Complying with the California Consumer Privacy Act
December 2019 | FEATURE | DATA PRIVACY
Financier Worldwide Magazine
December 2019 Issue
Data protection regulation, such as the EU’s General Data Protection Regulation (GDPR), is increasingly common, with similar legislation introduced in Brazil, Australia and Japan. Approaches to data protection in the US are rather more piecemeal, however. There is currently no data privacy law applicable to all industries on a federal level. And while most states have their own data privacy laws, they vary dramatically in scope and penalties, and most are focused on specific privacy issues rather than general regulations.
Perhaps the strictest state legislation is the California Consumer Privacy Act (CCPA), which becomes effective on 1 January 2020. It brings sweeping changes to how companies must handle the data they hold and sell. Among other things, the CCPA requires that companies make extremely detailed and explicit disclosures to data subjects, and gives data subjects rights to access and delete their data.
Impact of the CCPA
The CCPA is already raising awareness of privacy risks. “Going forward, it will be highly impactful on privacy compliance costs,” says Rachel R. Marmor, counsel at Davis Wright Tremaine LLP. “But whether it will have the intended effects on actual protection of consumer privacy remains to be seen. The law does not regulate initial collection or use of personal information by a business; access and deletion rights may mean little when the business has already used the data and are only exercised by a limited number of people. There are a number of drafting and technical issues around opt-out rights, and businesses are facing choices as to how they will interpret key provisions.”
The CCPA will, however, have an impact on the proliferation of state laws, and attempts to adopt federal laws that cover some of the same ground as the CCPA. But this may cause some confusion. “Ultimately, the impact may be either the coordination of state laws, such as through a uniform law proposal, or a federal law governing privacy,” says Robert E. Braun, a partner at Jeffer Mangels Butler & Mitchell LLP. “However, it seems likely that any federal law will be limited, and that the states will push to retain their authority to impose their own regimes on companies. The other consideration is that the CCPA is likely to open the door for litigation that will both resolve some of the ambiguities in the law, as well as create additional questions.”
Preparation is key
With implementation day fast approaching, it is vital that companies adequately prepare for the CCPA. “Companies should take a comprehensive approach to CCPA compliance, which requires a comprehensive inventory of the company’s data,” says Mr Braun. “Once a company has that information, it can move on to develop the policies and procedures that allow it to comply with the consumer access requirements and the data security provisions of the CCPA.”
Companies must also review their relationships with third parties to whom they provide data to determine if they are indeed ‘selling’ personal data or not. “Companies might need to amend contracts with third parties to include language to restrict service providers from using the data for their own purposes and to include other CCPA proscribed language,” says Chiara Portner, of counsel at Hopkins & Carley. “Following these preliminary steps, companies should update their privacy policies with the required disclosures and user rights, and if required, add the appropriate ‘do not sell my personal information’ link to their website. Companies must ensure they have the infrastructure to implement and administer user rights. Lastly, they need to make sure their security practices are sufficient.”
Future developments
After the CCPA was passed, several other states, including New York and Nevada, followed suit. “The Nevada law is an amendment to Nevada’s existing privacy law to allow Nevada users to opt out of the sale of their personal data, and ‘sale’ has a very different definition as compared to the CCPA,” says Ms Portner. “We expect other states will follow with similar ‘GDPR-like’ laws or their own unique requirements. With the patchwork of privacy laws in the US, we would hope for an all-inclusive federal law, but we are not optimistic we will see such a law in 2020. With the potential large fines for violation of privacy laws both abroad and in the United States, many would welcome a comprehensive approach.”
The reality is that there is widespread disagreement as to what the contours of law should be in other states and at the federal level. “Without the threat of a ballot initiative, which is what led to passage of the CCPA, legislators have had trouble building consensus,” explains Ms Marmor. “We are more likely to see states pass rules related to specific privacy issues rather than comprehensive legislation in the near term.”
The future of data protection in the US remains unclear. But with CCPA implementation day drawing nearer, it is vital that companies remain focused on compliance, particularly as there may be amendments that change current provisions, remove requirements or even add to the regulation.
© Financier Worldwide
By Richard Summerfield