us who have been in the data protection industry for an appreciable amount of time. The GDPR pushed the Venn diagram of the worlds of lawyers and IT staff further together. There were significant learnings on how best to convey data usage to consumers (and how best not to, such as the largely unnecessary emails about updates to privacy policies) and how to get systems stood up to quickly and efficiently return personal data to consumers upon request.
Preparing for a Data Breach
Despite a business’s best efforts, data breaches happen.
The new law opens up the prospect of very large fines for businesses found to be in breach, with any potential violation to be determined against the risk posed by the data in question. It is essential that businesses take action to figure out what their potential risk exposure might be by identifying what personal data they hold, which categories that data falls into and the degree to which those categories are responsive to the Act.
Businesses therefore need to know what types of data they have and where that data is held.
A multitude of follow-on considerations then quickly come into play such as: is that personal data being used at all? Should certain data be deleted? Is other data sufficiently anonymised? etc…
Getting Started and Putting Systems in Place
As mentioned above, the best practices developed to deal with the GDPR in Europe can provide a good roadmap to respond to the California Consumer Privacy Act. As in Europe, compliance will not be a “one-shot game”. Rather, it is an ongoing process which needs to be continually iterated once it has been put in place.
Critical steps include:
Data discovery and mapping: finding what data is where and to what category it belongs.
Data evaluation: determining the risk / reward balance for your own organization in continuing to keep any particular piece of data.
Process implementation: ensuring that processes and technology are in place to manage data appropriately and report to consumers on data usage.
Ongoing monitoring and reporting: keeping records of what you are doing so that you can prove appropriate activities over time.
Data is Not Oil. Data is Uranium.
In the post-cloud world we have been storing more and more data because we can do so cheaply and because it might be useful at some point in the future. Data was thought of as an asset and not as a risk. But this requires a rethink.
Data is not only an asset but also a liability. If it can be controlled properly, it can be very powerful. If it is uncontrolled, it can be very dangerous, even posing an existential risk to the business. As a business you need to get control of your data and the first port of call is knowing what data you have and how it should be evaluated.
Ohalo builds tools that connect to your datasources in seconds and evaluate those data sources for risky categories of data. Please contact us if you would like to find out more about how we can help you get control of your data for the upcoming California Consumer Privacy Act.
Ohalo builds tools to automate data governance. The Data X-Ray scans for sensitive data on a regular basis so that you are always up to date with where your sensitive data is. Simply sign up here. Once you have established a baseline of where your most sensitive data is, you can track where that data is going with the blockchain-based Data Protection Router in order to assist your clients in Data Subject requests like access, rectification, erasure, and breach notification.
Ohalo is not a law firm and does not provide legal advice. Nothing in this article or on the Ohalo website (www.ohalo.co) should be construed as legal advice.