Protecting Personal Data: California Enacts First Comprehensive U.S. Privacy Law
THE STORY
On January 1, 2020, the California Consumer Privacy Act (CCPA) opened the door to a new era of privacy regulation in the U.S. The CCPA is now the country’s first comprehensive consumer protection law.
Likened to the European Union’s General Data Protection Regulation (GDPR), the new law provides California residents powerful privacy rights and protections across a broad range of personal information that businesses collect and could possibly sell.
Noncompliance risks regulatory fines and penalties, loss of consumer trust, brand damage, revenue loss and litigation costs, potentially involving class-action suits.
“The CCPA was enacted in response to public demand and outcry for a privacy law in the United States, in the wake of the enactment of the GDPR and other global privacy laws coming into effect,” says Caitlin Klein, deputy global chief privacy officer at Aon. “This is a landmark privacy law in the U.S. because of its comprehensiveness.”
WHY IT MATTERS
The CCPA is a law that commands notice: home to the high-profile tech ecosystem of Silicon Valley, California represents the world’s fifth-largest economy. And several U.S. states are expected to replicate the measure in some manner over the next few years.
The law’s definitions of personal information – and what constitutes selling it – cast a wide net.
“It departs from our traditional notion of what constitutes the sale of personal information,” says Klein.
The CCPA defines the sale of personal information as “selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating personal information to a business or other third party for money or other valuable consideration.”
The law also defines parameters around data subject access requests – inquiries from individuals about their data or requests that information be changed or deleted.
While the CCPA has been compared to the GDPR, as with various laws across jurisdictions, compliance with one does not guarantee compliance with the other.
Enforcing The California Consumer Privacy Act
The CCPA allows California’s attorney general to enforce the law through investigations, fines or civil suits against companies.
But the law also establishes a private right of action, allowing individuals whose data have been exposed to sue the businesses, even if the exposure has not yet caused harm.
How Businesses Can Prepare
Brad Bryant, chief privacy officer at Aon, suggests efforts to comply with the new CCPA could be guided by core principles, which can transcend specific laws:
- Data comprehension: “Understanding what personal data you’re collecting and how you’re handling them is key,” Klein explains. Companies are well advised to do that, even in jurisdictions where there are not yet comprehensive privacy laws. “Those laws are coming – and they’ll be coming at you fast.”
- Data minimization: “It’s generally a best practice to minimize the amount of personal data you collect,” says Michelle Wright, global privacy senior director at Aon. “Only collect what is really needed for your business processes.”
- Transparency: “You need to make sure your clients or customers know what personal data you’re collecting, how you’re using it and how you’re securing it,” Wright says. Companies collecting personal data should understand and document what data they collect and how they handle that information: why they’re collecting it, how they use it, whether or not it is transferred, where and to whom it may be transferred, the data’s life span and when the data will be deleted.
- Request readiness: Finally, companies need to prepare to respond to data subjects’ rights requests. Companies that are open and honest with individuals making those requests might not always make them happy, but they’ll reduce the risk of regulatory complaints, says Klein.
Moving Forward: Proper Data Handling And Strong Cyber Posture As Best Practices
For businesses in California responding to the CCPA – and those elsewhere who might soon face similar regulations – it is important to continuously embrace data-handling best practices.
And as business continues to become more global and regulatory jurisdiction lines blur, repercussions from privacy breaches can become more severe.
“When a global organization with integrated networks across international borders experiences a breach, it can – and likely will – have repercussions outside of the territory in which the breach occurs,” says Stephanie Snyder, commercial strategy leader, Cyber Solutions at Aon. Regulations can become an opportunity, she continues, to continuously ensure that proper cyber planning and data handling are embedded within an organization’s culture.
“Examining data and cyber processes during a breach is not ideal. Diligence is critical well in advance to not only prepare for compliance with upcoming regulations but to prevent a breach in its entirety or best manage through one, should one occur.”