Report: Race on for CCPA compliance

By Michael McCaw | 2 December 2019

With the California Consumer Privacy Act (CCPA) going into effect on January 1, firms with activities in the world’s fifth largest economy are fighting against the clock to get their houses in order to comply with the requirements, according to lawyers and market participants.

“There’s so much to do and we’re running out of time to do it in,” says Steven Roosa, head of Norton Rose Fulbright’s digital analytics and technology assessment platform. “Companies are really angsty over this. There’s a genuine attempt at rigour but because of the amount of data it’s such a big challenge."

On the face of it, CCPA creates a number of new obligations for firms with more 50,000 clients or who derive more than 50 percent of their revenue from selling information. Those obligations include an updated privacy policy, personal information access and deletion procedures, an opt-out process that forces a business to stop selling a consumer’s data on, a prohibition on discriminating against those who invoke CCPA rights, and further data security requirements.

Although the law will come into effect from the beginning of January, final rules are not expected until spring next year with the Attorney General’s office saying it will enforce CCPA from July 1, 2020. The office has suggested it could backdate enforcement at the time, to the start of the year. In October, a draft of the rules were issued, containing new aspects to those released earlier with public comment open until December 6.

“The goalposts could move - which is quite a concern,” says Roosa, who says he has seen a number of different approaches to firms dealing with the rules.

Given the volume of data many firms have at their disposal, a huge amount of work has been involved.

“We’ve put in a significant effort, we’ve assembled a collaborative cross functional team involving security, legal, product and engineering, and compliance,” says Allison Amadia, general counsel, Personal Capital, an online financial advisor and personal wealth management company in Redwood City, California.

“Our methodology has been to build processes that are very nimble and flexible, being mindful that we’re still waiting for guidance from the Attorney General on a number of issues that could alter our understanding of what’s required – so we’ve needed to build in that flexibility,” she says.

After the gold rush

“Data is today’s gold,” says Xavier Becerra, California’s Attorney General. “Everyone is rushing to mine data and California as you know, is not unfamiliar with gold rushes. But there’s a big difference between 170 years ago when gold was being stripped from the land, to today when data is being stripped from you and your privacy. There’s a rush to mine, use and sell our personal information.”

By creating CCPA, the state has set itself to be a frontrunner in US consumer data protection. Even though rules have been discussed and are in place in Nevada and other states, California – a state that contributes significantly to national gross domestic product (GDP) – CCPA has meant others have been watching closely.

The CCPA contains requirements for the collection of data - before or at the point at which that collection is made - which should also include the business’s privacy policy. Should the rules remain unaltered after the comment period and into Spring 2020, a list of the categories of personal information must be provided as well as information as to whether each category is being used for business or commercial purposes – and a “do not sell my information” page, with the company’s privacy policy clearly stated. In that policy, firms must essentially include categories of sources from which information is being collected, the purposes upon which they are collecting them, and the third parties the business plans to share them with. The rules also contain instructions that businesses must facilitate a method for consumers to be able to opt out of the third party relationship. Businesses that engage with more than four million California-based consumers must be able to produce reports on this information for the previous calendar year as well as the median number of days it took them to respond to requests to know how the information is used and shared, deleted or opted out.

Among the preparations, authentication hurdles exist when requests for information are received, says Personal Capital’s Amadia.

“When we receive these data requests we need to make sure that the person asking for the data is actually the customer that we have a relationship with,” she says. “The processes and methodologies around authentication to respond to those requests are going to be very important. We need to strike a balance between CCPA requirements and ensuring it’s not a bad actor making an access request.”  

For Roosa, the complexities exist in making sure the data is easily accessible.

“On the one hand there’s a lot of effort to look at what’s going on in the back end in terms of internal databases and flows – similar to GDPR data mapping. But there’s also a very big emphasis on getting an inventory of what needs collected directly from the interfaces that consumers interact with the businesses through – websites and apps, etc. I think a lot of companies feel like they’re flying blind because although they might be very well acquainted with what’s going on with the back end in terms of the consumer facing data collection, there's also a lot to do on the front end,” he says.

