If You’re Not First, You’re Last: Risks of Delaying CaCPA Compliance
— by Lindsey Ullian, Threat Stack Compliance Manager
After GDPR went into effect in May 2018, many companies reassessed their privacy programs, adding transparency and giving consumers more control over their personal information. Now, with the CaCPA (California Consumer Privacy Act) coming into effect in January 2020, even more companies are buttoning up their data privacy programs. The CaCPA is not a guideline; it is an act, and every company that falls within its scope must comply. Companies that do not abide by the regulation could face civil penalties of up to $7,500 for each intentional violation.
Since both acts concern data privacy and aim to give the consumer more control and transparency, most companies' first question is, “If I'm GDPR compliant, am I covered for the CaCPA?” The following article by Kevin Kish, Privacy Technical Lead at Schellman & Company, outlines the similarities and differences between the two regulations and gives you a clear picture of what your privacy program may already cover and where it falls short. And what about companies that haven't implemented proper GDPR data procedures? Short answer: they have a longer road ahead. Fortunately, this article details clear steps you can take to comply with the CaCPA.
The enactment of the CaCPA so soon after the GDPR makes it clear that data privacy regulation is not going away anytime soon. As a top-level best practice, companies should be proactive: build a privacy program that aligns with these regulations and allows them to maintain strict, continuous CaCPA compliance monitoring.
Overview of CaCPA
Privacy continues to fill headlines with endless coverage of data misuse by household-name companies, highlighting unethical data management, collection, and sharing practices. Given the frequency of data breaches, affected consumers are cautiously weighing whether they can ever safely release their personal information on the internet. At the same time, privacy advocates across the U.S. are campaigning for reasonable online privacy standards and corporate accountability. Carried by that momentum, the California Consumer Privacy Act (CaCPA) was passed on June 28, 2018, with the goal of increasing transparency, access, and control over a consumer's personal information and imposing considerable penalties on organizations that infringe the Act's provisions.
As a result of the Act's introduction, enterprises must now place particular emphasis on the time-sensitive processes needed to respond to California consumers' information (access) requests. Rooted in the CaCPA's consumer response requirements is the obligation to provide a fair and accurate depiction of data collection, processing, and sharing arrangements over the trailing 12 months. Enterprises may plan to be fully aligned with the CaCPA's requirements by the January 1, 2020 effective date, but compliance requires immediate attention: accurate data registers must already be in place and, by the go-live date, must contain a year's worth of data collection, selling, and disclosure activity. In practice that means the register has to be capturing those events from January 1, 2019, a full year before the Act takes effect.
This post explains, from a privacy practitioner's perspective, why enterprises shouldn't delay building scalable data inventories and data mappings that support Section 1798.130's requirement to provide a requesting consumer with a trailing 12-month snapshot of how their data was used.
The Twelve-Month Lookback Period
The CaCPA's textual requirements for the 12-month lookback period may not stand out on a first read-through, so it is worth highlighting where the requirement appears and why it was included in the Act.
The phrase “12 months” appears 15 times in the Act. This analysis focuses on the requirements under Section 1798.130, which addresses an enterprise's obligation to “disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable request from the consumer.” The same section details three specific cases to which the trailing 12-month period applies:
- Personal information collected about the consumer in the preceding 12 months by reference to the enumerated category or categories in the subdivision.
- Personal information of the consumer that the business sold in the preceding 12 months by reference to the enumerated category in the subdivision.
- Personal information of the consumer that the business disclosed for a business purpose in the preceding 12 months by reference to the enumerated category or categories in the subdivision.
Like most, you may wonder why a 12-month period is stipulated at all. To answer that, we need to examine the fundamentals of the Act, including the events that prompted privacy reform. These center on the concept of reasonable ‘transparency,’ formally defined as “characterized by visibility or accessibility of information especially concerning business practices.” Transparency of data processing activities is called out in other mandatory and voluntary privacy regimes (e.g., the GDPR, the APEC Privacy Framework, and the OECD Privacy Guidelines) and is a critical element of legitimate business relationships. At the same time, consumers rarely read an organization's privacy notice through a pair of legal lenses, since most notices are still not written in a clear and concise format, yet consumers do have reasonable expectations about how their data is used and processed. Because of this, enterprise accountability for data usage has taken the spotlight as the way to avoid deceptive, unfair, or illegal data collection, processing, and sharing arrangements, such as those exposed in the recent Facebook / Cambridge Analytica case.
Enterprises already complying with the EU's GDPR will have a baseline data processing register (the Article 30 records of processing activities), so a formal review should be performed to validate that the existing documentation is effective for CaCPA purposes: it must record collection, sale, and disclosure of personal information per consumer and by enumerated category, not only processing purposes and legal bases. Where no prior preparation has taken place, management should immediately organize a cross-functional team to identify all points of data collection, all data sharing activities, and every case of disclosure.
Poor or nonexistent planning for building and maintaining data registers carries its own risks. An organization that takes an ad hoc approach to consumer (data subject) requests with little preparation exposes itself to legal action by California's Attorney General (AG), who enforces the Act's civil penalties, and to claims from consumers under the Act's private right of action, which covers data breaches resulting from a failure to maintain reasonable security practices.
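The two checks a practitioner actually needs from a data register at request time are (1) the window arithmetic for the three 1798.130 cases above, and (2) whether the register has been running long enough to evidence the full trailing 12 months. The following is an added example, not code from the article, the Act, or Schellman & Company; the register schema, the event names (collected / sold / disclosed), the consumer IDs, and the sample events are all constructed for illustration. The 45-day deadline is computed from the date the verifiable request was received, and the statutory extension is not modeled.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Union

# The three 1798.130 cases to which the preceding-12-month window applies.
COLLECTED, SOLD, DISCLOSED = "collected", "sold", "disclosed"
EVENT_TYPES = (COLLECTED, SOLD, DISCLOSED)

DateLike = Union[date, str]


def _as_date(d: DateLike) -> date:
    """Accept a date or an ISO-8601 string (hypothetical convenience helper)."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def lookback_start(received: DateLike) -> date:
    """First day of the 12-month window that ends on the request date.
    A request received on 29 February is clamped to 28 February of the prior year."""
    received = _as_date(received)
    try:
        return received.replace(year=received.year - 1)
    except ValueError:  # 29 Feb has no counterpart in a non-leap year
        return received.replace(year=received.year - 1, day=28)


def response_deadline(received: DateLike, days: int = 45) -> date:
    """45 days from receipt of a verifiable request (extension not modeled)."""
    return _as_date(received) + timedelta(days=days)


@dataclass(frozen=True)
class RegisterEvent:
    """One row of a hypothetical data-processing register (constructed schema)."""
    consumer_id: str
    event: str         # COLLECTED, SOLD or DISCLOSED
    category: str      # enumerated category of personal information
    on: date
    counterparty: str = ""  # recipient, for SOLD / DISCLOSED rows

    def __post_init__(self) -> None:
        if self.event not in EVENT_TYPES:
            raise ValueError(f"unknown event type: {self.event!r}")


@dataclass
class DataRegister:
    inception: DateLike                      # date the register began capturing events
    events: List[RegisterEvent] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.inception = _as_date(self.inception)

    def covers_window(self, received: DateLike) -> bool:
        """Can the register evidence the full trailing 12 months for this request?
        Only if it was already capturing events on the first day of the window."""
        return self.inception <= lookback_start(received)

    def consumer_snapshot(self, consumer_id: str, received: DateLike) -> Dict[str, object]:
        """Categories collected / sold / disclosed for one consumer inside
        [window start, request date], plus the deadline and a coverage flag."""
        received = _as_date(received)
        start = lookback_start(received)
        cats = {kind: set() for kind in EVENT_TYPES}
        for ev in self.events:
            # Keep only this consumer's rows dated inside the inclusive window.
            if ev.consumer_id == consumer_id and start <= ev.on <= received:
                cats[ev.event].add(ev.category)
        return {
            "window_start": start.isoformat(),
            "deadline": response_deadline(received).isoformat(),
            "register_covers_window": self.covers_window(received),
            **{kind: sorted(found) for kind, found in cats.items()},
        }


# Constructed sample register: running since 1 Jan 2019, with edge cases around a
# request received on 15 Jan 2020 (window 2019-01-15 .. 2020-01-15 inclusive).
SAMPLE_REGISTER = DataRegister(
    inception="2019-01-01",
    events=[
        RegisterEvent("c-1001", COLLECTED, "geolocation data", date(2019, 1, 10)),   # before window
        RegisterEvent("c-1001", COLLECTED, "internet activity", date(2019, 1, 15)),  # window start, inclusive
        RegisterEvent("c-1001", COLLECTED, "identifiers", date(2019, 3, 1)),
        RegisterEvent("c-1001", DISCLOSED, "identifiers", date(2019, 6, 10), "fraud-screening vendor"),
        RegisterEvent("c-1001", SOLD, "commercial information", date(2019, 11, 5), "ad network"),
        RegisterEvent("c-1001", SOLD, "geolocation data", date(2020, 1, 20), "ad network"),  # after request
        RegisterEvent("c-2002", SOLD, "identifiers", date(2019, 8, 1), "data broker"),      # other consumer
    ],
)

if __name__ == "__main__":
    import json
    print(json.dumps(SAMPLE_REGISTER.consumer_snapshot("c-1001", "2020-01-15"), indent=2))
```

The `register_covers_window` flag is the point of the article: a register that only started capturing events in, say, July 2019 cannot honestly produce a 12-month snapshot for a request received in January 2020, no matter how well the query is written. Events are filtered per consumer and by enumerated category because that is the granularity 1798.130 requires; the counterparty column is kept for internal audit rather than returned to the consumer here.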
About KEVIN KISH
Kevin Kish is a Privacy Technical Lead with Schellman & Company, LLC. With nearly 8 years of industry experience, he has a strong history of implementing, maintaining, and assessing global information security and privacy requirements, including ISO 27001, HITRUST, Privacy Shield, and the General Data Protection Regulation. As an industry advocate, he is passionate about researching and writing on the fundamentals and concepts of sustainable data privacy, and about educating clients on the risks, challenges, and best practices around data privacy legislation. He holds several privacy designations from the International Association of Privacy Professionals (IAPP), including CIPP/US, CIPP/E, and CIPM.