Episode 16: Peggy Daley - California Consumer Privacy Act
Managing Director Peggy Daley discusses the California Consumer Privacy Act, the lasting impact of the General Data Protection Regulation, California leading the way on regulations, and how companies can prepare for the growing regulatory requirements around data protection and privacy.
Peggy, thanks so much for joining us on the Thinkset Podcast today. How are you?
I'm great. How are you?
I'm doing real well. On a scale of 1 to 10, how big a deal is the new California Consumer Privacy Act? Aren't we just talking about one state?
I'm going to say it's an eight and a no. The California Consumer Data Privacy Act is now the strictest data privacy law in the country, and it's going to go into effect in 18 months. For companies that are affected, it means they need to build new systems and implement new policies regarding how their data's maintained. They have to determine what kind of data they're selling or they're buying, from whom and for what purposes, and how they're keeping those records. They have to figure out how to make that information readily available to consumers. They have to figure out how to implement the deletion requests that are going to come out of that because the law itself has a provision in it that will allow consumers to ask that their personal information be deleted. And they're going to have to build all that functionality, not only in their systems but through their websites. And if the companies fail to comply, there are very serious damages that are potentially available to consumers and to the attorney general of California. In data breaches, for example, under this new law, consumers may be able to sue for up to $750 for each violation, which doesn't sound like a lot for one consumer, but you have to think about the class-action bar, who then would be suing on behalf of a class of individuals, which can reach, as we've seen in other types of similar class-actions, millions of people. And the state attorney general can sue for intentional violations of the Privacy Act for up to $7,500 for each violation. So that can add up pretty quickly.
For both consumer and state lawsuits, companies are given 30 days to fix the problem. The Act was passed to head off a very strict ballot initiative in California, and the ballot initiative would have allowed suits for five times the damages per violation. So it's very significant. And California isn't just one state. One thing to really keep in mind is how big California really is. It's the fifth largest economy in the world. Its economy's bigger than Great Britain's. One in eight people in the United States lives in California. There are 40 million people there. So essentially, if you have to put together this rule for California, you're likely to try and implement it nationwide because a company doesn't want to be keeping separate data security and data privacy rules in place for different states. It's too hard to do.
As a native Californian, we are very proud of that economy statistic. I think it's grown since I was in school. It used to be something like the seventh or eighth. I'm happy to hear that it's grown to the fifth largest. Broadly speaking though, you've listed a couple of the things, but what will the act require of companies, and how difficult will it be for companies to follow these new rules going forward?
Well, let me first talk about what companies are covered under the law because I think that's sort of the first step. And it only covers companies that have $25 million or more in revenue, or that trade in data of 50,000 or more people or endpoints, or that derive 50% or more of their revenue from selling consumers' personal data. So your local plumber is not really going to be impacted here, and he's not going to have to worry about it and so forth. But when you get into the retail sector, it's going to be hugely impactful. What it allows is for consumers to have a right to know what data is being collected on them, the right to access, download, or transfer that personal information, the right to refuse to allow companies to sell their data, and the right to compel companies to delete private data that the companies collect on them, and it prohibits the selling of the data without consumer consent. And generally, it prohibits companies from penalizing consumers who exercise their rights under the law, so you can't punish. You can, however, incentivize your consumers. So you can give them an extra 10% off if they allow you to maintain their data. But one of the most important things is that the companies are going to need to have a button or feature on their website that is going to make it easy for consumers to access the data. And the button actually has to say, "Do not sell my personal information."
Some of the listeners may have encountered, after May, the implementation of the GDPR, where you saw-- it seemed like on one day, all of a sudden, everybody updated their privacy policies. And every time you went to a website, that's what you were getting. Well, that's because that's exactly what happened. And you saw that it was implemented in different ways. There were different interpretations as to exactly what they had to do. That's because the GDPR allowed for that interpretation. This new act does not. It needs to have that specific button. Now, how difficult it is to follow these rules really depends upon how sophisticated the company is and how aware it is of its own operations. If it's a company that's already implemented GDPR, this is not going to be all that hard in general. I'm not saying that they're not going to fight it, but it's going to be easier. For companies that did not have to do the GDPR implementation because they weren't selling globally, this could be very, very difficult to do. Many companies don't even understand where their own data is and how it's stored, and it may be maintained in places that are just not accessible. They may need to build entirely new systems. Oftentimes, they have no idea who they're buying data from because different parts of an organization may be buying data and storing it, and the general counsel's office may not have any clue that that's happening. So doing an initial assessment and some data mapping is really critical, and doing it really as early as possible. Even if you think that the law may change between now and implementation, if you don't do that early assessment and really get a handle on how hard this is going to be for your company to comply with, you're going to get into trouble. And that's what we saw with the GDPR as well. A lot of companies waited till the last minute, called us up at the ninth hour, and it was really difficult to get them in under the finish line.
