Analysing the emergence of state privacy laws and its impact on US businesses
May 2019 | SPECIAL REPORT: BUSINESS STRATEGY & OPERATIONS
Financier Worldwide Magazine
May 2019 Issue
Over the last year, states have increasingly turned their attention to enacting far-reaching consumer privacy laws that will require businesses to provide substantial privacy rights to consumers. The push first began in California through the enactment of the California Consumer Privacy Act of 2018 (CCPA). It has rapidly expanded in 2019 with bills being proposed in numerous states, including Hawaii, Maryland, Massachusetts, New Jersey, New Mexico, Nevada, Rhode Island and Washington.
The genesis of this legislative push can be linked to a number of factors. The European Union’s General Data Protection Regulation (GDPR) came into effect in May 2018, raising the profile of privacy regulation in the US. News coverage of the data-sharing practices of large technology companies also brought privacy regulation to the forefront, as US residents were surprised to learn the extent to which their personal information was being disseminated to other companies. The federal government’s inability to tackle the issue also factors into the equation as state legislators have become convinced that they are the only option to protect consumers. State legislators in large states also have realised that, given the interconnected nature of the US economy, any legislation they enact can, in some respects, form a national standard.
The difficulty, however, of a state-based approach to privacy law cannot be overstated as state laws will inevitability create different, and perhaps conflicting, obligations. The first such law, the CCPA, will come into effect on 1 January 2020. It applies to “businesses”, which is defined as any for-profit entity that is doing business in California and that has annual gross revenues in excess of $25m, annually receives the personal information of 50,000 or more California residents, or that derives 50 percent or more of its annual revenue from selling personal information. The CCPA also applies to any entity that is controlled by, and shares common branding with, a business.
One effect of the CCPA’s broad definition of “business” is that large entities with tiered corporate structures will likely have one or more affiliated entities that will be subject to the CCPA. Once that obligation is triggered, entities will need to scrutinise not only how consumer personal information flows out of the corporate structure, but also how it flows between and among affiliated entities.
Further complicating matters is that the CCPA defines “personal information” incredibly broadly, to include any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly with a particular consumer or household”. This includes not only information that may customarily be considered personal information (e.g., names, addresses, email addresses, social security numbers and driver’s licence numbers, as well as IP addresses, browsing history, search history, purchase history, biometric information and geolocation data).
Against this backdrop, the CCPA provides California residents with a set of first-in-the-nation privacy rights. Businesses will be required to make upfront disclosures about the categories of personal information that they collect and how the information is shared with third parties. Businesses will need to respond to verifiable requests from California residents to provide specific pieces of personal information they have collected about the consumer for the prior 12 months. Businesses also will need to respond to verifiable requests from California residents to delete their personal information (subject to numerous exceptions). Businesses that share personal information with third parties for monetary or “other valuable consideration” (an undefined phrase) will be required to allow California residents to opt-out of such transfers.
The California Attorney General’s office is charged with enforcing the CCPA and may seek statutory fines of $2500 per violation or $7500 per intentional violation. The CCPA does not define what constitutes a “violation”. If interpreted broadly (e.g., on a per consumer or per day basis), potential fines could be substantial. The California Attorney General’s office also recently proposed an amendment to the CCPA that would allow private litigants to sue for violations of their private rights.
The CCPA also allows private litigants to bring class actions for data breaches that are caused by a business’s failure to implement and maintain reasonable security procedures. That provision necessitates special attention from businesses because the CCPA will permit private litigants to seek statutory damages of between $100 and $750 per consumer, per incident. In other words, a data breach involving the personal information of 10,000 California residents would expose a business to statutory damages of between $1m and $7.5m.
A number of other states are now considering enacting consumer privacy legislation. The state that appears to have the most momentum to enact such a statute is Washington. As it is currently drafted, the Washington Privacy Act (WPA) is similar in some respects to the CCPA. For example, as with the CCPA, the WPA would allow state residents to request that businesses turn over all personal information in their possession to the resident. The WPA also would grant state residents the right to request that businesses delete their personal information.
Despite their similarities, there are a number of differences between the CCPA and the WPA that could cause headaches for entities operating in both states. For example, the WPA would require businesses to confirm whether or not they are processing personal information, would require businesses to correct inaccurate personal information, and would allow residents to submit requests to restrict the processing of personal information.
Additionally, while there are commonalities, the CCPA is different in scope and purpose from the European Union’s GDPR. Therefore, the fact that an entity is compliant with GDPR will not mean that it will be compliant with the CCPA and vice versa.
Organisations that are subject to the CCPA should undertake a number of steps to ensure compliance. First, organisations with complex organisational structures should analyse whether each entity within that structure constitutes the same business, separate businesses or a third party. Given that the CCPA impacts the flow of personal information between and among entities, that threshold analysis will be essential to ensuring that an organisation’s ordinary data flow practices do not violate the CCPA’s provisions.
Next, a data inventory and data map should be developed. These documents identify what personal information flows into an organisation, where it is stored, the business and commercial purposes for receiving that information and how (if at all) it flows inside and outside the organisation. This step will allow for accurate up-front disclosures and a swift response to verifiable requests.
Once the data inventory and mapping is completed, organisations should examine whether any of the personal information that they collect is subject to an exemption under the CCPA. For example, the CCPA provides an exemption for personal information that is collected, processed, sold or disclosed pursuant to the federal Gramm-Leach-Bliley Act and its implementing regulations. Similarly, organisations should examine whether they can employ de-identification and aggregation of personal information to minimise compliance burdens.
Organisations should then focus on developing policies, procedures and work flow processes to handle verifiable requests and opt-outs. It may be possible to leverage existing policies (e.g., policies developed for GDPR requests) or these policies may need to be developed for the first time. In doing so, it will be important to analyse issues such as who in the organisation will have responsibility for responding to these requests, whether different departments will be responsible for different types of requests and the role of legal in the response process.
There will also be a need to address how to handle the flow of personal information outside of the organisation. The CCPA allows consumers to opt-out of certain transfers of personal information to third parties. However, the opt-out does not extend to transfers of personal information to service providers. To qualify as a service provider, there will need to be a written contract between the two entities that addresses a number of issues.
Finally, organisations will need to review and revise their consumer facing notices (e.g., their online privacy notices), train employees, and address information security issues in light of the CCPA’s statutory damages for data breaches. In the end, what is perhaps the most critical takeaway is that the US is on the threshold of a fundamental change in its approach to privacy law. The issue for businesses is no longer whether the US will embrace privacy law changes, but how these changes will take place and what businesses will be required to do to ensure compliance.
David Stauss is a partner at Husch Blackwell LLP. He can be contacted on +1 (303) 892 4429 or by email: firstname.lastname@example.org.
© Financier Worldwide
Husch Blackwell LLP