January 1, 2021 will be the one year anniversary of the California Consumer Privacy Act (CCPA) going into effect, at least in theory. Forced into existence through privacy activism and the threat of a state ballot initiative, it remains the first comprehensive statute in the US to attempt government regulation of most personal information belonging to individuals that is processed by businesses. But it has not been without controversy; delays in the finalization of implementing regulations from the CA Attorney General, as well as moratoriums on enforcement of several key aspects of the CCPA, have made it a struggle for many businesses to understand if, when, and how they should invest in the technical and operational changes needed to achieve CCPA compliance.
Unfortunately, the first anniversary of the CCPA will be heralded by final regulations which will require further investment by most businesses to achieve and maintain CCPA compliance. In addition, the moratoriums that exempted business contact and employee personal information from most CCPA requirements are likely coming to an end. This means that many businesses which achieved compliance with the CCPA in 2020 will now have more work to do to meet these new requirements.
Existing CCPA requirements include fulfilling consumers' rights to request access to or deletion (subject to exceptions) of their personal information, providing an opt-out mechanism for most "sales" of personal information (and an opt-in for the "sale" of PI of minors), and meeting new consumer notice requirements (including updated privacy policies and a clearly visible "Do Not Sell My Personal Information" link on web pages that collect PI which is sold). These CCPA requirements have been clear from the beginning, and most businesses subject to the CCPA should already have them in place.
CCPA penalties for failure to implement requirements or to secure certain personal information can be severe. The CA Attorney General can bring an action to enforce civil penalties of up to $2,500 per non-intentional violation and up to $7,500 per intentional violation. Given that each failure to comply with a rights request, or each instance of collecting personal information without proper disclosure, could count as a separate violation, a business that collects information on a large number of consumers could quickly find itself facing astronomical fines. And the CCPA's private right of action (PRA) for certain PI breaches, the right of private citizens to seek damages, is potentially even worse. Statutory damages run from $100 to $750 per consumer per incident, or actual damages if greater, so a breach of one million records subject to the CCPA's PRA could result in a class action lawsuit with damages of up to $750 million for the plaintiffs. The minimum a court could award in such a case where a business was found liable under the CCPA PRA is $100 million, and the court may award $750 million, or more where actual damages exceed that amount.
Last October, AB 25 and AB 1355 were signed into law. These laws created exceptions for some CCPA requirements, notably those around privacy rights requests, with respect to the personal information of employees (including job applicants, directors and officers) and of business contacts (including, for example, sales agents). However, both laws included a sunset provision, and the exception for those types of personal information will no longer be in effect as of January 1, 2021. (Note that later legislation, AB 1281, has since pushed that sunset date back to January 1, 2022; businesses should confirm the date currently in force before planning, but the work described below is needed regardless.) Note also that the requirements to provide notice and disclosure at the point of collection, and the private right of action for breach, were not impacted by AB 25 or AB 1355 and remain in effect. In order to comply with the new and existing requirements around data of employees and business contacts, businesses will need to begin assessing and tracking that data now, applying the same controls they should have already applied to other consumer data for CCPA compliance. This will likely involve systems and processes, such as those used by HR and procurement, that were separated from, and not in scope for, previous CCPA efforts.
This process should include a detailed understanding and documentation of the current state of personal information use cases in each system, including the business use case, and mapping of data flows covering all collection, processing, storage, and disclosure/sale/transmission to any third parties. A complete analysis of the documented current state, through the lens of the California Consumer Privacy Act, should then be performed to determine which requirements apply to each use case. A review of any existing controls or capabilities in each environment should follow, to understand where there may be gaps against those requirements, and a risk-based gap treatment plan and remediation roadmap should be created to address them. Testing must then be performed to ensure requests are fulfilled completely and correctly: an access request that returns the wrong person's personal information is itself a disclosure that could amount to a breach subject to the CCPA's private right of action, so identity verification and record matching deserve as much testing as the data retrieval itself. Achieving compliance is not an easy process, and it requires extensive privacy-specific legal, technical, and business expertise.
For this reason a comprehensive risk-based approach to privacy, based on a proven methodology, is recommended. These regulations can be difficult and expensive to implement, so businesses often utilize outside professional services firms with specialized experience and expertise in cybersecurity and privacy. Expert consultants from firms such as Truvantis know how to apply a risk-based approach to determine which controls may be applicable, and how to implement them quickly and cost-effectively with minimal impact to a business. These experts can also advise on how other similar businesses are addressing similar risks, and on what changes to privacy laws and compliance obligations may be on the horizon.