Californian Data Privacy: What’s Changing and What Do You Need to Know?
With data privacy still being a relatively new area of law, we speak to expert Anthony Stewart, who shares what you should do if your company has been the victim of a breach, and the changes in privacy laws which could impact you.
California legislators enacted the California Consumer Privacy Act of 2018; can you share what has changed?
A little more than one month after the GDPR went into effect, California passed the California Consumer Privacy Act (CCPA), which is considered to be the most comprehensive data privacy law in the United States. The CCPA goes into effect on January 1, 2020, and enforcement is slated to begin no later than July 1, 2020. The CCPA was drafted, passed, and signed quickly to prevent California voters from facing a similar, yet more restrictive, ballot initiative in the upcoming election. The CCPA broadly expands the rights of California consumers and requires covered businesses to be significantly more transparent about how they collect, use, sell, and disclose personal information.
The CCPA requires covered businesses to make certain disclosures in their privacy policies, or otherwise at the time the company collects a consumer’s personal data. Specifically, a covered business will be required to notify consumers of their rights under the CCPA, the categories of personal information the business collects, the purposes for which that personal information is collected, and the categories of personal information that the business sold or disclosed during the preceding 12 months.
The CCPA also requires businesses to notify consumers if they sell consumer data to third parties and provide consumers with the ability to opt-out of the sale by supplying a link titled “Do Not Sell My Personal Information” on the business’s home page.
Under the CCPA, consumers have the right to request certain information regarding the processing of their personal information from covered businesses. It also requires businesses to provide at least two means for consumers to submit requests for disclosure including, at a minimum, a toll-free telephone number and a website. Disclosures must be made, free of charge, within 45 days of the consumer’s request. Companies, therefore, will need to determine how they can monitor their data sharing practices and timely respond to consumer requests.
How did these changes impact your clients? What issues did they face and how did you guide them?
The CCPA, as currently written, is not in its final form. The California state legislature is continuing to refine and amend the CCPA before it goes into effect next year. October 13 is the last day for the governor to sign or veto bills that survive both chambers of the state legislature. Additionally, the California Attorney General’s Office has until July 1, 2020, to issue rules, procedures, and regulations to establish procedures to facilitate consumers’ rights under the CCPA and provide guidance to businesses for how to comply. Implementing a data privacy compliance program can be a resource-intensive and time-consuming exercise; therefore, we have strongly encouraged our clients not to delay the process of developing the necessary programs and procedures.
Companies that have already gone through a GDPR readiness program are at a slight advantage as specific processes and procedures previously developed will also apply to the CCPA. However, it is essential to note that the CCPA imposes some unique requirements; therefore, GDPR compliant does not necessarily equate to CCPA compliant.
In any event, creating a data privacy compliance program can be overwhelming. To fully comply with CCPA, a business must first know detailed facts about the personal information it collects. This is most easily accomplished by creating a data map that traces the personal information ingested by the company and how it is collected, used, processed, stored, and sold.
Although not explicitly required, we encourage our clients to document their data privacy compliance program policies, practices, and procedures in writing, as most businesses will find it challenging to comply with these requirements without written policies and procedures in place. Additionally, having this documentation in writing may be beneficial if a company needs to defend its compliance activities.
Lastly, we work with our clients to ensure they have adequate training programs in place so that employees who handle consumer inquiries have a general knowledge of the company’s CCPA obligations and can instruct consumers how they can exercise their CCPA rights.
Jurisdictions have some level of data security laws, but these laws can vary widely from one state or country to another; what issues can this cause? Do you think there should be a more homogeneous set of regulations and laws?
It can be difficult for businesses to comply with global data privacy and protection laws, as requirements and regulations fluctuate from region to region. This can cause some businesses to think twice before expanding to a new market. Unless a company’s legal department recognises the multiple data privacy and security laws that apply, companies have a very real risk of subjecting themselves to fines and other penalties. There is currently no federal data privacy and security law in the United States. Consequently, several states are implementing their own laws. This will make it even more difficult for companies to ensure full compliance with applicable laws and regulations.
Data breach: what should be the first course of action a client should take?
Despite your best efforts, data breaches happen. The minutes, hours, and days after a data breach can be hectic, stressful, frustrating, and confusing. Hopefully, when the dreaded day comes, you and your company have already prepared and have in place a practical, fact-based and realistic data breach response plan that is tailored specifically to your company’s specific needs. If that’s the case, you are ahead of the game, and you should follow this breach response plan step-by-step.
If, on the other hand, you do not have a well-crafted plan in place, then the most critical first step would be to check your insurance policy and then engage qualified outside counsel to guide your response efforts. Several insurance companies now offer cyber risk insurance (also known as data breach insurance). Depending on your policy, your insurance company can help you retain qualified outside counsel that specializes in this complex, ever-evolving area of law, often at a reduced hourly rate.
