The California Consumer Privacy Act: GDPR with extra litigation
What companies need to know as new data-privacy rules look to reverberate past the Golden State
Peggy Daley and Michael Bandemer
Here’s a prediction you can bank on: Come Wednesday, January 1, 2020, legions of internet users will be at their computers hunting for the personal data companies have collected about them, ordering the companies to stop selling it and even demanding it be deleted—all rights granted to them by the California Consumer Privacy Act (CCPA), a statute akin to Europe’s General Data Protection Regulation (GDPR) and scheduled to take effect that day.
While the bill has won praise for its consumer-protection provisions—State Senator Bob Hertzberg, a Democrat from the San Fernando Valley, called it “a huge step forward for people across the country”—not everyone is so enthusiastic. A top Google official said the bill’s ramifications are “really difficult to understand.”
Google’s brass and less technologically savvy business leaders—i.e., everyone—have more than a year to wrap their heads around what to expect from the coming regime. But whatever its finer points, one thing just about every executive, everywhere, can expect is a potentially staggering legal exposure if they haven’t complied when the calendar flips to 2020.
And complying with CCPA won’t be easy. The deadline is relatively tight. The technical requirements are demanding, particularly for companies whose core expertise lies outside of tech. Even those that try to do the right thing may have blind spots that leave them vulnerable to litigation, although as we explain below, there are ways to prepare.
The California Consumer Privacy Act vs. GDPR: How they compare
For many beleaguered compliance professionals, the CCPA is sure to feel like the second blow in a one-two punch. The act passed in June, just after everyone had raced to meet the May GDPR deadline. And while it would be nice if those efforts were enough to bring a company into compliance with CCPA, we’re looking at a different ballgame in California.
“The content of the laws are sufficiently different that you want to treat them individually,” Stephanie Malaska, an attorney at BakerHostetler, said in a recent webinar hosted by BRG.
Like GDPR, CCPA carries stiff penalties: Consumers can sue for up to $7,500 for each breach, which could be multiplied by thousands (or even millions) in the case of class actions. Both CCPA and GDPR endow consumers with similar rights: to know what data about them is collected and how it is used, to prevent its sale and demand its deletion. Both apply to not just companies that are physically located in the governing jurisdictions, but also any company in the world that does business in those jurisdictions. CCPA applies to for-profit companies that generate revenue over $25 million; derive at least 50 percent of revenue from selling consumers’ personal information; or collect, sell or share information from at least 50,000 consumers, households or devices.
But the GDPR and CCPA have key differences. CCPA defines personal information more broadly; it applies not just to natural persons but also to households and devices. While GDPR mostly governs online data, CCPA extends its reach to brick-and-mortar businesses. Likewise, CCPA mandates that companies display a toll-free number where consumers can opt out in addition to displaying a “clear and conspicuous” homepage link that reads “Do Not Sell My Personal Information.”
The California Consumer Privacy Act’s legal blind spots
But in reality, the biggest difference between the Californian and European laws stems from the US litigation environment. Litigious Americans and ambitious plaintiffs’ attorneys will pounce on any perceived gap in compliance, creating a risk of lawsuits, including class actions, and large payouts in California beyond anything businesses face in Europe. As currently written, however, it’s not a foregone conclusion that the class-action bar will reap a large payday. The law gives the California attorney general the option to block a plaintiff’s action, or the AG can choose to prosecute an action itself.
“The new consumer privacy rights created under the CCPA represent a watershed moment in US privacy regulation,” W. Reece Hirsch, a privacy attorney at Morgan, Lewis & Bockius, recently told Bloomberg Law.
Avoiding those risks boils down to a simple proposition: understanding your data. But that’s where the simplicity ends. Executives doing business in California will have to demonstrate that they know where their data lives, how they are handling it and what they are doing with it. They’ll also need to be able to show how they’ll comply when a consumer opts out and how they’ll purge an individual’s data when requested.
If you’re one of those leaders, your first step will be mapping all of the personal data you collect, as many companies have done for GDPR. If yours hasn’t, it’s worth doing as soon as possible, as it will significantly impact both liability under CCPA and your compliance budget. Again, the deadline is tight, and most companies will need to budget for the necessary forensics and technical work in 2019.
The simplified timeline on the previous page demonstrates why companies need to begin CCPA compliance efforts immediately.
If you end up in litigation, you should be able to easily identify, locate and produce data associated with the plaintiff, whether it’s an individual or a class of individuals with millions of people in it. This is fairly simple to do with databases that are formally developed and managed by an IT department. The real vulnerability exists with unstructured data—where someone extracts data from a database and manipulates it, for example by creating a spreadsheet or an Access database.
Employees might do this sort of extraction for many reasons: to conduct an internal analysis, share with another division, sell or transfer to a third party or establish an informal sales database. Any of those is likely to leave the data set outside of the company’s core compliance efforts. The best way to detect these vulnerabilities is by using the analytical tools that are frequently deployed in litigation discovery. Such tools can search across an entire network, including file shares and user workstations, to find where such rogue copies of data may exist.
CCPA may also create significant liability for companies that use third-party agents or purchase lead lists to market their products. In particular, large companies that rely on third parties that haven’t diligently complied with CCPA could become attractive targets for class action suits. There is precedent. Cruise operators have been sued under the Telephone Consumer Protection Act (aimed at preventing robocalls) as a result of travel agents who allegedly called consumers without consent in order to sell vacation travel packages. Ensuring your vendors take CCPA seriously will be critical.
Consumer privacy is a moving target
It’s important to note that CCPA may evolve before its enforcement deadline. The act, Assembly Bill 375, passed just one week after its introduction, in a frantic but successful effort to forestall a citizen ballot initiative that many business leaders viewed as draconian and potentially damaging to California’s economy. The tech industry argued that the bill was bad for jobs and business but came around when it decided the bill would be easier to modify than a ballot initiative, which requires a large supermajority to change.
Lobbying by both consumer privacy and business interests is bound to be fierce in the coming months. Both sides have expressed dissatisfaction with the law. The Northern California ACLU contends that it “falls woefully short of protecting Californians’ privacy,” while the Internet Association, an industry group, is urging policymakers “to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create for California’s consumers and businesses alike.”
Either way, the California legislature is unlikely to significantly weaken the law, nor are lobbyists likely to encourage it to do so. Gutting CCPA would risk reviving the more stringent ballot initiative.
Another possibility, albeit remote, is that a federal law may emerge, superseding CCPA under the Commerce Clause of the US Constitution before the act goes into effect. So far, Congress has shown little appetite for digital privacy issues, but business lobbyists and other deep-pocketed interests now have an urgent incentive to change that.
Uncertainty aside, as many companies learned the hard way with GDPR, it pays to get ready—before it’s too late.
Peggy Daley is a managing director and member of BRG’s Global Investigations + Strategic Intelligence practice.
Michael Bandemer is a managing director and a leader in BRG’s Discovery and Forensic Technology practice.