I can imagine the amount of workload that would go into that. Especially given California's economy, with so many tech companies and the amount of data exchanged between them and collected, it's probably going to be a tough hill to climb. This isn't the first time, though, that California has been out front when it comes to regulation. As a state, it kind of has that reputation. Wasn't California also the home of the country's first data breach notification law?
Absolutely. And the thing that's very interesting about California is it really tends to be in the forefront of consumer protection. That may be as a result of its ballot initiative process, where the citizens, if they get enough signatures, can get an initiative on the ballot to be voted on. And that tends to, I think, push consumer protection at the legislative level to the forefront. And you see time and time again that California leads the nation in terms of those kinds of consumer protections. You see it in employment law, and you certainly see it in data protection. All the way back in 2003, they implemented the nation's first data breach disclosure laws. And it used to be, up until then, if a company held your data, and they got hacked, and somebody got all of your information, you would never know about it because the companies were not required to tell you. And California enacted the very first data breach disclosure law back in 2003. Now, since then, 45 states have followed that lead, along with Puerto Rico and the District of Columbia. So I think there's a reasonable expectation that the same thing may well happen here with the Consumer Data Privacy Act. What happens is, as a consumer, you may sit there in Nebraska or here - I'm in Illinois - and you ask your legislators, "Why is it that California and just those citizens are protected in such a way that I'm not?" And there becomes a demand, a drumbeat, that there be some parity in terms of how the consumers are treated. And generally, once the companies have had to implement something at the level of a state like California with that many people, there's less resistance to it.
How does that process sort of look? You described a little bit about California having the ability for ballot initiatives to get on to, sort of, the legislative agenda a little bit sooner than it might otherwise, but what effect does a law like, for example, the data breach law have on the rest of the country? Do they all keep tabs on California as a state that might be sort of the forbearer for things coming forward, and how do they adjust? Are there other states like that that you have to keep an eye on, that sort of lead the way in certain areas, whether it be data or other issues?
If you look at the blue versus red states, you tend to see that that kind of follows the same path in terms of which states are going to be more consumer-focused and put together more initiatives. So essentially, I wouldn't be surprised to see something like this act being picked up in New York or Massachusetts next. So it does follow that path. But eventually, when so many of the states start to follow that lead, it really becomes a snowball that you really can't stop. I don't know why those five states haven't bothered with the data breach notification-- but I can tell you that, more than likely, those states, those citizens, are in fact getting the notifications because I doubt that the companies are choosing not to disclose to Louisiana, or whoever that may be, because it's harder not to. At a certain point, you've got the consumer lists up, and you just hit the button, and you send the notifications. I think you'll start to see this more and more, and that doesn't mean that there aren't going to be some changes to this law. There likely are. There are 18 months between now and when it's supposed to be implemented, but I wouldn't expect to see it gutted because of that ballot initiative. If they try to gut this law, the ballot initiative will just come back. They were able to get 350,000 people to sign that, and it was set to be on the ballot in November, and it was only withdrawn because this law passed. So there may be some tweaks, and there may be some lobbying. In fact, I would absolutely expect to see your Facebooks, your Googles, the companies that are going to get really affected by this, lobby, but I would also expect on the other side that the class-action lawyers will start lobbying to make it easier for them to sue for violations. So stay tuned in terms of what this law will ultimately look like, but I wouldn't expect big changes.
Something that I wanted to ask about, Peggy, given that you are a lawyer, and someone who has a firm grasp of the politics, what are the different avenues available to influence these new rules?
