New U.S. Privacy Laws Follow GDPR Trend
With the approval of the CPRA citizen’s initiative (Consumer Privacy Reform Act amending the CCPA – Proposition 24) and the introduction of new privacy legislation in New York and elsewhere, all moving toward a U.S. equivalent of GDPR, it is time to face the fact that U.S. privacy compliance obligations are here to stay. When GDPR enforcement began in 2018, many U.S. businesses that were not operating in the EU considered it something that was happening “over there.” Enforcement of the California CCPA (California Consumer Privacy Act) began in January 2020. Now the hope of avoiding strict privacy compliance obligations “over here” is only a dream. The CPRA amended and strengthened the CCPA, moving it closer to the protections afforded to EU citizens and, post-Brexit, to UK citizens. (Proposition 24 approved November 2020; Effective 1/1/23.)
There are privacy bills pending before the New York Assembly that, like CCPA/CPRA, adopt many of the key privacy principles staked out by the GDPR: Consent, Privacy by Design, Data Minimization, Lawful Purpose, and Information Security. In addition, both the California law and some of the New York bills will have real teeth. They authorize a private right of action – giving individuals the right to sue for some violations – backed by the power of the state attorneys general to investigate and sue.
The combined population of California and New York is about 59 million or 18% of the country. Both states are centers of tech innovation and international trade. Even without federal legislation, the impact of these two states (along with several smaller states adopting similar privacy compliance obligations) should compel businesses to wake up and smell the coffee on privacy compliance.
Privacy compliance obligations do not involve rocket science for most organizations. Protection of digital assets through data protection or cybersecurity programs is already a core function of any IT department. Many of the technical tools necessary to protect privacy may already be in place if the organization uses GDPR-compliant IT products. The tools to protect Personal Information (commonly referred to as PI, or as PII or PHI under other privacy laws), such as encryption, are already part of the information security toolkit used by IT departments to protect other important business assets.
Beyond the ability to protect all digital assets from tampering, unauthorized use, copying, disclosure, or other risks, privacy compliance obligations require a shift of organizational mindset concerning the security of important information assets. By way of comparison, a security breach disclosing trade secrets or confidential operations information is harmful but unlikely to trigger privacy law penalties. However, any unauthorized penetration of systems protecting Personal Information could trigger mandatory privacy law reporting obligations and fines.
Privacy compliance obligations require special levels of treatment of PI, with enhanced risk management obligations for “sensitive data” as defined by each particular law. The text of privacy laws and regulations is peppered with the legal term “reasonable,” indicating that the level of protection afforded to private data is subject to a risk management analysis. The fundamental first step for any organization hoping to achieve compliance is therefore to identify all of the PI that it collects, stores, processes, or otherwise touches.
The second paradigm shift is the consent to lawful processing obligation. It not only requires clear and specific opt-in provisions but gives the individual various rights over his/her PI, including data portability, removal, correction, etc. As part of this shift, privacy compliance obligations require organizations not only to identify where ALL the PI exists in their systems (cloud, backup, business continuation, HR department, eCommerce, vendor systems, etc.) but to be able to trace, locate, correct, or wipe/sanitize the PI on request of ANY individual. This is a game changer, so information technology solutions designed to bulk process data need to be modified to ensure this can be done, with an audit trail.
A third paradigm shift flows from the difficulty of adding privacy data controls to systems that were not designed to continually track individual consent to processing of PI. One of the key GDPR principles is known as Privacy by Design (PbD). This is not a new or radical idea; PbD was first proposed by Dr. Ann Cavoukian in the 1990s as part of seven foundational privacy principles. Going forward, the writing is on the wall that privacy compliance obligations cannot be ignored, especially in an increasingly data-driven economy. All operational and technology decisions should be considered in light of the PbD principles, where privacy is the default setting.
Does the CCPA/CPRA Apply Outside of California?
In general, if your for-profit organization does business in California, collects PI on California residents, and satisfies one of three requirements, it is covered:
- has gross revenue >$25m;
- derives >50% of annual revenue selling consumer PI; or
- deals in the PI of >50K consumers/households/devices per year.
This quick test is no substitute for an analysis by competent privacy counsel. Expect that the scope of any successful New York privacy legislation will similarly focus on interactions with New York residents. Similarly, the GDPR operates to protect the privacy rights of people in Europe. The obligations, restrictions, and penalties in each of these privacy regimes apply to organizations outside of the respective jurisdictions. That is, you do not need to be headquartered in, have a satellite office in, or have employees in California to be subject to privacy compliance obligations created by CCPA/CPRA.
