June 4, 2019
The Storm You Can’t Ignore in Planning for CCPA Compliance
Posted by Pippa Akem
A Quick Glance at Recent Privacy Regulations
Companies are taking notice of the bevy of new regulations that establish new privacy obligations and grant consumers greater insight into and control over personal information that is collected on them and who can access it.
First was the European Union’s General Data Protection Regulation (GDPR), which went into effect in May 2018 and monumentally changed how companies process and share the personal data of EU consumers and profile their online activity. In the same year, California enacted the California Consumer Privacy Act (CCPA), which gives additional privacy rights to California residents and impacts businesses serving or providing services to them and accessing their personal information.
Below is an analysis of the CCPA statutory fines and their implications for businesses.
Entities Within the Scope of the CCPA
The CCPA goes into effect on January 1, 2020. Entities must comply with the new law if they:
- Are for-profit;
- Have annual gross revenue exceeding $25 million;
- Annually receive/buy/sell/share the personal information of 50,000 or more California consumers, households, or devices; or
- Derive 50% or more revenue from the sale of personal information sourced from California consumers.
What Fines and Penalties Could Mean for Your Business
Much has been written and said about the set of new rights the CCPA triggers for California consumers, among them rights to access, delete and opt out of the sale of their personal information. Setting this aside, one could make a case that information security presents an even greater risk exposure.
Why? Because it can potentially lead to substantial statutory fines and penalties for breaches or noncompliance that results in measured loss to a California consumer. An entity could find itself dealing with legal costs and fines from a private action brought by an aggrieved consumer, and also a proceeding initiated by the state attorney general.
Unintentional Fines: Consumer Action
For the first time, a private right of action can be maintained by a consumer if companies fail to implement more robust data-handling practices for data that should be encrypted or redacted, but isn’t (e.g. unauthorized access to unencrypted personal information, or theft or disclosure due to lack of effective access controls). A company unable to manage these risks — to implement and maintain reasonable security procedures and practices — could find themselves subject to penalties of $100 to $750 per consumer per offense (violation), plus additional actual damages, and injunctive relief could follow.
30-Day Cure Period
The new law allows for a 30-day cure period following a complaint filed with the state attorney general, the details of which is covered in the statute. Keep in mind that the grace period is effective for a consumer seeking only statutory damages. Thus, following the filing of the complaint with the state attorney general, a company must address/cure issues identified in the complaint to stall further action by the consumer or state attorney general. However, it is worth noting that the law allows a consumer to recover for actual damages, bypassing the written notice process.
Intentional Fines – State Attorney General Action
In addition to the private consumer action, the state attorney general may impose fines up to $7,500 per intentional violation.
Key Points to Consider
Keep the following issues in mind when you consider the CCPA’s implications for your organization.
Worrying Point #1: For the purposes of calculating the CCPA levies, there remains to be clear guidance on how we interpret “per violation.” Should “per violation” refer to a single breach incident, or a series of occurrences forming part of a single reported privacy incident?
Worrying Point #2: Companies could potentially face extremely high penalties per offense (violation) under the separate actions pursued by a consumer and the state attorney general. This should also be measured against the number of people impacted.
Worrying Point #3: Also related to the violation issue is the fact that companies must contend with ambiguity in defining what “reasonable” security is or should mean when evaluating procedures and practices. Some guidance is given outside the statute (industry frameworks – e.g. NIST, ISO 27001 series) and the state attorney general has endorsed some security frameworks (see the 2014 Cybersecurity in the Golden State report).
Roadmap to Compliance
Begin your compliance efforts by documenting the data that lives in your environment. Know the data your company collects, uses, discloses or shares with third parties and sells to/buys from third parties.
Next, make sure you complete a full review of your business processes and data strategies. You will need to maintain the accuracy of your privacy policies and notices, test the current mechanism or solution in place to respond to consumer requests/complaints, embed privacy into your day-to-day operations, update your training and awareness initiatives, and watch for emerging risks.
If you are struggling or doubtful about your controls and require support for managing your privacy risks, Armanino’s Risk Assurance & Advisory team can help. We offer a full range of services, including gap assessments and process development, program enhancement, privacy risk management, technology solutions, and ongoing managed services support.