Well, I think the very first one is, of course, to change the law before it goes into effect. That's the easiest and best way to do it. Although, it certainly isn't going to be a cakewalk to get any significant changes into it for the reasons that I've just stated. But once the law goes into effect, it then becomes subject to interpretation, right? So whether or not a particular word requires or mandates that something happen, whether or not the 45 days is an absolute barrier if you haven't got it done, I mean, it always comes down to what's a reasonable interpretation. And believe me, there's a distinction in what that means, what various words mean, and what various parts of laws mean, when you're asking corporate defense lawyers and class-action compliance lawyers. So it ultimately comes down to court decisions, and this is likely to be, and will be, mainly litigated in California. And if it's not litigated in California, it'll be litigated in another state applying California law. So you're going to see the California state judges interpreting the various aspects of it, and it's typically a very pro-consumer judiciary as well. That's why it's a pretty hot place to file class-actions. It doesn't mean that you won't get legal interpretations that are favorable to companies, but they're not likely to be very strict in terms of interpreting the consumer protection aspects of the law.
Now, you've also mentioned how this new law mirrors a law that just went into effect in Europe earlier this year, the General Data Protection Regulation or as most people know it, GDPR. Are there any major differences that people should be aware of between GDPR and the new rules in California? So if they are prepared for GDPR and they've already gone through this process, are there any additional things that they need to worry about or any things that they're already covered for because they've already gone through that process?
Yeah. There are some important distinctions. I mean, certainly this act was modeled on GDPR, but it is not a mirror image of it at all. One of the important distinctions is the idea of a legitimate interest exception. The GDPR excepts data that is maintained for a "legitimate interest of the business." So if you need it for tax purposes or something like that. So a lot of companies are relying on that legitimate interest exception to be able to maintain all kinds of data that they were maintaining before, but there's no such language in the California law. It doesn't exist. The California law explicitly states that a consumer has a right to be informed as to the categories of data that are shared and stored, and personal information is defined in a way that is much broader under the California law than it is under the GDPR. The personal information includes sort of standard categories that we all have seen in other cases, like people's names, or email addresses, or social security numbers. But it also covers unique personal identifiers such as IP addresses; geolocation data; shopping, browsing, and search histories; and consumer profiles that are based on inferences from personal information. So it's much, much broader. It's essentially the data and the metadata, and it's very specific. And that's one of those areas where companies just may not know everything that they're tracking, and they may not have an easy fix in terms of quickly compiling it and producing it.
One of the things that we see all the time with our clients is that when they get sued and they're asked to-- for example, we do a lot of work in TCPA defense, and so with these giant dialer databases that have millions of telephone calls recorded, it's very difficult for the clients to actually export that data and get it out to their own lawyers, let alone to consumers. So this could be a very difficult thing to do because it is so expansive, and more expansive than the GDPR. The California law suggests that online tracking cookies and mobile advertising IDs, which are used to collect information about individual devices, may fall under this jurisdiction as well. So it's much larger. And the damages that are specified in the California law don't exist in the GDPR either. The California law also mandates, as I talked about, a clear and conspicuous link titled "Do not sell my personal information"-- and what we've all seen, I think, under the GDPR when we ran into the websites after the main implementation day, they'd say, "Hey. We've updated our privacy." And you'd go in, and some of the new privacy policies were very clear, and you could quickly say, "No. I don't want my data, so do not track me." And some of them were very intentionally laborious to go through, and it was really, really kind of designed to wear you out, and just say, "Oh, you know, forget it. I really just want to read this news article. Go ahead and just take my data."
And you're not going to be allowed to do that under the California Act, at least with respect to selling the personal data, because you are required to have this red button that says, "No," and it's got to be easy. So they're anticipating corporate America's desire to make it difficult for consumers to opt out. And so those are sort of the differences, as well. And then we've talked about enforcement as well. The penalties and the attorney general issue, that's sort of a much more frightening specter for companies than what you're seeing under the GDPR.
Yeah. Everybody's always got a reasonable fear of the federal government coming in when something like this is involved. And you've talked a little bit-- I wanted to just go back a step about the data that people do sell. Having worked in a few tech companies, I appreciate the value of data. And a lot of times, when we were negotiating contracts, that was a big part of how much we'd be willing to pay for certain things, or we'd partner with certain companies because they had information that we were looking for. Could you give our listeners a little bit of background, just as an example, of how data moves and who's interested in buying it? What industries are really the biggest ones involved in the purchasing and selling of data?
