California’s recent passage of the California Consumer Privacy Act of 2018 places the world’s fifth-largest economy under European-style data protection rules. Given the new law, US businesses that were previously hesitant to implement GDPR controls are now reconsidering their position.
Luckily, the GDPR and the California Consumer Privacy Act (CCPA or CaCPA) share some similarities. Both provide for consumer-facing privacy notices, data access rights, and data portability. As businesses automate their GDPR compliance processes, they should reuse those same processes under the CaCPA to save significant time and expense.
Below, we have listed five common operational steps that all businesses should take in their GDPR and CaCPA privacy compliance programs:
1. Conduct a Data Inventory
Both the GDPR and CaCPA expand the definition of personal data beyond what is generally considered “personally identifiable information” under prior California state law.
Under the CaCPA, personal information is defined to include any data that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” In addition to familiar identifiers, like name and email, this extends to internet browsing histories and inferences drawn from such information, among other data. The GDPR’s definition of personal data is even more expansive, and covers any information “relating to an identified or identifiable natural person.”
To even begin to comply with the GDPR’s and CaCPA’s requirements, businesses will need to inventory their data processing operations to locate where personal data is stored and shared across systems. At the start, this data inventory or data map need not be complicated and can begin as a simple spreadsheet of processing activities: for each activity, record the categories of data, the purpose of the processing, the legal basis (for the GDPR), the systems and third parties that hold or receive the data, and the retention period. Those same columns feed the privacy notice, the handling of data subject requests, and the scoping of a breach discussed below. An example of a data inventory, endorsed by the UK’s Information Commissioner’s Office (ICO), is available on the ICO website.
2. Draft Transparent Privacy Notices
The GDPR requires specific disclosures in a customer-facing privacy notice or policy at the time personal data is collected from customers (Article 13). Similarly, the CaCPA governs customer-facing privacy notices, and supplements California’s previous laws in this area (CalOPPA and Shine the Light).
Some of the main disclosure requirements under the GDPR and the CaCPA/CalOPPA are listed below. These requirements share numerous similarities concerning the business’s use and sharing of personal data. In light of these similarities, businesses should draft their California and EU-facing policies in tandem:
CaCPA (and CalOPPA)
• A description of a consumer’s rights under the CaCPA, including the contact details to exercise these rights
• A list of the categories of personal information the business has collected about consumers in the preceding 12 months
• A list of the categories of personal information the business has sold about consumers in the preceding 12 months
• A list of the categories of personal information the business has disclosed about consumers for a business purpose in the preceding 12 months
CalOPPA (for websites and other online services)
• Categories of personally identifiable information collected through the site or service about users or visitors
• Categories of third parties with whom the operator may share the personally identifiable information
• Description of the process for a user or visitor to review and request changes to his or her personally identifiable information collected through the site or service, if the operator maintains such a process
• Description of the process for notifying users and visitors of material changes to the privacy policy
• The operator’s response to a browser “Do Not Track” signal or similar mechanism
• The possible presence of other parties conducting online tracking on the operator’s site or service
GDPR (Articles 13 and 14)
• The identity and the contact details of the data controller and, where applicable, of the controller’s representative and data protection officer
• The purposes for processing personal data and the legal basis for the processing
• The legitimate interests pursued by the controller or by a third party, where legitimate interest is the legal basis for the processing
• The recipients or categories of recipients of the personal data
• Transfers of data to a third country or international organization, and whether the European Commission has found that country’s or organization’s privacy measures adequate (or what other safeguards apply)
• The period for which personal data is stored, or the criteria used to determine that period
• A description of data subjects’ rights
• Whether providing the data is a statutory or contractual requirement, and the consequences of not providing it
• The existence of automated decision-making, including profiling
3. Develop the Operational and Technical Capacity to Respond to Data Subject Requests
These privacy laws also expand consumer rights dramatically. Both the GDPR and CaCPA provide consumers with the right to request and access a copy of their personal information. The CaCPA also includes a limited right to data portability, which mimics the GDPR’s expansive right to transfer personal data from one entity to another. (See Section 1798.130: “The information may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit this information to another entity without hindrance.”)
