For chief data privacy and technology officers who think that the new California Consumer Protection Act (CCPA) is just a mini-version of Europe’s General Data Protection Regulation (GDPR), answering these three simple questions could make them change their minds. Getting them wrong could also cost their firms plenty in regulatory fines and litigation.
The goal of the two regulatory measures is similar: to give customers more control over protecting their data and companies more reason to safeguard their data. Akin to the GDPR, effective in May 2018, the CCPA allows customers to ask firms to explain how their personal data is used and to require them to delete it upon request. The timetable for an inquiry or deletion is either one month or two months under the GDPR while the CCPA has a deadline of 45 days for an inquiry. The CCPA’s text is unclear about the deadline for deleting data.
Although the CCPA is technically effective this January, California’s attorney general can only begin enforcing it in July 2020 or earlier depending on when final implementing regulations are issued. Legal experts are hopeful there will be badly needed clarifications on hastily drafted language primarily intended to address concerns about the access and sale of personal information from data giants such as Facebook and Google.
At first glance, regulatory penalties for non-compliance with the CCPA appear minor compared to those for the GDPR. However, financial firms subject to the CCPA could face very large liabilities from investor lawsuits over data breaches, which can amount to multimillions of dollars based on a fine of between US$100 and US$750 per investor per incident of a data breach.
The GDPR mandates that a national enforcement body in each member state of the European Union can impose sanctions for non-compliance reaching up to four percent of the company’s annual revenues or €20 million, whichever is greater. By contrast, the CCPA allows California’s attorney general to impose fines of up to US$7,500 per violation, but only if intent to violate the law can be proven. Otherwise, the fine is capped at US$2,500 per violation. The CCPA’s text is unclear on defining the term intent.
“Being prepared for the GDPR, will likely go a long way to fulfilling the requirements of the CCPA,” says Greg Ewing, a partner specializing in blockchain and cybersecurity law for Potomac Law Group in Washington DC. “Financial firms will likely rely on the same IT staff; however, there are subtle differences in the definition of personal data and its sale, which will require data privacy officers to get up to speed with the CCPA and business line data managers to be retrained.”
With so little time left to prepare for the CCPA, chances are that there are plenty of firms that aren’t ready to deal with the CCPA’s expansive definition of the term personal data and its unclear definition of what constitutes a sale. Of course, firms that never geared up for the GDPR are in the worst shape. They can only pray that nothing goes wrong.
“Making life more stressful for data privacy and other IT managers, the California law has a look-back provision which allows customers and employees to ask how their data was used up to twelve months before the law is effective,” says Robert Cruz, the San Francisco-based senior director of information governance for Smarsh, a Portland, Oregon-headquartered firm specializing in email archiving, monitoring and documentation. “Practically speaking that means that firms should be prepared from now, if not yesterday.”
The CCPA might appear to have a narrower application than the GDPR. However, using just one of the criteria allowed under the CCPA will capture the same pool of large buy-side and sell-side firms. The CCPA also defines personal data to include information that can be associated with specific individuals, such as data on devices and pseudo-anonymized data. That spells IP addresses, browsing history and information regarding a consumer’s interaction with an internet website.
The GDPR affects all businesses that process data of European citizens, regardless of their location or size. Firms with European customers, which have offices in Europe or market their services in Europe, must follow the pan-European legislation. To apply the CCPA, a financial firm must first have customers who are California residents. Once that factor is established, one of three thresholds can be used. They are: having US$25 million in annual revenues; obtaining for commercial purposes, selling or sharing the personal information of more than 50,000 households, devices or California residents; or deriving at least 50 percent of annual revenues from the sale of personal data of California residents.
“The second criterion of selling or sharing of personal information from households, residents or devices is likely to capture almost any company that conducts business online, has an application or even has a consumer-oriented website,” says Doron Goldstein, a partner and co-head of the data, privacy and cybersecurity practice at the law firm of Katten Muchin Rosenman in New York. “The firm just needs a website that is accessed by more than 50,000 California visitors, households or devices and the Act doesn’t specify that the devices have to be located in California.”
Fulfilling the basics of the CCPA will be hard enough. Financial firms must know exactly where their data is located and who has access to the data to respond to a request on its use or deletion. “Chief data privacy officers can’t click a retrieve or delete button because the data isn’t in a single centralized location,” says Cruz. “The data could be in multiple locations either internally, collaboration tools such as Slack or Microsoft Teams or third-party providers using the cloud.”
Each data storage site has its own methodology for storing data. It’s harder to retrieve data from collaboration tools than other locations, says Cruz, because the information is contained within persistent chats that take place over periods of time with multiple participants.
Financial firms that don’t have systems in place to store and retrieve data collected on any device had better get them soon. Smarsh says that its platform can store and retrieve emails, text messages, collaborative content and social media from a variety of sources including computers, mobile devices, kiosks and trader terminals that can communicate with Smarsh’s capture technology.
Storing and retrieving data collected on devices and households could end up being the most challenging technical aspect of complying with California’s legislation. The reason: the data might not be easily attributable to a specific individual. “One consideration is whether the firm will have to go back and identify the customer associated with data obtained from a device,” says Joseph Facciponti, a partner with the law firm of Murphy & McGonigle in New York. “The degree to which the California legislation will require firms to attribute all information to an actual person is unclear.”
