How to Address Emerging Privacy Compliance Risks

10 Steps to CCPA Compliance

The soaring cost of data privacy

European regulators wasted no time getting serious about the European Union’s General Data Protection Regulation (GDPR), which took effect in May 2018. GDPR gave EU supervisory authorities the power to issue fines of up to €20 million or 4% of a company’s global gross revenue, whichever is higher. In the first nine months alone, fines had already reached nearly €56 million.

The French watchdog agency CNIL issued the biggest hit – a €50 million fine (US $57 million) to Google LLC, the biggest such penalty levied against a US tech giant. Regulators said the world’s biggest search engine didn’t do enough to inform users about how it handled personal data and didn’t properly get their consent for personalized ads.

Blockbuster fines aside, GDPR could potentially be more painful for smaller firms than for the Googles and Facebooks of the world. Larger enterprises have deeper resources to apply to compliance efforts, while smaller firms will find it more challenging.

Meanwhile, the regulatory environment around privacy continues to heat up. In June 2018, California enacted the California Consumer Privacy Act (CCPA), which will have a wide-ranging impact on more than 500,000 companies doing business in California, including small and midsized businesses.

“It’s a unique and comprehensive consumer privacy law; there’s nothing like it in existing US privacy law,” said Reece Hirsch, a partner in the San Francisco office of Morgan Lewis & Bockius LLP and co-leader of the firm’s privacy and cybersecurity practice. “It includes certain GDPR-like consumer privacy rights, but it’s also quite distinct from GDPR as well. Most notably, it creates a new right of action for security breaches with potential statutory damages. … We’re all expecting a spike in security breach class action litigation in California in 2020.”

Furthermore, the CCPA defines ‘personal information’ more broadly than other US privacy laws, extending to include such things as thermal and olfactory data. It also builds on other recent California privacy laws, such as the California Online Privacy Protection Act, which requires online privacy notices, the Shine the Light law, which involves disclosures for direct marketing, and the reasonable security provisions of the Civil Code, which have been largely ignored since they were passed a few years ago.

The road to compliance: Top 10 principles

It’s never too early to start preparing for the compliance date, likely to be around July 1, 2020. However, the CCPA is still a moving target, with a number of amendments making their way through the state legislature. “Nevertheless, with a compliance date fast approaching, it’s important to begin getting your arms around some of the complex operational issues now,” said Hirsch. “Companies that have been through a GDPR compliance effort may have done much of the necessary data mapping and privacy assessment work already. But even if you have done that, the CCPA isn’t just California’s version of GDPR; it’s different in a number of important respects.”

If the details are still in flux, what’s the next move? “Don’t think too much about very specific laws, at least not at the outset,” said Maureen Dry-Wasson, Group General Counsel and Global Privacy Officer at the talent management firm, Allegis Group. “You have to drill down in each one of them and all the important details at some point, but it’s helpful to bucket the commonalities across the privacy laws and take an approach based on privacy principles.”

The 10 principles that frame the Allegis compliance effort are not meant to be all-inclusive for everything GDPR or CCPA, just a summary sense of how the firm has been thinking about compliance.

MKT-18528-CCPA-Graphic-1

1. Understand everything about the data you collect, use and disclose

A comprehensive data mapping exercise is the foundation on which everything else is built. How many of the data elements in CCPA’s broad definition of personal information does the business collect? Are additional data tracking mechanisms needed? Are you considering both self-reported information and data from tools that crawl and gather information? What operational issues arise with regard to deleting data to comply with the ‘right to be forgotten?’ Consider identifying the data inventory in a searchable, relational database.

2. Evaluate how the organization transfers and sells data

Are you selling personal data under the broad interpretation of the CCPA, and if so, do you need to make adjustments to privacy notices on your websites and other consumer-facing channels? Do you have data transfer issues under the GDPR, and if so, have you done a legitimate interest assessment and maintained the proper inter-company data transfer agreements?

3. Understand requirements for privacy notices

“Nearly every piece of privacy legislation requires some form of privacy notice to some constituent,” said Dry-Wasson. “We need to understand what needs to be in that privacy notice, when we need to provide that notice, who we need to provide it to, and how we distribute it.” For the CCPA, that includes notification of consumers’ privacy rights. Under the GDPR, it includes notice around data transfers and Privacy Shield certification.

4. Embed necessary privacy language into contracts with customers and vendors

For any personal data you collect, you are responsible for it downstream as it is disclosed to others. So you need contractual language that holds customers and suppliers accountable to appropriate privacy controls. Draft template contracts, with corresponding playbooks and training for personnel who negotiate contracts. Make sure the language follows CCPA guidelines while being broad enough to meet privacy laws worldwide.

