On January 1, 2020, the California Consumer Privacy Act (CCPA) takes effect, and most companies are not ready to deal with its impact on their businesses. This is largely because it has been poorly rolled out and under-publicized by the State and the media. Many companies do not believe it applies to them, either because they are too small, because they don’t deal with consumers, or because they don’t sell online. The California Attorney General’s office has issued a report estimating that 75% of companies doing business in the State will need to comply. That includes all companies with revenues greater than $25 million and 50-75% of those with revenues below $25 million. The term “consumer” is a misnomer. While consumers are the focus of the regulation, it is better to think in terms of individuals and their data, wherever they are, including your employees. Compliance for this last group has been given a partial exemption until 2021, but it does illustrate the scope of this law.
The penalties for non-compliance are severe and have the potential to put a company out of business. Cybersecurity has been a hot topic for 20 years, but there are few laws in place. Generally, Data Breach Notification Laws are the only ones that broadly apply. Every state has one, and they are not all the same. In CA, a company must notify the State of any breach in which the non-encrypted data of more than 500 individuals has been compromised. While the costs to repair a breach are significant, lawsuits and damages have been much less so.
That all changes with CCPA. Starting in January 2020, any individual whose non-encrypted data is exposed in a breach may bring an individual or class action seeking $100-$750 per individual per incident, actual damages, or any other amount the court deems proper. This provision has been missing from other laws and gives plaintiffs’ attorneys added incentive to pursue legal action. If you are a small company with 50k people on your email list and get breached, you could be out $37.5 million before you even add the costs of fixing the problem. In 2018, it is estimated there were over 1,200 breaches in the USA, affecting 4.5 million records. So far in 2019, the CA Attorney General’s office has reported 350 breaches in CA under the notification law. It is clear that politicians are putting teeth into what they view as weak cyber risk responses by businesses.
So, what do they want? First, I would say that companies must have a comprehensive cybersecurity strategy. You cannot have a data breach without first having a cyber breach. The latter is usually managed through an MIS or IT function, while the former has impacts broadly across a company. California is not the first with a Data Privacy (DP) law. The gold standard for Data Privacy laws is the GDPR in Europe, but laws or proposals also exist in Washington, Nevada, New York, India, Brazil, Japan and more. These laws are coming, and if a company is not subject to one now, it will be soon. There are some common threads:
- Let individuals know what data has been collected on them and how it is used.
- Give them the right to manage or completely delete that data.
- The individual can exercise these rights without any impact on the price, availability or service they receive.
- Companies should reduce the amount of personal data they collect or store.
- Companies should secure all personal data through encryption or some similar method.
The first three are the focus of the laws. The last two points will greatly decrease your exposure if you do them. With a strong data deletion policy, a company can greatly reduce the amount of data it holds, and therefore its exposure. Similarly, a breach of encrypted data does not need to be reported, as the data is not considered to have been compromised.
CCPA is far too complex to be fully explored in this note but here are a few starting points.
- The first task in complying with any Data Privacy law is a Data Map. This map covers every way that data is collected, who has access to it, how it is routed, where it is processed and stored, and how it is used. Internally this may include sales, marketing, HR, shipping, accounting, MIS & IT and others. It will also include any outside vendors you use that have access to any of this data. Under CCPA you will need to train all of these people on the handling of this data.
- Vendor assessments or vendor audits are needed to check whether your vendors are ready to comply with their own requirements under CCPA. If a consumer asks you to change or delete their data, you must also notify your vendors to do the same.
- Most companies have a privacy policy available online that is effectively unreadable. CCPA now requires the addition of a Notification of Rights and a Notification of Collection (NOC). Both must be in plain English and in any other language you normally use to communicate with consumers, and both must be ADA accessible. This also applies to physical stores. Online, the NOC requires a link that says “Do not sell my personal information” on the first page where any data is collected, including cookies. This link starts the user notification process through which individuals manage their data. The definition of “sell” is still being debated. No link is required if you do not sell data, but the consumer’s rights remain intact regardless. If you do not sell data, Marketing may want to put “We do NOT sell PI” in its place, though this is not required. Some consumers may look for the link and view you as a higher risk if it is not there.
I started this note because of the number of conversations I was having with executives who had no idea of the scope of CCPA or their risks. I also heard stories from execs that they were getting resistance from their technology teams, saying they could do it all or even that they didn’t need to. The scope of CCPA is beyond most departmental teams. A large company may have a Data Privacy Officer to manage these processes and oversee all cybersecurity, but for the SMB business it will likely land on senior management.
This note has barely touched the requirements under CCPA. Some of the issues still being worked out include verifying individual requests and handling the data of minors. The law will also affect many customer loyalty programs, and questions about “Bring your own device” policies have been raised. Cybersecurity risk assessments are now common in the due diligence for mergers and acquisitions, and Data Privacy audits are now common in Europe for M&A. Compliance risks have long tails in M&A, and regardless of whether you are a buyer or a seller, cybersecurity, CCPA and other data privacy risks could affect a deal.
I am not a lawyer. These viewpoints are from practical experience with these laws, as a consultant on strategic issues and as an interim President and COO. I took a deep dive into the topic because of the conflicting interpretations of CCPA and GDPR I was getting from lawyers and technology people. I also realized that their advice highly segmented the issues. It did not capture the full range of cyber issues companies were facing, their interaction and the breadth of their implications. There are still many areas of CCPA that will change through regulation or interpretation. The final regulations under CCPA are not expected until Spring 2020, but the law takes effect January 1, 2020. In CA, the original CCPA author is already starting a campaign to toughen the law and you can expect more laws in more states. It is time to pay attention to data privacy and protect your company and your customers.