The California Attorney General Xavier Becerra has released the draft proposed regulations on how the state will enforce the California Consumer Protection Act (CCPA) that comes into force on January 1, 2020.
A period for written public comment will close on December 6, 2019. A second public comment period will follow for any subsequent revisions, meaning the final regulations may not be published until close to the July 1, 2020, deadline set by the legislature. However, Becerra made it clear that ‘the law is the law’, and covered firms need to be compliant from January.
Becerra’s regulations are important. CCPA was drafted after Europe’s General Data Protection Regulation and following the Facebook/Cambridge Analytica debacle — and possibly with too much haste. The AG’s regulations will provide guidance on the more challenging issues and ambiguities within the legislation, and potentially provide a checklist on how covered firms should treat compliance.
The guidance is in the form of a 24-page document comprising seven Articles. The first is general scope and definitions. The last is a standard severability statement. The meat is found in the intervening five Articles (the following is far from a complete summary of the content).
Article 2 provides a detailed discussion on the data collection notice that must be provided to consumers. This must be presented at or before any data collection. It must be in plain and visible language. It must explain what is collected and why. If information is sold, the notice must include a link to the ability to instruct, ‘do not sell my information’. ‘Do not sell’ and ‘do not track’ instructions must be obeyed.
Article 3 examines the requirements on handling consumer data requests. This must include at least two methods for the consumer to submit requests to know what data is being sold or to request that the data be deleted. Confirmation of receipt of such requests must be made within 10 days, and action must be performed within 45 days from receipt of the request (or 90 days if the company provides a notice and explanation for the reason for the extra delay). The required opt-out option must be obeyed within 15 days of the request.
Article 4 discusses the need to verify the identity of the individual when handling consumer data requests. It is obviously important that companies do not provide personal information to anyone other than the source of that information. So, for example, the AG’s regulations include, “A business shall implement reasonable security measures to detect fraudulent identity-verification activity and prevent the unauthorized access to or deletion of a consumer’s personal information.”
Article 5 looks at the special rules regarding minors. The CCPA includes regulation over the collection of personal data from minors under the age of 13, and those aged between 13 years and 16 years. For those under the age of 13, there must be parental authorization, such as a signed document provided by postal mail, fax, or electronic scan. For minors aged between 13 and 16, after complying with all the opt-in requirements of CCPA, they must separately be informed of their right to opt-out at a later date.
Article 6 examines the rules around non-discrimination. For example, it discusses the users’ right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.
Although chronologically CCPA follows the GDPR, the two are not the same, and compliance with one does not confer compliance with the other. “Whilst the intent behind CCPA is sound — the protection of personal data,” comments Steve Durbin, managing director of the London-based Information Security Forum; “it was written into law in a hurry and does not have the same level of robustness and teeth that its European cousin the GDPR has.”
GDPR applies to all firms handling EU residents’ personal data; CCPA is limited to companies with gross annual revenues in excess of $25 million, that handle the personal data of more than 50,000 consumers, or derive more than 50% of annual revenue from selling consumers’ personal information. Both, however, have the potential to deliver massive fines: up to 4% of global annual revenue for GDPR, and up to $7,500 for each intentional violation of an individual’s rights under CCPA.
Thus, if the Cambridge Analytica incident had occurred under GDPR, Facebook could potentially have faced a fine of up to $1.6 billion. Under CCPA, the theoretically maximum potential fine could have been 6.7 million times $7,500 — or more than $50 billion. (Facebook estimated that there were 6.7 million residents of California affected.) These are scary figures that are meant to scare — maximums are not likely to be imposed in reality.
One similarity between the two laws is that they apply to companies doing business in the regions concerned (EU residents for GDPR, and the state of California for CCPA). Their reach is consequently beyond their regional borders — GDPR to potentially any firm in the world, and CCPA certainly to any business in the U.S., and potentially beyond.
Given the size of CCPA’s potential fines, it will be important for all U.S. firms that operate a website that collects any personal data to ensure their compliance. ” As CCPA comes into effect,” comments Heather Paunet, VP of product management at San Jose-based Untangle, “customers will be able to act on their rights within California to control their data. Businesses will need to be ready to respond to customer requests such as requesting a copy of the information being kept about them, or asking that all information about them be removed.”
The new regulations provided by AG Becerra are an important aid to ensuring compliance. However, the current version is unlikely to be the final version. Robert Cruz, senior director of information governance at Portland-based Smarsh is hoping for more advice on data retention. “Firms in industries such as financial services, healthcare, energy, and others have a regulatory obligation to preserve information that can appear to be in conflict with some of the provisions of the CCPA. This is a similar situation that firms experienced in the EU with GDPR, and additional guidance would be useful to help firms adjust retention policies.”
Secondly, he adds that the language within the law that defines personal information to include devices that are associated with a specific individual, “would appear to be very complicated to implement and enforce given the variety of devices and modalities used by individuals today… This provision could be clarified, or guidance on practices that firms can implement should be provided.”
Thirdly, he said, “the ‘reach back’ provision of CCPA that requires firms to respond to requests going back 12 months prior to the date of the request will be extraordinarily complex for many firms to comply with. Considering that CCPA will be implemented in January 2020, this implies that firms will potentially have to identify and retrieve communications from January 2019. Suffice to say, firms that do not have regulatory obligations to retain information will be challenged by this requirement.”
The big tech companies lobbied hard to weaken the provisions of CCPA. One of the arguments has always been that such regulations damage innovation Becerra does not accept this. At a press conference announcing the regulations, he commented, “We believe innovation shouldn’t come at the expense of privacy. We know we can have both. California can walk and chew gum.”
Lobbying by the tech firms has now turned to Washington. With a strong California privacy law, those same big tech companies are now arguing for an overriding federal law. Their argument is that with so many individual states having or planning their own privacy laws, the result is a burden on all businesses that must ensure compliance with a large number of varying regulations. This is a valid argument, even though the opportunity to help shape a weaker law federal law is also attractive. Opinion on this possibility varies.
“We are still nowhere near a consistent approach to privacy and personal information usage in the United States and I do not anticipate this changing with a federal regulation any time soon,” comments Steve Durbin.
Robert Cruz agrees, but is not convinced. “Is there a chance of the CCPA being overwritten by a (weaker) federal law? Unfortunately, yes. There are currently a dozen state privacy laws either in draft or actively being considered, each with unique provisions around rights of minors, opt out requirements, biometric data, social media, and so on; which could create a very complex quilt of regulations for firms with clients in multiple states. This is why many organizations such as Facebook and Google are advocating for a consistent set of Federal rules. The likely result will be legislation based upon a set of common denominators across states, which would very likely be weaker than CCPA.” But, he adds, “The likelihood of such federal rules under the current administration is low.”
U.S. firms with any operation in California cannot afford to wait in the hope of a weaker federal law. CCPA should be treated as if it is here to stay. It comes into force in less than three months’ time. From that point, covered firms should be able to comply with the new law going forward; but also, be ready to provide details going back 12 months. In effect, those firms should already be complying.