As noted by Anju Khurana, Head of Privacy of the Americas, Bank of New York Mellon, “There are now over 100+ privacy laws in the world and GDPR is driving other countries to adopt similar regulations.” (corpcounsel.com, Oct. 2019). The California Consumer Protection Act (“CCPA”) which comes into effect on January 1, 2020, is the latest, and very likely not the last. Most data privacy experts anticipate additional states enacting data privacy regulations and think it likely that Congress will eventually do so at the federal level.
While modeled on the General Data Protection Regulation (“GDPR”), which came into effect in May 2018, there are differences, both small and substantial. A comparison of many of the key requirements from Thomson Reuter, Practical Law can be found here.
The CCPA establishes new rights for consumers and households resident in California — defined as domiciled in California for tax purposes — impacts businesses that control or process data that contains personally identifiable information (“PII”). The CCPA defines PII as information that” identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The CCPA gives California consumers more control over companies’ retention, sale and use of their personally identifiable data. Under the CCPA, consumers will have the right to know, among other things:
- What information is being collected
- If their personal data is being sold to or shared with third parties and who those are
- The sources of the information collected, and
- The purpose for collecting and selling their information
The act also grants consumers the right to access their personal data and say no to its sale. It further empowers California consumers with the “right to be forgotten.” Businesses must comply with a verifiable request to delete any personal information collected from that consumer and direct any service providers to delete that data as well. Businesses have 45-days to comply (an extension to 90-days is possible).
Exceptions to data erasure, include:
- When the data is required to complete an online transaction
- To comply with a specific legal obligation
- To identify and repair errors that impair existing and intended functionality
Consumers can request their data twice a year, for free. The act further requires at least two designated methods available for consumers to make such requests about exercising their data protection rights.
The Scope of CCPA
There is a threshold for businesses that are subject to the CCPA. The Act defines a “business” as a for-profit entity or sole proprietorship that collects, controls or processes PII, does business in California, and either:
- Has annual gross revenue exceeding $25M, or
- Sales of PII account for 50% or more total annual revenue, or
- Receives, buys, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices annually.
According to the International Association of Privacy Professionals (“IAPP”), the act will affect over 500,000 U.S. companies.
Companies that are found negligent in securing data, lack reasonable security policies and procedures, steal data, or disclose data through an unauthorized breach, can be sued. The CCPA will be enforced by the California Attorney General via consumer lawsuits (private right of action) for data breaches.
Companies will have 30 days to make a change upon receiving a notification, and if they remain non-compliant after that, a civil case will be initiated. Should a company be deemed in violation, they will be fined up to $2,500 per violation. The math is daunting. This means that if just 1000 users are affected, the fine could be $2,500,000. (Consider that from 2014 through 2018 Marriott International had a data breach impacting 500 million consumers.)
CCPA Impact on eDiscovery Firms
There are two key components of the CCPA (and the GDPR) that intersect with the core competencies of eDiscovery vendors. One implicit, the second, implied. In fact, leading eDiscovery firms and Alternative Legal Services Providers (“ALSPs”) have already begun doing work for clients in this regard.
1. What is known in GDPR terms as the “DSAR” — Data Subject Access Request.
What the CCPA calls “consumers,” the GDPR refers to as “Data Subjects.” Whether the California consumer/household or EU Data Subject, in both cases, the individual has been granted the right to request all information pertaining to data being controlled, processed, shared, and sold by the business. In essence, Businesses are now (GDPR), and will be (CCPA) subject to FOIA-like requests from consumers with fairly strident response criteria.
These requests require finding all the data, (both structured and unstructured), relevant to the consumer request. Once all this data is identified it must be:
a. collected
b. processed
c. reviewed
d. redacted for privileged and other information that requires safeguarding
e. and produced in a format that is readable by the requestor
Sound familiar. Exactly. eDiscovery.
In fact, leading ALSPs and eDiscovery firms have already been helping businesses effectively respond to DSARs and meet their obligations under the GDPR. It is likely that they will do so for data access requests resulting from the CCPA.
In short, for forward-looking firms, there is an opportunity to turn their expertise in data mapping, data identification, forensic collection and processing, review and production into engines for managing these requests efficiently and effectively.
2. Data management, including its protection, consumes significant resources.
It requires the skills across a diverse set of disciplines including IT, InfoSec, Cybersecurity, Breach Response, Infrastructure, Privacy, Risk & Compliance, Legal, and others. The cost of management is high. The cost when there is an event is even higher. The introduction of privacy regulations like GDPR and now CCPA continue to up the ante.
Yet, many organizations cannot tell you with certainty where all the relevant data resides or even precisely what data exists among its myriad systems – to say nothing of their service providers for which they are responsible. The CCPA will require a more sophisticated understanding of the data footprint of any organization.
Ultimately, the silver lining here may be corporations addressing a long-standing problem — namely, data hoarding. As Wooden McLaughlin LLP’s John Babione put it, “The private right of action in the CCPA, which allows for statutory damages, will thus serve as a further incentive for businesses to rid themselves of historical data backlogs and legacy systems. The new reality of CCPA and GDPR may just alter the risk/reward calculation sufficiently to tip the scales in favor of sound data retention/destruction policies.
Here again, eDiscovery Firms and ALSPs can play a significant role in devising defensible, certified data destruction policies and procedures and carrying them out.
There are challenges ahead. eDiscovery firms are definitely in a position to help clients meet them.