DATA PRIVACY: California bound

As data privacy continues to be a major issue for organisations around the world, companies are being urged to prepare for another set of wide-ranging new rules emerging from the US state of California. Joe McGrath investigates

Home to the world’s largest technology giants, including Google and Facebook, the US state of California is a significant player in the global economy. The state is the largest in the US by economic output. If it were a nation on its own, it would boast a gross domestic product of more than US$3 trillion, equivalent to the world’s fifth largest economy.

Due to its economic significance, the state has historically been influential in steering the international regulatory agenda. In the months ahead, it looks set to affirm this role again as companies prepare to comply with the incoming California Consumer Privacy Act (CCPA).

Signed into law on 28th June 2018, the CCPA will apply from 1st January 2020 to companies based in California, or doing business with firms there, that have revenues of US$25 million or more than 50,000 California-based customers.

This new legislation has been tipped to “change the privacy landscape” both in California and beyond, and has been likened to the European Union’s General Data Protection Regulation (GDPR), which preceded it.

“CCPA is setting the benchmark for privacy laws to come,” says Fouad Khalil, vice-president of compliance at Security Scorecard. “This all signals a significant shift in US privacy law and will greatly impact how businesses collect, use, store and share the personal information of California residents, including non-consumers, job applicants, employees and business-to-business partners.”

Khalil explains that CCPA will apply to all ‘for-profit’ entities that do business in California, as well as any entities they control and those that control them. “This simply extends the reach of CCPA to global businesses across all industries,” he says. “There are additional requirements in the legislation, but it is best to comply rather than attempt to scope yourself out of compliance.”

First of many

Within the US, the CCPA is the first of several data privacy regulations expected to be adopted at state level in the coming years.

Earlier this year, Washington State attempted to pass a similar set of rules, but its proposed legislation failed at committee stage in April. Despite this, industry figures believe that similar rulesets can be expected both across the US and internationally.

“We can expect many US states and other countries to follow suit,” says Mathew Lewis, senior vice-president at Axiom Law. “CCPA and Europe’s GDPR put privacy protection front and centre and make it very expensive to get wrong.”

Peter Galdies, managing director of data governance group DQM GRC, agrees, noting that the global rulesets around data privacy are becoming far more complicated and widespread.

“Many other US states and national legislatures are implementing new data privacy laws, which are leading to a complex worldwide set of regulations that global organisations must manage effectively. The CCPA is just another example,” he says.
“It’s important to consider the global damage to trust that an organisation will suffer should they indicate non-compliance.”

New obligations

Businesses that already began data mapping as part of their GDPR compliance work in 2018 are likely to have a head start on the rules emerging from the CCPA.

Under the CCPA, businesses must explicitly seek consent from individuals and manage their stated data preferences. To meet this comprehensive set of requirements, companies must develop privacy programmes to mitigate risk by the January deadline.

“CCPA has a mix of prescriptive requirements as well as simply raising the bar on the care required in collecting, storing, sharing and processing personal data,” says Axiom Law’s Lewis.

He explains that companies will need to build a robust privacy programme to mitigate risk, which will include compiling a data inventory that tracks the data captured, stored, processed and shared. “Companies typically have hundreds if not thousands of internal systems and outside vendors with access to personal data,” he says.

“This is critical to managing customer data requests, addressing the right to be forgotten, and securing your supply chain with the right contractual terms to protect the data.”

Lewis says companies should be looking to update their existing privacy policies and templates for data protection agreements, while refreshing their understanding of the data held and training staff on their new obligations under the CCPA and GDPR regimes.

Under the CCPA there are also some exceptions, which may mean that businesses do not have to apply the new rules to all datasets. Companies in the insurance market, for example, may be able to take advantage of relevant exemptions relating to information collected under the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act.

“After considering the exemptions, if companies determine they still have obligations, they will need to identify – starting from the baseline of their GDPR compliance efforts – the steps they may have to take to comply with the requirements of the CCPA, and the options for taking those steps,” says William Long, co-leader of Sidley Austin’s privacy and cyber security practice.

“This may involve changes to privacy policies, notices and disclosures, amendments to contracts and insurance policies, a process for responding to data subject requests, employee training and a review of information security procedures and practices.”

Lessons from GDPR

Ultimately, companies should be mindful of the explicit and implicit costs of non-compliance. GDPR has shown that regulators have little appetite for companies that don’t meet their obligations when it comes to data privacy.

Among the highest-profile cases were the fines issued to hotels group Marriott International and British Airways, which collectively totalled some £300 million. In July, the UK’s Information Commissioner’s Office confirmed its intention to fine Marriott just shy of £100 million for data breaches and British Airways £183.39 million.

While these fines were among those to make the biggest international headlines, there have been hundreds of others. The European Data Protection Board released statistics on the number of enforcement notices and warnings it had issued in February 2019. It confirmed that some 206,326 cases had been reported to authorities across 31 jurisdictions in the European Economic Area since GDPR was brought in.

“Almost half of these cases were related to complaints (96,622), while over a quarter (64,684) were related to specific data breaches,” says Teresa Troester-Falk, chief global privacy strategist at privacy software group Nymity. “The GDPR has created a groundswell of privacy regulations or amendments to existing legislation around the world. Businesses can best protect themselves by ensuring they don’t adopt a ‘wait and see’ approach.”

Enforcement differences

While the substantial fines issued under GDPR may offer food for thought, there are some noticeable differences between the European regime and that of the CCPA.

GDPR granted data protection authorities substantial enforcement powers, including the power to impose fines of up to the greater of four per cent of annual worldwide turnover or €20 million for failure to comply with the data protection obligations. By contrast, under the CCPA, the California Attorney General can bring a civil action for each violation.

“In such a civil action, a company can, depending on the violation, be issued an injunction or a penalty of US$2,500 for each violation or US$7,500 for each intentional violation,” explains Sidley Austin’s William Long.

There are many other differences too, far too many to list here. That said, industry experts are advising companies to operate at the highest possible standard globally, given that additional regulations are likely to be implemented in the coming months and years.

Cory Cowgill, chief technology officer at Fusion Risk Management, explains: “I fully expect there will be more privacy regulation in the future. GDPR consolidated the patchwork of privacy laws across the EU into one piece of legislation.

“In the US, to avoid a patchwork of CCPA and similar state laws, we should expect a similar federal law with the same goal of consolidating a patchwork of laws into one privacy law for the country.”


This article was published in the September-October 2019 issue of CIR Magazine.