Furthermore, the CaCPA gives consumers the right to have a business delete the personal information it has collected from them, and the right to opt out of sales of their personal data to third parties. These rights resemble the GDPR’s right to erasure (the “right to be forgotten”) and its rights to restrict or object to processing.
For all of the rights discussed above, the GDPR and CaCPA set short response deadlines: one month under the GDPR (extendable by two further months for complex or numerous requests, provided the requester is told within the first month) and 45 days under the CaCPA (extendable once by a further 45 days when reasonably necessary, with notice to the consumer within the first 45 days).
Though the GDPR grants consumer rights beyond those in the CaCPA, businesses have to build similar timelines to assess and respond to consumer requests under both statutes. Both regimes also expect the business to verify the identity of the requester before releasing or deleting data (the CaCPA speaks of a “verifiable consumer request”, and GDPR Article 12(6) lets a controller ask for additional information to confirm identity), which matters because an access request is otherwise an easy way for an attacker to extract someone else’s data. In addition, businesses under both regimes will have to educate customer-facing staff on handling and/or redirecting customer inquiries.
Thus, if a business is already streamlining its responses to GDPR data subject requests, it would be prudent to use those same processes for California requests.
4. Create an Internal Security Policy
Businesses are expected to implement reasonable security measures to protect personal data under both the GDPR and CaCPA. Neither of these two privacy regimes explain what constitutes “reasonable” security, nor do they set out specific technical requirements for businesses to follow.
Instead, each law discusses a risk-based approach to security. The CaCPA requires “reasonable security procedures and practices appropriate to the nature of the information protected.” Similarly, the GDPR requires “appropriate technical and organizational measures” while considering the nature of the processing “as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing.”
In light of this vague, subjective language, it is up to businesses to develop their own internal security policies. These policies should draw on industry security standards such as the NIST Cybersecurity Framework, ISO/IEC 27001, or the SOC 2 trust services criteria, but should be tailored to the business’s specific data risks. By explaining why the business chose certain security measures, and documenting the good-faith steps it will take to maintain them, an internal security policy gives courts and regulatory authorities evidence that “reasonable” security measures exist. The policy is most defensible when each control can be traced back to a risk identified in the data inventory from step 1; a control with no documented reason is hard to defend as “appropriate to the nature of the information.”
5. Incident Response Plan
Finally, it’s time to brush up those incident response plans. The CaCPA creates a private right of action for consumers whose personal information is breached, and the GDPR (Article 82) gives data subjects a right to compensation for damage caused by any infringement, which includes a breach. Businesses are incentivized to respond quickly under both regimes, or risk severe penalties for noncompliance.
For example, the CaCPA allows any consumer whose “nonencrypted or nonredacted personal information” is breached as a result of the business’s failure to implement reasonable security to sue for statutory damages of between $100 and $750 per consumer per incident (or actual damages, if greater). The CaCPA provides a 30-day right to cure, however, which suggests that immediate mitigation of a data breach may protect businesses from expensive lawsuits. Two practical points follow from the statutory wording: the “nonencrypted” carve-out makes encryption at rest the cheapest way to take data out of scope, but it only helps if the keys were not exposed alongside the data (California’s breach notification statute, Civil Code Section 1798.82, already treats encrypted data as breached where the encryption key or security credential was also acquired); and the “reasonable security” trigger is why the documented security policy from step 4 matters in litigation.
As for the GDPR, controllers have a 72-hour deadline, running from when they become aware of the breach, to notify the supervisory authority, unless “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.” Under Recital 85, and under Article 34(3) for notices to the affected individuals, this risk is assessed in light of the immediate, remedial steps taken to protect the data, for example where the affected data was encrypted and the key remains secure. As a result, immediate mitigation of a potential data breach may relieve a business of its notification obligations, and the subsequent regulatory scrutiny. Note that every breach, notified or not, must still be recorded internally under Article 33(5), with its facts, its effects, and the remedial action taken.
Consequently, businesses should revise their incident response plans under both regimes, to ensure quick assessment and mitigation of security incidents and to record the timing of each step, since both the 72-hour clock and the 30-day cure period are measured from specific events.
Though the GDPR and CaCPA each consist of a complex web of rules, it is possible to find commonalities between these two sets of laws. By considering both GDPR and CaCPA in the operational steps above, businesses can consolidate their efforts and minimize costs across jurisdictions.