The California Consumer Privacy Act (CCPA) took effect on January 1, 2020, and the Attorney General's enforcement of it began only this month, on July 1, 2020. Privacy advocates are already seeking to build on the CCPA's protections and further extend consumer privacy rights.
Californians for Consumer Privacy (CCP), the advocacy group that championed the CCPA, has its sights set on a new set of rules known as the California Privacy Rights and Enforcement Act (CPRA). CPRA is still only a ballot initiative; the group collected over 900,000 signatures to qualify it for the November 2020 ballot.
According to CCP, nine in 10 Californians would vote for a ballot measure expanding privacy protections for consumers' personal information. If CPRA passes in November, it takes effect on January 1, 2023.
Karen Schuler, a Practice Leader at BDO’s Governance, Risk & Compliance National Practice and Principal at BDO Digital, spoke to Card Not Present about what merchants need to know about the possible passage of this legislation.
Could you briefly outline the new data privacy law (CPRA) that California has added to the November ballot? What are the stated goals of the law if passed?
Schuler: The California Privacy Rights and Enforcement Act of 2020 (CPRA) is set for the November 3, 2020, ballot. CPRA would not only provide broader rights to Californians, it would also do the following: establish the California Privacy Protection Agency to handle enforcement independently of the California Attorney General’s office; add a right of correction for consumers; provide an expanded right to know and to opt-out; and provide additional rights for ‘sensitive personal information’. Additionally, this new law would extend the current January 1, 2021, business-to-business and employee data exceptions to January 1, 2023. Finally, this new law, if passed, would become effective January 1, 2023, and it likely would not impact information a business collects before January 1, 2022.
Will it work in tandem with CCPA? Or enhance it in some way? In other words, why isn't CCPA enough?
Schuler: The California Consumer Privacy Act (CCPA) is viewed as a first step in protecting the rights of California residents. Privacy advocates fought to enhance CCPA by introducing CPRA to further protect against the sale of sensitive personal information and children’s data, and to establish an independent enforcement arm to increase transparency and to give consumers back control over their data.
For merchants that collect data, already stressed by CCPA compliance, what might the implications and challenges of this new law be?
Schuler: There are multiple challenges that merchants already face. Typically, they are not only dealing with CCPA compliance, but they are also faced with a global market that specifically impacts their obligations in the EU, Canada and other regions such as Brazil, where further regulations are pending. Merchants that operate in regions outside of the United States, and specifically outside California, may be able to apply practices and policies that were previously instituted as a result of the EU's General Data Protection Regulation (GDPR). However, merchants that primarily operate in the United States and heavily service California will be required to institute privacy programs that allow for the following:
- Enhanced individual rights or consumer rights response programs, including but not limited to the ability to locate, catalog, redact and then produce records within a stated amount of time;
- Ability to erase records that no longer have a legitimate need for business, legal or tax purposes;
- Managing children’s data in a segregated manner, such as data handling practices that are commonly used for Controlled Unclassified Information (CUI) or commonly used when handling data related to International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR). In those cases, data must be protected and segregated in separate environments that are costly and require great lengths to manage in accordance with these regulations;
- The term “sold or shared” is much broader than within the confines of CCPA and, as a whole, the definition changes so that sharing personal data with a service provider will be more narrowly addressed by the new definition of a third party. Ultimately, Data Protection Agreements, similar to those required by GDPR, will require contract updates and new provisions in privacy policies;
- Consent will be required in certain situations where it was not previously required under CCPA;
- Sensitive personal information will be defined and requires disclosures, opt-outs and purpose limitations, whereas CCPA did not contain a separate provision for sensitive personal information;
- Automated decision-making was not previously addressed under CCPA, but CPRA introduces the concept of ‘profiling’. It calls for regulations requiring business responses to consumer requests for information to contain meaningful information about the logic involved in profiling decisions. This alone could be costly, and businesses may be faced with unveiling IP and trade secrets;
- Previously the CCPA did not address consumers’ rights to correct information whereas the CPRA gives consumers the ability to correct inaccurate information;
- Opt-out functionality has been added to the CPRA that restricts targeted marketing. I could see that impacting merchants on multiple levels, especially those that aggregate such data to promote sales or specials to their loyalty members;
- The CCPA did not contain requirements around data retention, but the CPRA requires a business to disclose when they collect the data, as well as how long they intend to retain each category of personal information (and sensitive information) or, if that is not possible, then the criteria used to determine the retention length must be disclosed and businesses can no longer retain personal information for longer than is reasonably necessary for the disclosed period;
- The California Privacy Protection Agency would have a broad scope of responsibilities and enforcement power, such as bringing actions against companies for security breaches and violating children's rights. Fines for violations involving children's personal data will be tripled;
- And, finally, GDPR language is now included to ensure that companies minimize data, propose limitations on data collected and that there is a duty to avoid secondary use of data.
Should companies start to prepare for this new law, even though it has not been passed? If yes, why?
Schuler: Companies should have already prepared to become compliant with the CCPA. However, if they have not implemented privacy programs to address CCPA, then yes, they should certainly start to prepare. Privacy regulations – not only in California – have become commonplace and will continue to be on the rise. In general, C-suite executives are focused on data privacy regulation compliance as well. BDO’s 2020 Digital Transformation Survey found that 95 percent of respondents have either already begun providing training for employees in data privacy or planned to in the next 12 months. Respondents are also planning on or already in the process of revising privacy policies and processes (89 percent), updating privacy disclosures (87 percent), automating compliance processes (91 percent), performing readiness assessments (84 percent), performing data mapping exercises (86 percent) and reviewing third-party agreements (86 percent).
Steps that companies can take should include exercises that identify sources of personal data, and they should leverage existing tools inherent within Microsoft, Amazon and other suites. These tools provide the ability to scan a network to identify dark data to highlight where personal information, health information, credit card information and other types of sensitive information exist. Additionally, companies should focus on revisiting their privacy policies and overall privacy and data protection programs.
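The dark-data scan described above can be prototyped before any commercial discovery tool is bought. The following is an added example written for this article, not code from BDO or from any vendor suite: it walks a directory of text files, flags e-mail addresses, US Social Security numbers and payment card numbers, validates card candidates with the Luhn check so that order numbers and similar digit runs are not reported, and records only a masked sample so the scan report does not itself become another copy of the personal data. The file names and contents are constructed sample data; the regular expressions and the masking rule are assumptions a real program would tune to its own environment.

```python
"""Dark-data scan: locate personal data in a file tree so it can be cataloged.

Added example (not from the article, BDO or any vendor). Sample files below
are constructed for the demo; patterns and masking are assumptions.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Detector name -> pattern. Card candidates get a second (Luhn) check.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; rejects digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so the report is safe to circulate."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    category: str
    sample: str


def scan_text(path: str, text: str) -> list:
    """Run every detector over each line of one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for cat, pat in PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group(0)
                if cat == "card":
                    value = re.sub(r"[ -]", "", value)
                    if not luhn_ok(value):
                        continue  # looked like a PAN but fails Luhn: skip
                findings.append(Finding(path, lineno, cat, mask(value)))
    return findings


def scan_tree(root: str) -> list:
    """Walk a directory and return findings sorted by path, line, category."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                with open(full, encoding="utf-8", errors="ignore") as f:
                    findings.extend(scan_text(rel, f.read()))
            except OSError:
                continue  # unreadable file: leave it for a manual follow-up
    return sorted(findings, key=lambda f: (f.path, f.line, f.category))


def catalog(findings: list) -> dict:
    """Per-file view of which data categories exist (the 'where does PII live' map)."""
    out = {}
    for f in findings:
        out.setdefault(f.path, set()).add(f.category)
    return out


# Constructed sample files for the demo; 4111... is a well-known test PAN.
SAMPLE_FILES = {
    "exports/customers.csv": "id,email,notes\n1,jane@example.com,loyalty member\n2,bob@example.org,\n",
    "hr/onboarding.txt": "Employee SSN: 219-09-9999\nStart date 2020-07-01\n",
    "finance/orders.log": "order 4111111111111111 shipped\norder 1234567812345678 shipped\n",
    "readme.txt": "Nothing personal here.\n",
}


def demo() -> list:
    """Write the sample tree to a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as f:
                f.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The second order number in the log is a 16-digit value that fails the Luhn check, so it is dropped rather than reported; that distinction is what separates a usable inventory from a report full of noise. The masked samples are enough for an analyst to confirm a hit without the report reproducing the card number or SSN.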
How should companies, specifically merchants with an online e-commerce strategy, prepare?
Schuler: E-commerce merchants should follow a process that allows them to develop a holistic privacy and data protection program in a cyclical manner and not a linear one. In other words, develop a program that compares privacy and data protection obligations between regulations or laws, identify the most stringent requirement and adapt to that requirement. From an overall perspective, it is important for companies to conduct the following steps:
- Identify personal and sensitive data sources;
- Understand third parties that either access, use, purchase or manage each of those data sources;
- Revisit policies to meet compliance obligations;
- Once data is identified, determine how the organization will respond to consumer requests for a copy of their information;
- Ensure that Privacy by Design (a GDPR term) is adopted to ensure that sensitive data and children's data are handled in a special manner from the introduction of their data to the systems or processes;
- Conduct Privacy Impact Assessments (PIA) on all systems and processes to determine when a more detailed Data Protection Impact Assessment (DPIA) is required;
- Develop a training program for all employees and ensure that they are well versed in their data protection role;
- Ensure that sensitive data and children’s data are protected using anonymization, encryption and/or special storage locations so they are not intermingled with other data types;
- Limit access to personal data, especially sensitive data;
- Ensure that Acceptable Use Policies are updated accordingly;
- Improve upon existing data classification and records retention schedules to ensure that obligations are met;
- Update website privacy notices and audit those on a regular basis;
- Ensure that consent and opt-out functionality are enabled.
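Several of the steps above (keeping sensitive data out of the general data stores, limiting access to it, answering access and deletion requests, and enforcing a retention schedule) can be exercised together in a small model. The following is an added example written for this article, not code from BDO: customer records are split into an ordinary store and a separate vault for sensitive fields, both keyed by a keyed-hash pseudonym rather than the e-mail address, so analytics and marketing code can work on the store without ever touching the vault. A consumer request is served by recomputing the pseudonym from the identifier the consumer supplies. The field names, the set of fields treated as sensitive, the retention periods and the sample records are all assumptions for the demo; a real key would be held in a KMS or HSM, not in source.

```python
"""Segregating sensitive fields and serving consumer requests.

Added example (not from the article or BDO). Field names, retention periods,
the demo key and the sample records are assumptions.
"""
import hashlib
import hmac
from datetime import date, timedelta

IDENTIFIER = "email"                        # what a consumer supplies in a request
SENSITIVE = {"ssn", "health_note", "dob"}   # assumed 'sensitive' fields: vault only
RETENTION_DAYS = {"vault": 365, "store": 3 * 365}  # assumed retention schedule


def pseudonym(identifier: str, key: bytes) -> str:
    """Stable keyed pseudonym (HMAC-SHA256) so a leaked store cannot be
    reversed by hashing guessed e-mail addresses without the key."""
    mac = hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


class CustomerData:
    def __init__(self, key: bytes):
        self.key = key
        self.store = {}  # pseudonym -> ordinary fields (usable by analytics)
        self.vault = {}  # pseudonym -> sensitive fields (restricted access)

    def ingest(self, record: dict, collected_on: date) -> str:
        """Split one record; the identifier itself is not stored anywhere."""
        pid = pseudonym(record[IDENTIFIER], self.key)
        ordinary = {k: v for k, v in record.items()
                    if k not in SENSITIVE and k != IDENTIFIER}
        sensitive = {k: v for k, v in record.items() if k in SENSITIVE}
        self.store[pid] = {"fields": ordinary, "collected": collected_on}
        if sensitive:
            self.vault[pid] = {"fields": sensitive, "collected": collected_on}
        return pid

    def access_request(self, identifier: str):
        """Right to know: a copy of everything held, or None if nothing is."""
        pid = pseudonym(identifier, self.key)
        if pid not in self.store and pid not in self.vault:
            return None
        copy = dict(self.store.get(pid, {}).get("fields", {}))
        copy.update(self.vault.get(pid, {}).get("fields", {}))
        return copy

    def deletion_request(self, identifier: str) -> bool:
        """Right to delete across both locations; True if anything was removed."""
        pid = pseudonym(identifier, self.key)
        in_store = self.store.pop(pid, None) is not None
        in_vault = self.vault.pop(pid, None) is not None
        return in_store or in_vault

    def purge_expired(self, today: date) -> int:
        """Retention limit: drop entries held longer than their location allows."""
        removed = 0
        for name, bucket in (("store", self.store), ("vault", self.vault)):
            limit = timedelta(days=RETENTION_DAYS[name])
            expired = [p for p, e in bucket.items() if today - e["collected"] > limit]
            for pid in expired:
                del bucket[pid]
                removed += 1
        return removed


def demo() -> CustomerData:
    """Load two constructed sample records."""
    key = b"demo-only-key-rotate-in-production"  # assumption: real key lives in a KMS/HSM
    data = CustomerData(key)
    data.ingest({"email": "Jane@Example.com", "name": "Jane", "tier": "gold",
                 "ssn": "219-09-9999", "dob": "2008-03-04"}, date(2020, 1, 15))
    data.ingest({"email": "bob@example.org", "name": "Bob", "tier": "silver"},
                date(2018, 6, 1))
    return data


if __name__ == "__main__":
    d = demo()
    print(d.access_request("jane@example.com"))
    print("purged:", d.purge_expired(date(2021, 7, 15)))
    print("deleted:", d.deletion_request("jane@example.com"))
```

Because the pseudonym is derived from the normalised identifier, "Jane@Example.com" and "jane@example.com" resolve to the same record, which matters when a consumer's request does not match the capitalisation originally collected. The vault carries the shorter retention period, so the sensitive fields age out first while the ordinary loyalty data remains until its own limit.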