Yesterday, the Judiciary Committee of the California Senate held a hearing titled, “The State of Data Privacy Protection: Exploring the California Consumer Privacy Act and its European Counterpart.” The hearing included testimony by many experts on both sides of the issue.
What stood out most in this hearing was the perspective provided by Jessica Lee, partner at Loeb & Loeb, LLP and Co-Chair of the firm’s Privacy, Security & Data Innovations group. Below is a summary of Lee’s comments.
Differences Between European and United States Laws
Lee discussed the differences between laws in the United States and the European Union (EU). Related to the topic of privacy, the EU’s General Data Protection Regulation (GDPR) provides a baseline of principles regarding the use of personal data, but does not provide specific instruction about how a business needs to implement these guidelines. Laws in the United States, on the other hand, tend to outline specifically what a company needs to do to comply.
Regarding privacy laws, Lee notes that they tend to be sector specific in the United States, e.g. the Health Insurance Portability and Accountability Act (HIPAA). Due to the intricacies of different industries, it is difficult to draft a law that encompasses a wide variety of industries but is at the same time specific enough to provide compliance clarity and to be operationally manageable.
A potential solution recommended by Lee is implementing a code of conduct, similar to the GDPR. This code of conduct would provide a guideline for companies about how to fit the intricacies of their sector into the framework of the CCPA.
Compliance with Privacy Laws
Lee then went on to discuss how GDPR compliance relates to what is ahead for companies in terms of CCPA compliance. GDPR compliance is a three-pronged process involving (1) taking stock and inventory of the data that is collected, (2) performing an analysis to determine gaps between the company’s practices and what the regulations require, and (3) remediating the gaps and implementing new processes.
A similar three-phased process will be needed in order to comply with the CCPA. Companies that are already subject to the GDPR will be a step ahead, but companies that are not – including smaller regional companies – will need to start from the very beginning. This can require significant effort and expense on the part of a company and has the potential to have a disparate impact on smaller companies. Smaller companies that meet the CCPA threshold might find it difficult to shift their infrastructure to meet the CCPA’s requirements in the narrow timeline provided, whereas larger companies are better able to absorb the cost of such an effort and the risks associated with non-compliance.
Challenge Faced in CCPA’s Timeline
One challenge with the CCPA, according to Lee, is the implementation timeline. Companies must implement practices to comply with the CCPA by the 2020 deadline. However, rulemaking from the California Attorney General is forthcoming, and there are likely to be legislative amendments due to the lack of clarity in the law. Lee notes that a company that puts effort toward complying with the law before the rules are published might have to redo that work if the Attorney General’s rules turn out to be contrary to the company’s interpretation. If, on the other hand, a company waits until the rules are published, then the implementation timeline is extremely compressed.
Lee suggests that clarifying the CCPA’s twelve-month look-back period is a potential solution. If the look-back period begins as of the publication date of the Attorney General’s rules, it will provide companies with the time needed to map out and operationalize the data.
Unlike the CCPA, the GDPR provided a two-year ramp up period where there were no significant changes made to the law, making it a lot easier for companies to operationalize the new law.
Challenge in Identifying California Residents for Certain Businesses
A challenge unique to the CCPA – and not applicable to the GDPR – is its limited applicability to California residents. With the GDPR, an IP address can easily help identify whether a person is within the covered area. However, an IP address only indicates a person’s approximate physical location at the time of the connection, not their residency. The irony of the CCPA, according to Lee, is that it would require the collection of even more data, such as a mailing address, in order to determine whether the company is dealing with a California resident.
insideARM previously published articles reviewing the Attorney General’s public forums on the CCPA, including the ones held in San Francisco, San Diego, and Sacramento. Many larger agencies that collect nationally are impacted by this law. If you think your company is off the hook because you only collect regionally and are not collecting from California residents, think again. It has long been speculated that GDPR-like laws will make their way to the United States. California is the tip of the iceberg. According to the Privacy Compliance & Data Security blog of the law firm Fox Rothschild LLP, several other states, including North Dakota, New York, Utah, and Washington, are also considering consumer data privacy laws.