5. Build a workflow for fulfilling data subject rights requests

Both the CCPA and the GDPR grant data subjects the right of access to their personal data – or the right to have it deleted. Implement a technology system to accept, track and fulfill those requests. Consider ways to enable self-help to address these requests, building Privacy by Design precepts into your IT systems.

6. Have a well-established protocol for handling incidents, complaints, and breaches

Under the CCPA, a data breach could open the floodgates for class action suits. You need a tested, documented security and privacy incident response process, preferably with tools for tracking it, and a tight partnership with your IT and Info Sec teams for incident navigation.

“Provide training to your people so they know without hesitation how to report something,” said Dry-Wasson. “That 72 hours can go by in a blink, particularly when things happen on a Friday, and we can absolutely concur that this is the kind of thing that tends to occur on Friday afternoons.

“Have vendors under contract for services such as forensics, call centers, and credit monitoring already established. You don’t want to do this in a crisis, and you won’t have time.”

7. Train everybody in the organization on CCPA and GDPR requirements

“I can’t reiterate enough how important it is to have solid training and awareness,” said Dry-Wasson. “That could be online, it could be in-person, but it should absolutely be both high-level and role-based.” At Allegis, this effort is led by a dedicated change manager in the privacy office. The firm also hired a data privacy officer – a GDPR requirement, but not mandated by the CCPA.

8. Adopt Privacy by Design concepts and data privacy impact assessments

The Privacy by Design framework embeds privacy into the design and operation of IT systems, networked infrastructure, and business practices. The GDPR requires it; the CCPA does not, but it’s a best practice that reduces the cost of future development by taking privacy into account early.

Article 35 of the GDPR requires an impact assessment before data processing activities that could post a high privacy risk. It’s not required by the CCPA, but it’s certainly a best practice.

9. Implement rigorous data security practices

“Security is obviously a critical element of every one of the privacy laws,” said Dry-Wasson. “While most of them don’t get specifically prescriptive about what you have to do, you should be considering appropriate controls to protect data, looking at places where you can do pseudonymization, encryption, or anonymization where appropriate.”

Consider pursuing certifications such as the ISO/IEC 27000 family of standards for information security. And make sure you have strong and well-documented information security policies in place.

10. Regularly revisit the organization’s CCPA and GDPR readiness

“A year into the life of GDPR, we’ve seen that compliance is a process, and it isn’t an event,” said Jeanne Kelly, a partner specializing in data protection and privacy at LK Shields in Ireland. “No company really ever reaches a point of which they can say, ‘I am now GDPR compliant.’”

However, you can demonstrate that you’re keeping pace with evolving requirements. Have strong research systems in place to stay current on data privacy laws. Be thorough about accountability and documentation. Consider third party audits or various readiness assessment tools so you’ll be able to show regulators the work you’ve done.

MKT-18528-CCPA-Graphic-2

Closing thoughts

“Companies had to re-engineer their entire business processes across the entire spectrum of their activity to comply with the law,” said Kelly of the impact of GDPR in the EU. “It has been a very large-scale exercise for a lot of companies. And it is rendered large-scale in part because it is a very broad-sweep privacy law and applies to employee data, consumer data, customer data, any personal data that you’re processing and controlling within your operations.”

Even before CCPA comes into force, compliance has – and will remain – an ongoing effort. “Week by week, we’re seeing companies having to revisit their compliance programs, maybe having another look at decisions they made last May in the flurry of GDPR preparedness,” said Kelly. “Companies who believed they would need a couple of people or a team of three or four to manage GDPR-related work have had to revisit those decisions.”

For all the cost and complexity, are these rules and compliance activities actually protecting important personal rights in a commercially practical way? Is there too much potential for privacy regulations to be abused as a litigation tool?

“My personal view is that most of these laws are guided by things that don’t work well in corporate America,” said Dry-Wasson. “Privacy is an incredibly important concept, and the US has probably lacked the right level of sensitivity towards it. On the flip side, you can take it so far that at some point it starts to not be manageable or achieving its purpose. Trying to run a business in line with some of these requirements is difficult and sometimes nearly impossible.”

Learn more

View the on-demand recording of the May 2019 webinar, How Companies Can Address Emerging Compliance Risks in Privacy, hosted by Bloomberg Law and sponsored by Ankura, Integreon, and Mindcrest.

Return to the Privacy & Data Security Law Resources page.

Top