Enterprises are less than three months away from the arrival of the California Consumer Privacy Act (CCPA) on January 1, 2020. Often referred to as ‘America’s GDPR’, the CCPA gives residents of California the power to ask companies to share all the data that has been collected on them. But what do UK businesses need to be aware of?
UK Businesses that collect or store the personal information of California residents, and additionally either: (a) have a gross annual revenue totalling over $25 million, or (b) buy, receive, sell, or share (for commercial purposes) the personal information of 50,000 or more consumers, households, or devices per year, or (c) derive more than half of annual revenues from selling California residents’ personal data. The CCPA also applies to entities that control or are controlled by such businesses.
UK Businesses without a physical presence in California aren’t off the hook either, so long as they are doing business in California. The act also applies to employees of covered businesses.
CCPA vs. GDPR
Much of the work put in for GDPR compliance will pay dividends again for many UK businesses. Indeed, GDPR and CCPA have their similarities. The notification/disclosure obligations, and the rights of consumers to access, limit the use of, and demand deletion of their data, are fairly similar under both regimes. The justification required to collect and use consumer data differs somewhat (‘Opt-Out’ under CCPA, versus a ‘legal basis for processing’; consent or so-called ‘Opt-In’ is only one of six justifications under GDPR).
However, while the impact of the CCPA on most UK businesses is likely to be less burdensome than was the case for the EU’s GDPR, according to Robert Cattanach, a partner at the international law firm Dorsey & Whitney, some of the ‘lighter touch’ aspects of the CCPA may actually create hidden, but significant, challenges for many companies, regardless of their size.
“CCPA creates private enforcement rights for data breaches, which GDPR does not include,” said Cattanach. “This is likely to create massive liabilities for US companies – but only for those unfortunate enough to suffer a data breach. More subtly, but relevant for all companies required to comply with CCPA, GDPR’s “action-forcing mechanisms” ensure that companies will be more than ‘paper compliance’ – specifically Article 30’s requirement for companies to maintain a record of all processing activities and Article 37’s requirement to appoint a Data Protection Officer. These have no corollary in CCPA.”
Less regulatory bandwidth
According to Cattanach, at first, this might seem to be one of the welcome ‘lighter touches’ of CCPA — two fewer regulatory obligations that a company will have to deal with. As a practical matter, however, this has the potential to lull companies into a misleading sense of regulatory security.
He explained: “Without a mandatory mechanism by which regulators can quickly check how a company is actually complying with CCPA equivalent to the GDPR’s Article 30, and with no requirement that a specific individual within the company such as a DPO be identified as accountable for ensuring that the company is, in fact, operationalising its regulatory obligations, actual – as opposed to paper – compliance, may risk stalling once the boilerplate documentation is in place.
The California Consumer Privacy Act: is the EU’s data privacy regulation having an international impact?
Matt Lock, Director of Solutions Engineers at Varonis, explores, in Information Age, how the California Consumer Privacy Act has been influenced by the GDPR and whether it could act as a catalyst for other US states to follow suit?
“In the EU, supervisory authorities can gain immediate insight into a company’s actual compliance by asking to see the record of processing required under Article 30. No similar ‘quick check’ is available under CCPA. And, California lacks the regulatory bandwidth to assess whether each, or almost any, company’s stated CCPA commitments have in fact been incorporated into their actual data collection and processing activities.”
“Similarly, the realities of budget limitations cannot be understated,” argued Cattanach. “Many companies that have gone through the arduous GDPR compliance process may be suffering from privacy fatigue, and are informally benchmarking the cost/benefit of GDPR compliance against competitors whose efforts were less robust, with significantly more modest budget consequences.”
According to Cattanach, companies may even be tempted to assume that the information governance actions taken to comply with GDPR will largely suffice for CCPA. That, he said, would be an incorrect assumption in virtually all instances.
“For those companies that have not been through the GDPR compliance process, the challenge may seem even more daunting,” he said. “Many operate under a siloed collection of legacy systems that make it difficult, if not borderline impossible, to understand completely how data is collected, used and shared.
How the CCPA fits into the bigger picture and best practices to reduce litigation risk
He argued that until that essential element of information governance is integrated into all operational activities, compliance with CCPA may be a slow and incremental process.
“Invariably, budget realities have to intersect with risk tolerance. Given the significantly less risk of CCPA enforcement in non-breach circumstances for all but the largest tech companies and data marketers, compliance officers are likely to be pressed to justify the major budget expenditures required in order to achieve compliance with CCPA by January 1, 2020,” he said.
What should you do?
“Traditional wisdom advocates a ‘bottom-up’ data mapping exercise. Great in theory, but all accounts extremely challenging in practice,” argued Cattanach. He believes in a “more pragmatic” alternative: undertaking a self-assessment of the major functional components of CCPA.
He said: “Evaluate whether compliance gaps exist, and then develop an action plan for coming into compliance. While various types of self-assessment tools are generally available in the marketplace, almost all come with a risk: if a company documents its area of non-compliance, and a violation subsequently occurs before that compliance gap can be addressed, that company may have provided a roadmap to regulators and exposed itself to substantially greater penalties for knowing violations of CCPA.
“An alternative with substantially less risk is a self-assessment compliance tool that embeds actionable legal advice. This can protect the results under attorney-client privilege, and allows companies to understand their compliance status without substantially increasing their exposure to knowing violations.”
Robert Cattanach is a partner at the international law firm Dorsey & Whitney. He has previously worked as a trial attorney for the United States Department of Justice and was also special counsel to the Secretary of the Navy. Today he is specialised in cyber security, data breaches, privacy and telecommunications, and international regulatory compliance.