California data privacy law creates complications beyond GDPR compliance

In many respects, the General Data Protection Regulation is, on the surface, a more complicated bit of legislation, and one with more moving parts to consider within its 99 Articles. By comparison, California’s law does, indeed, seem far more streamlined.

Appearances, however, can be deceiving, warns John Tsopanis, privacy product manager for 1touch.io, a purveyor of network mapping and automated data discovery software solutions. “If we are talking from an American company’s point of view, I honestly believe that California’s new law is more stringent and forces more work to be done by those companies than European companies are required to do under GDPR,” he says. “This is earth-shattering, groundbreaking legislation. The implications of it, and the work that needs to be done by almost all companies in America, is monumental.”

In late June, California, home to many of the world’s top tech companies, became the first state in the nation to enact a law that, in large part, attempts to mirror European data protection and privacy standards of the European Union’s General Data Protection Regulation. It will take effect on Jan.1, 2020.

Similar to GDPR, California customers will have the right to demand that specific data be deleted from an online enterprise’s databases.  

The legislation will:

• Grant consumers the right to request deletion of personal information and require the business to delete that data upon receipt of a verified request;
• Give consumers the right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information it collects and the identity of third parties to whom it was sold or disclosed;
• Authorize consumers to opt out of the sale of personal information by a business and prohibit a company from discriminating against consumers for exercising their right to do so;
• Authorize businesses to offer financial incentives in exchange for the collection of personal information;
• Prohibit businesses from selling the personal information of a consumer under 16 years of age, unless affirmatively authorized;
• Allow for the law’s enforcement by the California’s Attorney General; and
• Provide a private right of action in connection with certain unauthorized access and exfiltration, theft, or disclosure of a consumer’s non-encrypted or non-redacted personal information.

A covered “business” is defined in the law as any for-profit entity that either does $24 million in annual revenue; holds the personal data of 50,000 people, households, or devices; or does at least half of its revenue in the sale of personal data. Consumers, for purposes of the law, are defined as California residents, specifically “every individual who is in the state for other than a temporary or transitory purpose.”

Failure to address a violation of the law within 30 days could lead to a $7,500 fine per violation, which could be defined as for record or customer file.

As detailed as the law may seem, plenty of opportunities for it to be reshaped remain, with even tougher privacy protections or more business-friendly amendments, says Laura Jehl a partner with law firm BakerHostetler and co-chair of its GDPR practice. She addressed the California law during a more general discussion of GDPR during a webcast last week. “There is no guarantee the law will take effect in its current state,” she said. “Almost immediately after the law took affect, the tech companies once again focused their money and energy on attacking it. Amendments have already been proposed, and there are more likely to be proposed by other groups.”

“This thing is not done yet. Before you waste too much time learning every provision and figuring how to comply with it—and whether it requires different steps than GDPR compliance, how much more budget you need to request in the next budget cycle, and whether or not your company will revolt and refuse to give you any more money because you just had GDPR—all remains to be determined. Hold your fire but do keep your eye on California.”

That there may be amendments to the law is, itself, a concession to California’s powerful and profitable tech sector. “One of the concerns about the ballot initiative is that it had a crazy supermajority, a 70 percent vote to change or amend the law,” Jehl said. “The tech companies were really unhappy with that, so both sides came together and agreed they would draft a less onerous bill. A supermajority is no longer needed for amendments.”

Although the legislation is often thought of as “California’s GDPR,” and there is indeed “a high degree of overlap between the two” the data privacy regimes are far from identical,” Jehl explained. She described it as a broader, consumer-focused piece of legislation than the personal data scope of GDPR.

Both similarities and differences can be found in even how the two regimes approach personal data.

In the California law, Jehl said, “personal information is broadly defined to include identification of or association with a consumer or household, including demographics, usage, transactions and inquiries, preferences, biometrics, employment information, predictions, inferences drawn to create a profile about a consumer, and education information. This excludes publicly available information from public government records.”

It remains unclear whether de-identified data and aggregate consumer information is included.

“This is earth-shattering, groundbreaking legislation. The implications of it, and the work that needs to be done by almost all companies in America, is monumental.”

John Tsopanis, Privacy Product Manager, 1touch.io

Under GDPR, personal data is broadly defined as any information that permits identification of a data subject, directly or indirectly. Examples include names, identification numbers, location data, online identifier such as IP addresses, or reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the data subject.

