How the new California data privacy act could impact all organizations


This Q&A with Matthew Nelson is the second in a series of interviews I’m conducting with thought leaders who take a unified governance approach to increasing the value of information to their businesses while driving down costs.

Nelson is currently associate general counsel, privacy and security, and vice president of advisory services at DiscoverReady LLC, where he is responsible for establishing and managing GDPR and privacy compliance programs for a services company representing many of the most well-known businesses in the world.

Nelson is also a faculty member of CGOC and a co-founding member and current annual meeting program chair of the Association of Corporate Counsel's Information Governance Committee. He is also a published author and nationally recognized speaker.

I asked Nelson about the impact of the newly amended California Consumer Privacy Act on businesses and how they should be approaching the evolving privacy landscape.

Information Management: The California legislature recently signed into law Assembly Bill 375 (AB 375) as the California Consumer Privacy Act of 2018 (CaCPA or CCPA). Could you give us a quick overview of what it is and what the implication is for businesses that are not compliant?

Matthew Nelson: That’s the million dollar question. Right now, no one really knows the implications of CCPA for businesses or consumers, and the drama is still unfolding. However, the CCPA was already amended on September 23, so we are gaining insights into how the final piece of legislation may look. I’ll talk more about that later.

The reason for the drama is that the CCPA legislation was hastily put together by the California legislature to ward off a California Privacy Ballot Initiative. The reason the legislature acted hastily is that the California Constitution typically prohibits the legislature from amending or repealing a ballot initiative without voter input. That means the privacy ballot initiative could have moved forward and been passed by voters without much input from the legislature or other interested parties. Once the initiative was passed by voters, the legislature would have been powerless to make amendments or repeal the initiative independently.

To avoid that scenario, the California legislature basically cut a deal with the group sponsoring the ballot by passing AB 375. In exchange, the ballot initiative sponsor withdrew the initiative. Now it’s time to watch the rest of the drama unfold.

IM: What kind of drama do you expect to unfold?

Nelson: A lot of drama has already unfolded since AB 375 was passed. Even though the bill passed only a few months ago on June 28, 2018, it feels a lot like the top two heavyweight boxers in the world cancelled a long-awaited fight only to fight another day. Surprisingly, the rematch has already started.

Let me explain. Many expected the battle over the CCPA to begin in 2019. However, amendments to the CCPA, in the form of Senate Bill 1121, were already passed by the California legislature this summer and were signed into law by Governor Jerry Brown on September 23, 2018.

On one side of the battle are the Chamber of Commerce, the Internet Association (which represents big technology companies like Google) and other business-friendly lobbying groups. They are concerned the CCPA could result in costly consequences for businesses in terms of compliance costs and potential penalties. On the other side, privacy groups are trying to hold the line to make sure amendments don’t gut the purpose of the bill, which is to provide consumers with more privacy rights.

IM: Are the SB-1121 amendments significant?

Nelson: Many of the amendments are as simple as cleaning up some punctuation and providing clarifying language, but other amendments are more significant. For example, one amendment eliminates the requirement that a consumer bringing a private right of action notify the attorney general. It also eliminates the requirement that a business disclose a consumer's right to delete personal information on "its Internet Web site or in its online privacy policy...."

The penalty for a violation also includes an injunction, and the penalty is capped at $7,500 for each intentional violation and $2,500 for unintentional violations.

Lastly, SB-1121 makes the CCPA effective immediately. However, the compliance deadline is essentially extended because the attorney general cannot “bring an enforcement action until six months after publication of the final regulations issued pursuant to this section or July 1, 2020 whichever is sooner.”

IM: What happens now?

Nelson: The amended law doesn’t mean the fight is over. Both industry and privacy advocates alike will likely seek additional amendments or at the very least, they will lobby hard to influence the regulations the attorney general is required to put in place to operationalize the CCPA. I’d say we are still in the 8th round of a 12-round battle, and we can expect more changes to the CCPA.

IM: What should businesses do now, if anything, considering the future of CCPA is uncertain? Do EU GDPR-compliant businesses need to be concerned?

Nelson: The easy approach would be to sit back and wait to see what happens. However, I think that is a big mistake. Barring unforeseen circumstances, some version of the CCPA will be enforced by the middle of 2020. Updating privacy policies and procedures to comply with CCPA now might be a bit premature. However, most organizations face fundamental challenges when it comes to privacy and security compliance that can be addressed now even if they have implemented an EU GDPR compliance program.

The fundamental challenges are the result of the explosive growth and mismanagement of company data over two decades. Organizations simply don’t know how many company files include personal data, personally identifiable information, personal health information or other types of sensitive data or where all those files are located.

In order to comply with the wave of new privacy and security laws, organizations need to establish a process to identify, secure, delete or otherwise manage files containing sensitive data. Most organizations don’t do this well because it requires a combination of skills, including legal analysis, establishing new standard operating procedures and policies and using technology. Only then can organizations identify consumer and employee information so that it can be properly managed.

IM: Thanks Matthew. Do you have any final advice?

Nelson: Assess and re-assess your organization’s level of privacy and security risk now by comparing written policies to operational realities. Similarly, realize that technology solutions are not a silver bullet.

Organizations often invest large sums of money in technology to protect the company’s crown jewels. In reality, the technology is rarely validated so employee, consumer and even trade secret data is not adequately protected, and the company’s risk exposure is still much higher than expected.

Lastly, finding your critical data in a sea of company data can feel daunting. Start by creating a data inventory to help identify potential “data hotspots.” Gaining visibility into these hotspots will help you prioritize protecting, retrieving or deleting consumer, employee, trade secret and other confidential data based on the level of risk.