It is critical to obtain outside counsel because (at least in most cases within the United States) it is possible to protect the actions and communications of a breach response with the attorney-client privilege and its related work product doctrine. This protection is crucial because it allows for the free flow of information between an attorney and his or her client, allowing for the fastest response possible. Additionally, an attorney that specializes in this area of law can advise whether the breach triggers any of the many and varied notification obligations at the state, federal, and international level.
What are the impacts of a data breach and how do you work towards ensuring the impact isn’t as detrimental?
There are three main business impacts of a data breach: (1) costs, (2) reputation, and (3) intangibles.
The most apparent business impact of a breach is the associated costs. This can come in many forms, such as ransom, theft or diversion of funds, legal fees, fines, settlements, etc. The cost of a breach alone is enough to cause many small and medium businesses to close their doors permanently. According to a study conducted by IBM Security and Ponemon Institute, the average cost of a data breach is $3.86 million.
While harder to measure, a company that suffers a data breach also has to deal with reputational damage. Breaches have a massive negative impact on a company’s customer base, particularly if the breach involves sensitive data. Immediately after a data breach, companies often see a sharp decline in their customer base and find that news of a data breach causes some potential customers to think twice before doing business with your company. It can take ten months to more than two years to restore a company’s reputation following a breach of customer data.
Certain business impacts are immeasurable while remaining incredibly impactful. For example, personal data may be lost or sold on the dark web. The theft or loss of your company’s (or your clients’) trade secrets and other intellectual property could be detrimental to the future success of your company. These are only a few examples of intangible business impacts, as they vary widely.
The most important thing a company can do to reduce the impact of a data breach is to react as swiftly and systematically as possible to mobilize your incident response team, secure systems, and conduct a thorough investigation. Reacting slowly will only make the effects of the data breach worse. A company must also be as open and transparent in its communications with individuals affected by the data breach as possible.
What is your favourite aspect of working in law?
There are always exciting things happening in the U.S. and international privacy law, so the topic never gets boring. The constantly evolving area of law provides new challenges and learning opportunities every day.
What do you want to achieve in 2019?
I plan to publish my first book on legal issues in the area of data privacy and information security. I also hope to spend more time presenting on these complex legal issues and sharing my knowledge with others new to the industry.
How do you overcome the challenges you often face in this field?
Privacy law is relatively young and not fully understood by a majority of businesses. Despite the near-constant news coverage of data breaches, government fines, lawsuits, and investigations into companies’ data privacy practices, several companies are still hesitant to place the attention and resources necessary to implement adequate data privacy and protection programs.
To overcome this challenge, I must digest complex, technical jargon and translate it into a language that stakeholders understand and care about. I also provide regular updates to my clients on the latest news and trends in this fast-paced, ever-evolving area of law to keep this important issue at the forefront of decision makers’ minds.
What is a motto you live by?
“Always aim high, work hard, and care deeply about what you believe in. And, when you’re knocked down, get right back up and never listen to anyone who says you can’t or shouldn’t go on.” (Hillary Clinton)
What has been your biggest achievement in the past 12 months?
I was recognized as a Fellow of Information Privacy by the International Association of Privacy Professionals.
Anthony E. Stewart
Hall Booth Smith, P.C.
191 Peachtree St NE, Ste 2900
Atlanta, GA 30303-1775
About Anthony Stewart and the Firm
Anthony (Tony) Stewart is a Senior Associate in the Atlanta office of Hall Booth Smith, P.C. with a rapidly growing practice that focuses mainly on data privacy and information security issues. Anthony earned a Juris Doctorate degree from Emory University School of Law in Atlanta, Georgia. During law school, he clerked for the Honorable Richard W. Story with the United States District Court for the Northern District of Georgia and for the Honorable Jason J. Deal with the Superior Court for the Northeastern Judicial Circuit. He holds a Bachelor of Science from North Georgia College & State University and was an emergency medical technician (EMT) earlier in his career with more than a decade of clinical experience working in healthcare.
Tony is a Certified Information Privacy Professional and a Certified Information Privacy Manager. Earlier this year, he earned the designation of Fellow of Information Privacy from the International Association of Privacy Professionals. This designation is reserved for experts in the privacy industry and signifies that Tony has demonstrated a comprehensive knowledge of privacy law, privacy program management, and essential data protection practices. Professionals awarded this designation have focused their careers in privacy, are considered industry-experts amongst their peers, regularly speak on related topics, and have a documented record of successfully assisting their clients with navigating the complexities of the privacy industry.
Tony is also well-versed in technology matters with a strong background in computer science and network security. His practical expertise and formal training in computer forensics and ethical hacking consistently provide his clients with a unique perspective on common issues in this quickly-evolving area of law.
As a member of Hall Booth Smith’s data privacy and security practice group, Tony provides a broad range of legal advice to an array of entities from start-ups to large, global corporations. He works directly with companies to develop and implement enterprise data privacy and compliance programs and data security incident response programs; conducts data breach investigations, forensic analysis, breach notifications, and reporting; and negotiates contracts involving technology or personal information.
Hall Booth Smith, P.C. (HBS) is a full-service law firm that was established in 1989. Currently, it has over 230 lawyers in 17 offices throughout the United States.