“So much of that data collected by third parties is intermediated by the end users device. That makes it next to impossible for a company to guess or make a prediction about what that data is. Unless you test to see what’s actually being collected it’s like flying without radars."

According to Kaitlin Asrow, fintech policy advisor at the Federal Reserve Bank of San Francisco, the impact of CCPA across the fintech ecosystem will be varied, but work is required.

“For early stage fintechs without significant data infrastructure – ie in mapping what they’re collecting and being able to connect to consumers to comply with requests – they could still be building that out, or building their legal team. That could be challenging, especially if they want to get ahead of the curve, but then the law is tailored to focus on high risk cases so smaller firms will need to think really creatively about how they’re going to get up to speed like the larger incumbents who are prepared and how have been looking at GDPR already.”

Alchemists

Like any law of this nature, CCPA has gone through a number of iterations. Following hearings in August and September, lawmakers passed a number of amendments that while fundamentally leave consumer protection intact regarding the transparency of consumer data collection and dissemination, significant changes went through regarding key definitions and exemptions. Among the changes, CCPA will not cover the collection of information from business owners, directors, officers, medical staff, contractors, employees or job applicants until January 1, 2021.

The provision on employee data is one that needs thought out carefully, suggests Alastair Mactaggart, founder and chair of Californians for Consumer Privacy, an organisation that campaigned and worked on CCPA closely.

“If you’re an employee you have a certain expectation in regards to the firm,” he says. “If you’re a customer of Amazon you’re going to expect to be able to get or delete your data, but if you’re an employee of Amazon should you really be able to delete all your data, including your employee files, probably not. So it’s important to make that distinction.”

Federal states

For many firms working in California and with a presence elsewhere in the US, the rules mean complying with different regimes – an added layer of complexity, market participants and lawyers say. Pointing to multistate liquor and healthcare firms, Mactaggart says complying across states shouldn’t be an issue: “There’s a lot of whining from industry ‘oh we can’t possibly comply with fifty state laws’, and my point is it’s a convenient talking point... There’s nothing inherently impossible with complying with fifty state laws.”

Other states including Nevada, North Dakota, New York and Massachusetts are at different stages of implementing their own versions of CCPA, with some suggesting more states may reconsider privacy laws in 2020. According to Alan Friel, a partner at BakerHostetler, a law firm, Congress could be “forced to do something if we have a couple of states with significantly different laws”, firms are already anticipating a nationwide ruleset.

“Most of our clients who didn’t have GDPR or international privacy issues have been telling us they assume that the train has left the station and that there are going to be complex privacy laws with robust notice and choice provisions for data subjects in the US,” he says.

“They need to develop the type of information governance programmes that GDPR fostered. We’re not seeing many people say ‘this is never going to go into effect’ – at this point most people have accepted that it’s going to go into effect. It could be a lot more burdensome by the time it lands in a couple of years,” says Friel.

For the Federal Reserve Bank of San Francisco’s Asrow, a nationwide privacy law would help a fintech community already facing a multitude of state laws.

“In the digital and fintech space in particular there’s a variation in laws within a really interconnected country, which is very challenging,” she says. “The same kind of assessment that larger companies already did vis a vis European customers for their American customers, there’s got to be a consideration if there’s value just to comply across the customer base regardless of whether they’re residents of California, or if a firm is more narrowly focused on California should they be parcelled out and treated differently.”

One fintech market participant likened complaints they had heard about the amount of work required to comply with CCPA as an “anguished cry”, while lawyers say clients are finding it much harder to get data mapping, and front end requirements in place before January 1.

For Mactaggart, however, the law is essential given the growth of the tech sector in consumers’ lives over the past few years.

“We’re in the midst of a societal shift. Some of this technology is brand new. Surveillance capitalism is really a function of having smartphones that we all carry around and live our lives on now,” he says. “Really over the past five or six years there’s been this ubiquity and the computing power to analyse all the data combined with the algorithms to make use of it so you now have a handful of companies that have extraordinary power and reach. This is society waking up to that."

Become a bobsguide member to access the following

1. Unrestricted access to bobsguide
2. Send a proposal request
3. Insights delivered daily to your inbox
4. Career development