The California law comes at a precarious time for U.S. companies still struggling since GDPR’s May 25 deadline to “grapple with the practical realities of implementing their compliance programs, a BakerHostetler client alert states. “In almost all cases, many loose ends remain. As EU regulators issue new guidance and contemplate enforcement, businesses must be prepared to adapt their strategies to respond to new interpretations and changing circumstances,” it added.

While GDPR covers cross-border transfers, the Consumer Privacy Act applies to inter-state and international consumers served by a California business.

Tsopanis, the privacy product manager for 1touch.io, warns against taking a wait-and-see attitude regarding California’s law. “Although they may not realize it yet, every technology and Fortune 500 company in America is going to be affected,” he says. “It doesn’t matter what state a business is based in; if it collects data on California citizens or works with a third-party supplier based in California—and what large business doesn’t work with a California tech company? — it will be required to maintain compliance with the new law.”

California’s AB 375 goes into effect in 18 months, he says, adding, “ Ask any European company now grappling with GDPR: 18 months is no time at all. If U.S. companies are not preparing now, their risk exposure is poised to go through the roof in January 2020.” 

In action, Tsopanis says, the law will hone the focus on subject access requests. “It essentially allows upwards of 40 million Californians to easily access, on a company’s webpage, a link that says, ‘Do not sell my personal data,’ and they can request, from that company, a report on what personal information it has on them, who they have sold it to and why they are processing it. The citizen does not have to be a customer or have an account with that company to make that request.” That, he says, “is a huge obligation and a huge burden on all American companies.” 

To provide that report within 45 days, companies may will need to scour their entire organization to find out if they have any personal information on that one California citizen, then provide them with a full report on what that information is, who the sold it to, and the contact name and addresses of the people that they sold it to.

“The definition of personal information in this California Privacy Act is much broader than in the GDPR,” Tsopanis adds. “It includes unique identifiers— which are things like cookies IP addresses, and device numbers. What that means is if, in the course of the 12 months, 50,000 California residents visit your web-based storefront in Maine, based on your cookie settings you are liable under this legislation… It is almost impossible, if you are a business in a state outside of California—the fifth largest economy in the world—to not process the data of California residents.

Nearly every company, within their privacy notices, will need to have a second section for California residents, Tsopanis says. “It needs to tell them that you are not allowed to sell their personal data. The link needs to be clear, conspicuous and on every business home page.”

Tsopanis warns that what makes the California law potentially more serious than GDPR is that in the response to requests, a company will need to detail all of the entities it has sold data to. “This is not a requirement in the EU GDPR, which captures consent for third-party processing of data in the privacy notice before information is collected.”

“The amount of buying and selling of data is absolutely off the hook,” he adds. “Each company is going to need to disclose, for the previous 12 months, what their buying and selling of data practices were and what happens when that data is in the hands of citizens who game that information. This is going to blow open an entire system that U.S. consumers never knew existed.”

A nuanced review of the rule reveals additional challenges for companies, Tsopanis says. “It essentially says that when you get an access request you need to disclose which companies you sold that data to in the past year, and why you sold it,” he explains. “To legally sell data to a third party, the law says that there has to be a contract in place that prohibits the third arty from then reselling personal information or processing it for a reason that wasn’t explicitly named in the contract. This is going to be a major problem for the entire network of data sellers and buyers, because clearly there us a obliteration of selling data after the initial access to everyone.”

Also, if that third party is breached while using your data in a way that wasn’t specifically outlined in the contract, the initial company is also liable for that breach.

Monitoring these third parties is one of the major challenges imposed by the new law. “You’ve got to do really good and fast third party risk management and due diligence on your major suppliers and digital marketing agencies,” Tsopanis says. “You need assurances from the companies you sell data to that they are not being cowboys with it.

A similar lesson was learned post-GDPR. Companies are demanding third-party ISO 2701 updates and GDPR audits done by the Big Four accounting firms. “We are seeing a lot of professional services auditing and checking to provide assurances between third parties,” he says. “That’s already an established market here in Europe.”

The advice for company’s facing either a data privacy regime is to focus on the basics. “Companies need to answer basic questions: what data do I have, where is it, who am I sharing it with and what rules do I have,” Tsopanis says. “Keep it simple. Find your information, categorize it, and have some rules around it.”