Sure. It's a big question, but we're in the information age, right? So if you look at it with regard to marketing, okay, everybody has products to sell. And if you're looking at things like retail, you really want to get a lot of information. If you're going to have targeted marketing, you want as much information as you possibly can about individuals, so you're not going to have this database. Let's say you're a sophisticated company and you're buying information from lots of different places. You're aggregating that information so that you're creating a profile of all the potential consumers. You've got a database that's going to have your name. It's going to have your address. It's going to have demographic information about how expensive your house is. And they're going to be projecting what they think your wealth is, what you make in a year, how old you are. And they're going to be looking at your browsing history. I mean, when you get them now, I mean, it's-- as you go onto Google, and all of a sudden-- you're doing research and you're looking to go to Portugal, and then all of a sudden, you'll start seeing ads for Portuguese hotels because they've tracked what you were looking at, and they know, "Ah, this is somebody who's already interested in what I have to do." It's very interesting. You can actually go into Google and look at your own profile, and it will tell you what it has guessed your age to be and all kinds of other information based on what your browsing history is. So if a 22-year-old looks up prune juice, they're going to get it wrong. And if grandma plays Warcraft, they're going to get it wrong, too.
But all that information is really useful for companies who are trying to figure out how to very efficiently spend their marketing money because it's limited, and they want to make sure that the messages are getting to the people that are actually going to be interested in it. And nobody wants to be mistargeting their advertising. So that's, in general, what it's used for, but it's abused as well.
Taking a quick step back, though, to the GDPR. And you talked about how some companies waited until the 11th hour to really prepare for this and then started calling and didn't realize the amount of work that would go into it. Based on what you saw in those instances, what can you tell us about companies who choose to take their time preparing for this new California rule, hoping that it might get changed? What situation might they find themselves in?
Well, I don't want to be an alarmist, and certainly whenever you ask a consultant, "Should they be hired early?" the answer is always, "Yes. How about tomorrow?" But I think that there are different phases to this work, and the real money, the real hard dollars that are going to be spent, are not at the beginning. And because this law may change, because there's going to be some lobbying, I think there are going to be some incentives for some companies to just kind of hit the pause button and see how things play out. But I think that's a mistake, in that I think it's important to get an initial assessment of what your data is, what kind of data you're maintaining, how you're maintaining it, what kind of data you're selling or buying, and get some estimates of what it's going to cost you to implement the law as is. And as part of that, you get a timeline. If this goes into effect the way it is right now in January 2020, when do I have to start working on this new database? Or when do I have to start changing all the programming on my website? How do I do that, and what's the timeline? And then, work backwards from there to figure out how much and when. I mean, you've got budgeting processes every year. I mean, a lot of this is going to have to go into next year's budget. So you need to figure that out this year, actually. I mean, you need to be looking at it now because I know, at least in my business, every year I have to put in my budgets in November and December, asking for operating money to do various projects. That's for next year. So you need to figure out what it's going to cost you next year now, in order to get that allocated.
So that's a really important step to take. And then, if the law changes, within that breathing space that you may have, depending on how sophisticated you already are, or maybe you're so small that it's not going to be that big a deal, then you can take a look at that timeline, see how things are working, and then push the button. But boy, waiting until the last minute is a terrible, terrible idea. We still have clients that have not implemented GDPR. They're working real hard on it. Companies try to comply. They do the best they can, but then, sometimes, there are systems issues that just are going to take time to deal with. I think you're probably going to see some of those kinds of arguments made. I wouldn't be surprised, for example, if this law gets pushed back. That next year's lobbying is, "Can we have another six months? We can't do this in time." That would be the kind of thing that wouldn't necessarily start a new ballot initiative. They just need to push it back six months. But I think you're going to need to have that be a real scenario, something that's factually based. If you're a company that needs to put it into place and you just can't get it done, you're going to need to have some sort of report that says, "This is how long it's going to be." You can't just go in and say, "I can't do it. It's hard." You have to say, "No. Here, we've done this really professional assessment. We've looked at our systems. It's going to require these particular hardware changes, and migrating this data from this database to that database, and protecting it along the way, will take X amount of weeks, or months, or what have you. And therefore, we can't hit the start line when you're telling us to do it even if we wanted to." But you need to have that information. You need to know what it's going to cost you in both time and money to get compliant.
Peggy, thank you so much for taking the time to join us today. We look forward to checking back in as this continues to evolve.
Oh, thanks for having me.