Data Privacy – California Style
Are you all settled in with GDPR and NYDFS? Got all that compliance handled so you think you can relax? Or, maybe you discovered that your business is exempt from GDPR and you serve no customers in New York, so now you think you are clear of big brother and his friends.
A couple of years ago, the great state of California (aka my former native land) signed into law a very restrictive data privacy regulation called the California Consumer Privacy Act (CCPA), the first United States law that follows directly in the footsteps of GDPR. Those of you who don’t have a business in the state had better pay attention, because companies both inside and outside of California will be affected by its requirements. And it is sure to be a harbinger of similar regulations that will roll into law in every state in the union by 2023.
A Brief History of Laws Leading to CCPA
If you doubt this, just consider the amount of revenue a state could earn in fines for violations and non-compliance. It is essentially free money and no state government is about to pass that up. Following the lead of the NYDFS, in October 2017 the NAIC adopted its Insurance Data Security Model Law (NAIC Model) to establish insurance industry standards for data security, and for the investigation of and fines related to cybersecurity events. On May 3, 2018, South Carolina became the first state in the nation to adopt a comprehensive cybersecurity statute for the insurance industry, by signing into law the South Carolina Insurance Data Security Act (H4655) based on the NAIC Model, which became effective January 1, 2019.
This has been followed by similar legislation in Rhode Island, Colorado, Vermont and Massachusetts leading to California’s creation of the broad-reaching CCPA.
The CCPA requirements officially went into effect Jan. 1, 2020, and extend privacy protections and rights to all California residents, who are defined as all natural persons “enjoying the benefit and protection of laws and government” of California who are in California “for other than a temporary or transitory purpose” or “domiciled” in California but “outside the State for a temporary or transitory purpose.”
The CCPA specifically applies to “for-profit” entities that a) collect and process the Personal Information of California residents and b) do business in the state of California. But, not having a physical presence in California does not excuse mandatory compliance as it is sufficient that a business simply sells a product or service within the state.
The good news for smaller “for-profit” companies is that if you generate less than $25 million in revenue annually, you are exempt. In addition, you are also exempt if you process PII for fewer than 50,000 California residents per year, or if you derive less than 50% of your annual revenue through the sale of this data. These conditions are “or” not “and”, so any “for-profit” business that does not meet any one of these criteria is exempt.
All “non-profit” businesses are exempt as well.
What is PII?
Interestingly, the California definition of “personal information” is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Examples include Social Security numbers, drivers’ license numbers and purchase histories, and “unique personal identifiers” like IP addresses and any online tracking technologies invented or not. The term “household” is new and different from any other data privacy laws on the books including GDPR and essentially leapfrogs the need for information to be associated with a specific name or individual.
The broad interpretation of that clause would mean that the personal information of anyone living at a certain address is protected, thus making it much more challenging for current information systems to comply without significant modification. It also means full utilization for every data privacy law practice in the country, including those not yet formed.
Any publicly available personal information is excluded, which includes data that is lawfully made available from federal, state or local government records. But government or publicly available biometric information collected without the person’s knowledge, and personal information used for a purpose different from the one for which the information was originally obtained, are included. One more exclusion: Any aggregated or de-identified data, including medical or health information collected by a person or entity governed either by California’s Confidentiality of Medical Information Act (CMIA) or HIPAA.
De-identification is the process used to prevent a person’s identity from being connected with information. For example, data produced during human subject research might be de-identified to preserve research participants’ privacy.
When applied to metadata or general data about identification, the process is also known as data anonymization. Common strategies include deleting or masking personal identifiers, such as name and social security number, and suppressing or generalizing quasi-identifiers, such as date of birth and zip code.
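The strategies named above, as an added example that is not part of the original article: direct identifiers are deleted, date of birth and ZIP code are generalized, and rows that remain unique on the generalized fields are suppressed. The field names, the sample records and the group-size threshold `k` are assumptions made for illustration; the group-size check (k-anonymity) goes one step beyond what the article describes.

```python
from collections import Counter

DIRECT_IDENTIFIERS = {"name", "ssn"}        # deleted outright
QUASI_IDENTIFIERS = ("birth_year", "zip3")  # generalized, then checked for uniqueness

# Constructed sample records; every value is made up for illustration.
RECORDS = [
    {"name": "A. Lee", "ssn": "000-00-0001", "dob": "1984-03-12", "zip": "95814", "purchase": "laptop"},
    {"name": "B. Cruz", "ssn": "000-00-0002", "dob": "1984-11-02", "zip": "95816", "purchase": "phone"},
    {"name": "C. Shah", "ssn": "000-00-0003", "dob": "1990-07-21", "zip": "94105", "purchase": "camera"},
    {"name": "D. Kim", "ssn": "000-00-0004", "dob": "1990-01-05", "zip": "94107", "purchase": "tablet"},
    {"name": "E. Ortiz", "ssn": "000-00-0005", "dob": "1962-09-30", "zip": "90210", "purchase": "router"},
]


def generalize(record):
    """Delete direct identifiers and coarsen the quasi-identifiers."""
    dropped = DIRECT_IDENTIFIERS | {"dob", "zip"}
    out = {k: v for k, v in record.items() if k not in dropped}
    out["birth_year"] = record["dob"][:4]   # full date of birth -> year only
    out["zip3"] = record["zip"][:3] + "**"  # 5-digit ZIP -> 3-digit prefix
    return out


def quasi_key(row):
    """The combination of quasi-identifiers an outsider could link on."""
    return tuple(row[q] for q in QUASI_IDENTIFIERS)


def deidentify(records, k=2):
    """Return (released_rows, suppressed_count).

    A row is released only if at least k rows share its generalized
    quasi-identifier combination; the rest are suppressed because they
    would still single out one person (or one household).
    """
    rows = [generalize(r) for r in records]
    sizes = Counter(quasi_key(row) for row in rows)
    released = [row for row in rows if sizes[quasi_key(row)] >= k]
    return released, len(rows) - len(released)


if __name__ == "__main__":
    released, suppressed = deidentify(RECORDS, k=2)
    for row in released:
        print(row)
    print("suppressed:", suppressed)
```

With `k=2` the record that is alone in its birth-year and ZIP-prefix group is withheld even though its name and Social Security number were already removed, which is why deleting direct identifiers alone is not sufficient.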
So, for the average California citizen concerned about data privacy, the good news is that the CCPA provides better control over the use of their personal information.
For example, a business must now notify consumers what PII is being collected from them, how that PII is being collected and used, and whether and to whom it is being disclosed or sold. These disclosures need to be done through a public posting, and whenever requested by the affected consumer.
Easy, Simple and Straightforward
In addition, businesses must provide an easy, simple and straightforward process for consumers to opt out of having their PII sold to a third party, and ‘easy and simple’ does not mean model language like that found in everyone’s ToU. In fact, ‘easy and simple’ means instead that a business must actually post a “Do Not Sell My Personal Information” link on its homepage. People under the age of 16 must affirmatively opt in to allow their PII to be sold, and if a person is under the age of 13, the business must first receive the consent of a parent or guardian.
If a California resident wants to remove PII, the law insists that businesses must accommodate the request and proactively inform their PII owners that they have this right. This removal extends to third-party contractors with whom the business may have shared that PII, and the onus falls squarely on the original business owners to ensure that the PII has been removed. There are, in fact, a few minor exemptions, but the bulk of the regulation applies to most.
And it is against the law for a business to discriminate against consumers who exercise their rights under the CCPA; the business can only raise its transaction rates with such a consumer or provide a different level of service if “that difference is reasonably related to the value provided to the consumer by the consumer’s data”, whatever that may mean.
As you can see, increased disclosure will become a huge part of compliance, and businesses affected will need to proactively explain privacy notices when PII is collected, which includes explaining the privacy rights, the categories of PII collected, the ways that the PII is used, and even the categories of PII that the business has sold to third parties in the past 12 months.
In addition, these disclosures must be updated annually. Failure to do any and all results in heavy fines.
Right to Sue for Violations
Now if you don’t think the class-action lawyers are trembling with anticipation, here’s the bombshell: This CCPA law provides consumers a private right of action (individual or class-action lawsuits) if their personal information “is subject to an unauthorized access and exfiltration, theft or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices.” This privilege carries with it a recovery fee of between $100 and $750 per incident or the actual damages themselves if they can be identified and documented. In addition, it provides individuals whose PII has been violated with the ability to seek injunctive relief and lays out stiff fines for companies found to be guilty.
Any failure to comply within 30 days of discovery results in fines of $2,500 per violation and $7,500 per intentional violation. 30 days is a virtually impossible time frame to recover from a breach regardless of how great one’s IRR plan might be. Let’s do some math. Say, a company is breached and the PII records of only 10,000 people are exposed. At the low end, the fine would amount to $1,000,000.
Case Study in CCPA Accountability
To make it real, in February of 2018, an anonymous attacker seized two databases owned and operated by The Sacramento Bee, a daily newspaper published in Sacramento, California. One of those IT assets contained California voter registration data provided by California’s Secretary of State, while the other stored contact information for subscribers to the newspaper. Upon hijacking those resources, the attacker demanded a ransom fee in exchange for regaining access to the data. The newspaper refused and deleted the databases to prevent additional attacks from leveraging them in the future.
According to The Sacramento Bee, the hack exposed 53,000 subscribers’ information along with the personal data of 19.4 million California voters. So, even if the Bee could successfully argue that the voter information was publicly available and thus exempt, avoiding a $2 Billion fine, the 53,000 subscriber records lost forever would, at the low end of the range, cost the Bee $5,300,000.
Whether it’s 2 Billion or 5.3 Million, one would think that this kind of money would buy a lot of breach detection and prevention.
Incentive for CISOs to Take Charge
Perhaps now, companies will finally begin to do even the fundamental things required to protect their data assets from theft. As it is, California businesses are still trying to create information systems to map, track and report on these new forms of PII, create complying privacy notices, policies and procedures, and update their websites accordingly.
Armed with the CCPA, CISOs and CIOs should have all the ammunition needed to mount a campaign to get the process, people and technology in place to prevent future breaches. On the other hand, if we keep failing to take care of business ourselves, big government will continue to move into our houses with more draconian regulatory burdens that no business can afford. It remains up to us to act.
As always, money talks and the other thing walks.