It stands to reason that once a financial firm has tracked down a customer’s or employee’s data, it will also have a game plan for quickly fulfilling a request for how it is used or that it be deleted. The request must find its way from the data privacy department to the IT department, and that doesn’t mean just internal units. “To the extent that specific data is subject to the CCPA, financial firms might have to amend their agreements with third party providers, called service providers, to track the location of the data and delete it,” says Goldstein.
The CCPA mandates that businesses have written agreements with their service providers that expressly prohibit the service provider from using, retaining or disclosing personal data, except for the purpose of performing the contract for the benefit of the business client or as required by law. The service provider must provide a written certification that it will fulfill its contract and meet the CCPA’s obligations.
The good news: ensuring the appropriate language is used in legal contracts goes a long way to ensuring compliance with the CCPA. “If the service provider violates its contractual requirements [under CCPA] and the business did not have actual knowledge or reason to believe the service provider would violate those terms it will not be liable,” says Goldstein.
However, the benefit will come with a bit of pain, and cost. Financial firms typically rely on hundreds of third-party vendors for a wide range of services involving data transmission and retention. They must then ensure that the CCPA’s terminology is correctly applied across all of those agreements. That’s a tall order when it comes to the term sale, which is ill-defined.
The CCPA allows a customer to request that its data not be sold to any third party. The legislation suggests that sale means compensation of “valuable consideration.” That phrase doesn’t always spell cash and it could even include a transfer of data from one subsidiary of a parent firm to another.
“The application of the definition of the term sale could be significant in the financial services industry where data is often collected by third-party systems handling front, middle or back office work,” says Joanna Fields, managing principal for Aplomb Strategies, a regulatory compliance consultancy in New York. She questions whether an introducing broker’s transfer of data to an executing broker, or an introducing broker’s use of a third-party algorithm or smart order routing system, might violate the CCPA. “Those scenarios could constitute a sale, if the introducing broker receives any payment for order flow or profit-sharing relationship with certain market venues or participants,” warns Fields, who specializes in data privacy and cybersecurity.
The CCPA also has a rather odd interpretation of the term discrimination when it comes to the sale of data. Financial firms cannot discriminate against customers, or charge higher fees, to those who request that their information not be sold to a third party. However, the CCPA allows financial firms to offer perks, such as fee reductions, to customers in exchange for allowing them to sell their data to third parties. “California doesn’t think those perks are discriminatory, even though customers who allow their data to be sold could be treated more favorably than those who don’t,” says Facciponti. “Financial firms will have to understand the value of the data to come up with the fee reductions.”
Perhaps the saving grace for financial firms having to unscramble some of the CCPA’s confusing terminology and requirements is that the legislation does include a carve-out, or exemption, if the data falls under the category of data covered by the Gramm-Leach-Bliley Act (GLBA) or the California Financial Information Privacy Act. Enacted in 1999, the GLBA is a federal law requiring financial institutions to explain how they share and protect customers’ private information.
Nonetheless, financial firms can’t be remiss. “Financial firms will still have to separate covered data from the exempt data and hope they get it right,” says Facciponti. The GLBA typically covers data associated with opening an account with the financial institution, data associated with the account itself, and any transactions made by the customer. However, the GLBA might not cover information the firm obtains for marketing purposes or in order to identify potential customers, explains Facciponti.
Even if a customer’s data is exempt from the right of access and the right of deletion, a financial firm isn’t entirely off the hook. “The California legislation does say that the firm can be subject to an investor or class-action lawsuit if there is a data breach unless it can prove it took reasonable steps to protect the data,” says Goldstein. The legislation never defines the term reasonable, but a firm following industry standards has a better chance of defending itself against litigation.
Since financial firms may not have sufficient time to digest the subtle differences between California’s law and the GDPR before California’s attorney general cracks the whip, tackling the basics is a good idea. Those are identifying exactly what data is collected on customers, where it is stored and whether it falls under any regulatory exemption. “The reality is that much of the data financial firms legitimately collect will fall under the exemptions, but there will be some data that doesn’t,” says Ewing. “Given the potential penalties for failure to take adequate precautions under CCPA, financial firms will be well-served to take these initial screening and assessment steps.”
As is the case with any regulation, training will go a long way to ensuring compliance. “Providing data users and data managers with an overview of CCPA requirements and an introduction to the chief data privacy executive will remove any ambiguity about the consequences of policy violations,” says Cruz.
Facciponti also recommends that financial firms make data security a priority. “Given that the CCPA provides a private right of action for customers when certain categories of their personal information is compromised in a data breach, firms should review their security practices and procedures to ensure that the protections they have in place are reasonable,” he says.
Firms griping about the stress of meeting the requirements of California’s legislation had better brace themselves for even more angst. Other states, such as Washington State, New Jersey and Texas, may follow suit with their own versions, thereby forcing data privacy directors to map out all the similarities and differences. “For businesses, it would be ideal if the US were to adopt a federal data privacy law,” says Ewing. “The chance of that happening is slim as the US heads into an election cycle.”