The California Consumer Privacy Act (CCPA), the first comprehensive privacy law in the United States, went into effect on January 1, 2020. The law grants new rights to consumers in California regarding access to and deletion of their personally identifiable information (PII) collected by corporations.
While there is a six-month grace period before enforcement kicks in, companies that have consumers in California need to start taking steps now to get into compliance, and many are struggling with how to get started. The law is diffuse and vague, which makes adherence to the requirements challenging.
On January 30th, 1904labs held a roundtable breakfast with leading experts in the legal, risk management, and technology space to discuss how top companies are reducing their exposure to the hidden costs, deadlines, and risks associated with CCPA regulations.
- Moderator: Leslie McIntosh, CEO of Ripeta and internationally-recognized machine learning and data science consultant
- Pasha Sternberg, Associate at Polsinelli
- Eric Paulson, Manager, Advisory Services - Cyber Risk at Grant Thornton
- Jonathan Andrews, Senior Director of IT Information Governance at Charter Spectrum
Here are some of the key questions the panel covered to help add clarity to the new regulation and give examples of how top enterprises are tackling compliance.
1. Why do St. Louis companies care?
This law applies to any consumer in California, so if you have a website, it will apply regardless of where the company is headquartered. But more importantly, what’s the risk for St. Louis companies? In terms of enforcement, attorneys general may be more incentivized to go after companies outside of California, said Sternberg.
Moreover, California is setting the precedent, but this is only the beginning. Very likely, more states will be soon to follow, and it will be a nationwide problem and not specific to California.
2. What are the risks and obligations that companies need to be aware of?
Andrews pointed out that CCPA significantly expands what PII is and now also includes things like electronic communications, location data, and even browsing activity. And it also includes all inferences made based on that information. It’s very difficult to categorize that data within a large organization.
Sternberg said that many companies that come to him for legal advice about CCPA think it will be a quick conversation and complying won’t be a big deal, but it’s a really broad law which makes it very difficult to comply effectively.
The data definitions within the law include:
- The law applies to any PII, meaning any data that identifies a specific consumer; this extends even to IP addresses, cookies, and similar identifiers.
- Consumers are really anyone in California.
- New rights include the ability to find out which information companies have on them, to delete it, to know if the company is benefitting from the sale of that data, and to be notified when data is being collected. The tricky thing with the provision around the sale of data is that it includes any benefit the company receives from sharing that data, which can also be an exchange of services, said Paulson.
- These provisions also apply to third parties that you might work with.
With the third-party provision, Spectrum had to do over 400 contract reviews as part of the compliance process, said Andrews.
3. How much data are we talking about?
In Spectrum's case, they have over 8,000 databases, 20,000 lower environments. The potential contamination of PII in that environment just with structured data is astronomical. They are dealing with 22 billion rows of data per day about transaction information.
“To fully comply with the law, it’s over a terabyte of data per request.” - Jonathan Andrews, Senior Director of IT Information Governance, Charter Spectrum
4. Given it’s not a well-written law, how do you deal with that uncertainty?
A risk-based approach is the best we can do at this point, said Sternberg, “Start at a high level, and ideally, by the time we get to the details, they’ll be there.”
For Spectrum, while the law is unclear, it provides enough of a framework, and its definition of PII is so comprehensive that you can tag those identifiers to California and adjust as other states add data privacy laws. Right now, it’s about building the catalog that can work for future laws too.
“If there is a good side to this for businesses, it’s forcing them to create a good data map.” - Pasha Sternberg, Associate, Polsinelli
The statutory requirement makes it easy to justify creating a solid data map to the CFO by asking the question: should we spend two hundred thousand dollars now or potentially $3.5M if we experience a data breach? The panel all agreed: you have to have the data map to do anything else in compliance with the law.
Some other good questions came in from the audience as well:
1. Is data mapping for GDPR different than CCPA?
For the most part, data mapping done for GDPR can be applied to CCPA compliance. However, CCPA places more emphasis on the sale of data and adds new categories of PII. At the very least, GDPR work gives you a strong starting point for CCPA. Two key considerations if you’ve already gone through compliance for GDPR:
- Be sure that what you did for GDPR included all of your systems and not just those that relate to the EU.
- You should be doing data mapping every year to keep it updated and accurate.
2. Are you only fulfilling requests from California? What if someone was a recent California resident?
According to Paulson, “Companies can choose whether or not to respond, and typically, they are choosing not to since you aren’t legally obligated to respond. Some respond because they want to have that be associated with their brand.” Spectrum is following that same process. They’re tracking all requests from other locations but declining to respond. Logging requests, even if you’re not responding, is a critical procedure in order to have that documentation and be covered legally.
3. What volume of requests are you experiencing in the first month?
So far, Spectrum is seeing fewer than five requests per day, with 20% coming from locations outside of California. However, Andrews’ perspective is that the volume could increase as there’s more coverage in the news and on social media.
4. Are breaches the primary concern for penalties within CCPA? Or is the concern failing to respond?
It’s both. “There are two avenues for penalties: 1) The attorney general can issue fines, and 2) consumers can also pursue private right of action suits. Unlike previous laws, the plaintiff doesn’t have to show any damages from a breach and can automatically sue for $750,” said Sternberg.
From a risk perspective, the new right to request access and deletion is likely to receive more focus. Fulfilling those requests requires new systems and procedures that most companies do not already have.
5. What department is actually responsible for the intake of CCPA requests?
Typically, it falls more under privacy or security rather than customer service. IT security typically owns these systems, so ultimately, the requests should go back to them, concluded Paulson.
For the panelists, their key takeaways for the audience were:
- Sternberg - “Work with someone who knows what they’re doing.”
- Paulson - “Start automating these procedures and mature your program. Data privacy isn’t going away, and investing in automation will save you money in the long run.”
- Andrews - “Don’t boil the ocean. Get processes and inventory in order. You’ll see other benefits beyond reduced risk and increased customer satisfaction. For example, storage requirements will likely also be reduced by eliminating redundant data. We’re only seeing the bleeding edge of data privacy.”
If you have other questions about CCPA, please email firstname.lastname@example.org and we can get those to our panel!