June 14, 2020
This blog is not the first to highlight the fact that tomorrow, July 1, 2020, is the first day that California will begin enforcing the California Consumer Protection Act (CCPA). I’ve been writing about the general implications of the CCPA, how it affects organizations and how to prepare for it for two years. Today, on the eve of its enforcement, I want to highlight some potential gotchas: specific aspects of the CCPA that set it apart from the other privacy laws, including the GDPR, and that most companies are still ignoring.
The CCPA took effect on January 1, 2020 but included a six-month delay in enforcement. One requirement of the law, which goes back to January 1, 2019, could catch many companies unaware.
Unlike the EU’s GDPR, the CCPA includes a surprising provision that requires a company to be able to “look-back” 12 months from the law’s effective date. This look-back requirement allows California citizens to demand to see (and demand the deletion of) any personal data stored by a company going back 12 months from the law’s effective date - i.e. January 1, 2019. However, because the law’s enforcement date was changed from January 1 to July 1, 2020, the 12-month look-back requirement is now potentially July 1, 2019. The CCPA regulatory authorities will have the final word on the look-back date. The California AG has not ruled on this issue yet so my assumption, in this blog, is that the look-back date is July 1, 2019.
The delay in the enforcement date means that tomorrow, July 1, 2020, companies must be prepared to find and report on specific consumer data they hold, how it's being used, and if it's been sold to third parties – going all the way back to July 1, 2019. Also, assuming the company is not required to keep it for regulatory or legal reasons, the data subject can demand its unrecoverable disposal.
What this means is that beginning on July 1, 2019 (12 months ago), companies should already have been managing consumer PII in such a way as to ensure it can be found, reported on, culled, and deleted quickly, if requested. The current requirement is that a business must respond to a consumer’s verified information request within 45 days (subject to extension under limited circumstances).
Because of this look-back provision, if a California citizen requests to see their personal data tomorrow, July 1, 2020, the company will need to be able to produce a report on all data-subject PII of that citizen that they hold or have sold, dating back to July 1, 2019.
As a result of the CCPA, companies should already be managing their PII much more granularly with the highest possible security protections. The CCPA, GDPR, and all emerging privacy laws will make information management an absolute necessity and one that, if not done correctly, will drive up the cost of doing business.
My concern is that many companies may not be prepared to meet this requirement, raising the possibility of significant fines, data-subject lawsuits, brand devaluing, and shareholder lawsuits.
Another CCPA provision that companies may not be aware of is that of “presumed damages.” The theory of presumed damages is that possible (but not proven) damages from an act (in the case of the CCPA, a data breach) do not require proof of injury or harm. The mere fact that a breach occurred and the data subject's data “could have been accessed” triggers presumed damages - damages that are presumed as a matter of the law.
The first major privacy regulation, the GDPR, did not include the idea of presumed damages. It alludes to the need to show that damages actually occurred. Here’s an excerpt from Article 82 of the GDPR:
“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”
Unlike the CCPA, under the GDPR, for a data-subject to collect money, they must show that damages were suffered. However, this does not mean that data controllers/data processors are off the hook. If data has been mishandled or not secured appropriately, it can trigger potentially huge fines by the GDPR authorities – which will not necessarily benefit the individual data-subjects. For the GDPR, security technology must be “fit to the purpose” and have been rolled out properly and be used correctly.
Given that the presumed damages clause of the CCPA focuses on the impact of data breaches, I recommend that organizations ensure they have solutions in place that make the PII of individual citizens unusable in the event that a breach occurs.
Done correctly, data encryption, and specifically PII encryption, can protect companies from the potential fines and other losses associated with data breaches. What’s required is encryption that converts or encodes data into an unintelligible/unusable format in such a way that only authorized parties (with the correct encryption key) can view it.
Both the CCPA and GDPR include breach notification requirements, which are very costly obligations for companies. However, because encryption, as set out above, renders information unusable to individuals without a valid encryption key, encryption processes for PII can be extremely beneficial to your organization in mitigating risk and costs. Specifically, by encrypting data before storage in the cloud, you would not need to comply with the breach notification requirement. With the right encryption, even if an information system is breached, as long as the data is unintelligible to the hacker and the encryption keys are not available (because they’re stored onsite), the breach notification requirement is not triggered.
Note: assuming the encryption keys are maintained separately from the data, PII encryption of data while at rest, in transit, and while in use, is highly recommended in both the GDPR and CCPA. PII encryption could also have a beneficial effect on the cost of your company’s cyber-liability insurance.
If you’re reading this and your company has yet to take any appropriate action to prepare for CCPA, you may be asking yourself if it’s too late. My answer: Not really - it’s never too late to start. Kicking off a project to begin getting better control of your company’s PII is always a good insurance policy against punitive fines. However, you should not delay. Documented intent and actions to comply could go a long way in the eyes of the California Attorney General.
Some CIOs I have spoken with have initially taken the attitude that they don’t need to worry about the CCPA because the chances of a California citizen asking about their PI from a small company in another state or country are particularly low. This is a bad idea. While the chances may be low, they are not zero. CCPA preparation can also provide distinct information and security benefits for companies beyond that of CCPA risk reduction.
The following prerequisites can help your company get ahead of privacy requirements to help bring your company into compliance.
Data mapping – knowing where all your company’s PII is stored is an absolute requirement. Creating an enterprise map of all data repositories, including all cloud repositories, and if they include PII, can help in getting better control of your company’s data. This also means that PII should NEVER be allowed to reside on end-user equipment, ever.
Access controls – controlling who has access to PII in your organization and what they can do with it.
Activity control – controls and limits on how the data can be moved and used, i.e., never letting PII be copied by an unauthorized individual and never allowing it to be copied/stored to a removable device or individual workstation/laptop.
Audit reporting – actively tracking who accessed PII, when, and what they did with it.
Enterprise security – providing the technology and processes that protect against unauthorized access into the enterprise and data repositories.
Data security/encryption – securing PII appropriately is the most basic requirement of both the CCPA and GDPR laws. As I mentioned previously, encryption of PII at rest, in transit, and in use (with the storage of the encryption keys away from the encrypted data) can immediately reduce your potential liability if a system breach does happen.
The CCPA will not begin enforcement until tomorrow, so there have not been any fines levied yet. But using history as a guidepost, let's review what happened with GDPR enforcement.
The GDPR came into effect in May 2018. In the second half of 2018, there was one significant fine (a fine over €100,000) with a total of €400,000 in that first year. To date, there has been a total of €497 million in fines. This points out the problem with relying on a strategy of being too small and overlooked. Don’t forget, end-user complaints drive these cases and fines, so just because your company is small does not mean a data-subject will not target you.
Starting and documenting your actions to become CCPA compliant, even now, will offer your company some protections, but driving to complete compliance is the surest way to reduce your risk.
To find out how Archive360 can help you meet the compliance requirements for the CCPA, including effective information management, PII anonymization/masking, and appropriate encryption and key management, contact us today.
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.