Blueprint for Compliance with CCPA/CPRA
Compliance is not a one-shot deal. Initial compliance may or may not be a heavy lift, but as CCPA regulations are further developed and as data-driven technologies (AI, machine learning, etc.) are incorporated in more products and services, protecting the privacy of sensitive PI must become an ongoing process improvement. Generally, best-practices considerations call for compliance with the most onerous or comprehensive compliance obligations. Currently, the technical and organizational processes necessary to comply with the GDPR can, with modification, serve the needs of CCPA/CPRA compliance. As the U.S. privacy legislation landscape changes, each organization should consider reviewing its compliance posture at least annually, to keep up with developments in the law.
Step 1 – Board Level Support is Critical to Success
- Advise Board of Directors regarding risks of non-compliance & privacy law trends
- Obtain management support at C-level to begin/modify compliance program
- Create program team; assign accountability; clarify reporting
- Budget for both technical and organizational components
Step 2 – Gap Analysis
- Review CCPA/CPRA requirements
- Review additional current and expected privacy compliance obligations
- Audit privacy and security programs for compliance
- Identify gaps requiring improvement
Step 3 – Data Mapping
- Identify CA consumers whose PI is being processed
- Identify types or categories of PI (e.g., sensitive, biometric, PCI/DSS, etc.)
- Can business purpose for PI be tracked?
- Identify all systems with PI (cloud, backup, business continuation, vendors, etc.)
- Identify all vendors & other third parties with access to PI
- Identify use and life cycle of PI
- Run data discovery tools to identify unknown/unstructured PI repositories
- Create data flow maps and complete inventory of types/locations of PI
Step 4 – Modify Data Protection & Privacy Policies & Procedures for Compliance
Privacy Notices Should
- Detail the categories of personal information collected
- Detail the lawful purpose for each category of information collected
- Detail the business purpose behind any sharing, disclosing, sale, or other use of personal information
- Detail what categories of personal information have been shared/sold/disclosed during the prior 12 months
- Clearly describe consumer rights under the CCPA
- Describe each of the ways a consumer can submit a request for information
- Detail the types of third parties to whom the organization may share/sell/disclose personal information (e.g., affiliates, subcontractors, data brokers, etc.)
- Detail the consumer opt-out rights
- Be updated at least annually
Access Request Obligations
- Develop clear and compliant methods through which consumers may submit data access requests
- Develop verification mechanisms, and audit trails, for identifying consumers requesting data access
If any Personal Information (PI) is Sold
- Develop processes, and audit trails, to timely respond to consumer requests
- Verify that personal information can actually be deleted/wiped/deidentified
- Identify all vendors and service providers with any access to personal information
- Verify that controls are in place to ensure deletion of personal info by vendors or service providers through contracts, certifications, audit requirements, or other methods
Step 5 – Implement Technical and Organizational Measures
- Can personal information be encrypted?
- Can personal information be deidentified, aggregated, or otherwise masked?
- Ensure that processes allow personal information to be updated/corrected/deleted across all storage media
- Ensure that IT systems are regularly patched/updated
- Ensure that IT systems are regularly tested for security weaknesses
- Evaluate risk management posture for adoption of a Cybersecurity Framework based on comprehensive compliance needs (e.g., NIST Cybersecurity Framework, ISO 27000 series, Secure Controls Framework, etc.)
- Develop and test mechanisms for data breach response, including notification timelines for law enforcement and consumers
- Meet all requirements of Cal. Civ. Code §1798.82(d) regarding mandatory consumer notices
- Develop policy and processes for legally valid opt-in for sale of children’s data
- Develop processes for data minimization
Step 6 – Develop and Document Training
- Update employee handbook
- Update company written information security program (WISP)
- Conduct mandatory training and updates for all staff regarding compliance requirements
- Develop and implement privacy code of ethics for staff and vendors
Step 7 – Audit
- Monitor compliance with training and implementation
- Conduct periodic internal audits of personal data life cycle – update data maps
- Audit change management to prevent non-compliant upgrades/updates to technology or organizational processes
The trend is clear: organizations everywhere increasingly collect and process personal information (PI or PII, or Personal Data under the GDPR) that is or soon will be protected by privacy compliance obligations. Privacy laws and regulations typically require analysis of the amount and sensitivity of PI in order to determine what is “reasonable” in terms of security measures and other protections. Reasonable security is not a defined term. A reasonableness standard allows organizations to craft compliance in accordance with the risks of harm to individuals whose PI is exposed in a breach. Cybersecurity Frameworks should be considered a baseline for what constitutes reasonable security; compliance can serve as a shield. In risk management terms, a Framework might also be used as a measure of whether efforts to protect PI met the applicable standard of care. Because failure to meet minimum standards could be actionable negligence, it is critical to set achievable objectives.