A US multinational with no sales in Europe may be unfamiliar with the continent’s relatively new customer-privacy requirements under the GDPR, but that company likely does operate in California, where similar requirements are coming, and it appears that the trend is unfolding nationwide.
A Gartner survey last summer highlighted Europe’s General Data Protection Regulation (GDPR) as one of two risks that could quickly escalate and damage a company. In light of the ever-growing number of major corporate data breaches that expose customers’ private data, the California Consumer Privacy Act (CCPA) was signed into law last September and introduces similar requirements that must be complied with by January.
GDPR experience helps. Corporate risk managers whose companies have complied with GDPR—and some reportedly are still trying to do so despite the regulation passing its first anniversary in May—will have something of a leg up. Dan Frank, principal, Deloitte Risk and Financial Advisory, said there’s a “fair amount” of overlap between the GDPR and CCPA requirements, but explicit requirements under the former are often only implied in the latter.
“For example, GDPR requires developing a record of processing activities, documenting what personal information the company is collecting, how it’s using the data, who it’s sharing it with, where it’s being sent, etc.,” Mr. Frank said.
He added that there’s no such black-and-white requirement under CCPA. However, the California law has a very similar individual-rights component, requiring companies to comply with customer requests, including revealing the data they hold and amending, porting, or deleting it.
“If the company doesn’t have the record of processing, there’s no way it can comply with the CCPA’s individual rights requirements, because it wouldn’t know any of that information,” Mr. Frank said.
More complications. Rich Vestuto, a managing director in Deloitte Risk and Financial Advisory, cautioned that selling personal data for “valuable consideration” is clearly not allowed under CCPA. However, the law does not define valuable consideration, and regulators are likely to take a much broader view of such a transaction, beyond simply exchanging data for monetary compensation. Potentially causing a muddle in the near future, several other states are pursuing similar but different legislation. Nevada, for example, became the first state to give consumers the right to opt out of the sale of their data. A New York bill introduced in May would give New Yorkers the right to sue companies directly over privacy violations, a measure that was pulled from the California bill, and it would not include an exemption for smaller businesses.
Carve-out questions. Mr. Frank noted that CCPA provides a carve-out for some sectors that already have data-privacy requirements—primarily the Gramm-Leach-Bliley Act (GLBA) requirements for the financial industry, and requirements stemming from the Health Insurance Portability and Accountability Act (HIPAA).
Companies in those industries “are weighing the pros and cons of utilizing their exemption,” Mr. Frank said. “So if a California resident asks for a copy of the data a company holds, will the company only produce the data that is not covered by the carve-outs, or will it be transparent and say, ‘This is everything we have about you’?”
Third-party questions. For companies in sectors that do not have to comply with GLBA, HIPAA, or GDPR requirements, the effort and resources needed to comply with CCPA will be significant and may extend beyond a company’s own data systems. For example, Mr. Vestuto noted, a company may obtain customer data protected by GDPR or CCPA from third parties, and its contracts with those parties will likely have to be amended to ensure its customers’ data privacy.
“A company may not know where all of its data is and what others—maybe a marketing or benefits company—may be doing with it,” Mr. Vestuto said.