As high-profile cases and ever-increasing regulations highlight, we are entering a new age of dealing with data that’s causing companies to rethink everything—from how they collect data to storage, retention, access, disposal, and more. The General Data Protection Regulation (GDPR) set the stage for a new era of data protection and privacy compliance and effectively sparked a regulatory movement, beginning with the hasty passage of the California Consumer Privacy Act (CCPA) in the United States. That trend continued in November 2020 with the passage of the California Privacy Rights Act (CPRA).
Since then, we've seen four more states pass comprehensive privacy laws: Virginia, Colorado, Utah, and very recently Connecticut. All of the laws give organizations time to prepare their information governance and data retention programs to comply with the laws... but that time is rapidly running out. On January 1, 2023, CPRA comes into effect (as does Virginia's law), with the other ones following in mid- to late 2023.
Failure to comply with this increasingly complex terrain of privacy regulations could result in litigation that is damaging, both reputationally and financially. Companies must develop a defensible approach to data privacy regulations and ensure that their e-discovery preservation and information governance programs are up to par.
THE COSTS OF FAILURE
Organizations’ obligations to manage data—and the costs of failure—are growing exponentially. Just look at recent examples from data breaches. A well-known retailer paid almost $70 million in settlements with banks, states, and class action suits stemming from a single data breach. LA Tan settled a Biometric Information Privacy Act (BIPA) lawsuit, and now there are more than 200 class action suits.
Organizations with gross revenue in excess of $25 million, that collect personal information of more than 50,000 customers (100,000 or more under the CPRA), or derive more than 50% of their annual revenue from selling California resident information will have to comply. At a high level, it’s important to understand the consumer rights granted by both laws:
- Right to know data collected and purpose
- Right to access and alter personal data
- Right to delete data
- Right to know categories of third parties
- Right to consent to collection, sharing & use
- Right to opt-out
- Right to equal treatment
For an intentional violation, companies will have to pay $7,500 (if it’s considered an accident, it’s $2,500 per violation) to the state of California. What’s considered a violation is still in question; whether the state decides to take a more expansive view is yet to be seen.
In the event of a data breach in which a company is found to have unreasonably allowed data to be accessed and acquired by an unauthorized party, the law now provides for statutory damages that will range from $100 to $750 per data subject. In cases like this, a single lost laptop with unencrypted data could result in a significant legal risk. And whereas the CCPA as originally passed didn't have specific rules regarding data retention, as the GDPR did, the CPRA will augment the CCPA in creating enforcement around organizational retention standards.
Important CCPA & CPRA Regulations & Details
In August 2020, the California AG's office announced that the CCPA regulations were finalized and in effect. In November 2020, California voters again approved a privacy measure. The CPRA augments the CCPA in many ways, most notably to include data retention provisions. That law becomes effective January 1, 2023. In this section, we'll go over the most important regulatory requirements surrounding those laws.
There are four main types of consumer notices that companies are now required to provide. These notices must be easy to read, visible enough to grab the consumer’s attention, accessible to consumers with disabilities, and available in languages that are spoken where an organization regularly conducts business.
- Notice at the time of collection. The use of personal data is allowed for purposes identified at the time of collection only. A company requires explicit consent to use personal data for a new purpose.
- Notice of the right to opt-out of the sale of personal information. Consumers can opt out of having their personal information sold by an organization to another organization.
- Notice of financial incentives. These notices must include a description of the incentive, material terms, how to opt-in, how to withdraw, and why the incentive is permitted by the CCPA.
- Sensitive Personal Information and retention. Under CPRA, businesses must identify whether any collected information may be sold and shared, the categories that sensitive personal information falls under, and the retention period of that information.
The CCPA requires that organizations offer two methods for submitting requests. One of those must reflect how the business primarily interacts with consumers (an online form, or toll-free phone number, for instance). If the interaction is typically offline, a paper form may also be necessary. Put simply, the law was designed to make it easy for consumers to request their data, which puts the onus on businesses to make it easy for consumers as well.
A few additional steps were also added to the 45-day timeline for fulfilling requests, including clarifying that the organization must confirm receipt of an individual’s request within 10 business days, rather than calendar days (the 45-day fulfilment timeline remains calendar days). Now, organizations must:
- Confirm receipt of the request within 10 business days
- Respond to opt-out requests within 15 business days
- Inform third parties to stop selling consumer information within 90 business days
- Maintain request records logs for 2 years
There’s a two-year recordkeeping requirement that follows this—companies need to have a well-documented process for reporting and tracking. That way, when regulators come knocking, there’s a paper-trail that proves you’ve been doing right by the statute.
Businesses will no longer have to respond to requests to know if:
- The business doesn’t maintain the personal information in a searchable or reasonably accessible format
- The information is maintained for legal or compliance purposes
- The business does not sell the information or use it for any commercial purposes
- The business describes to the consumer the categories of records that may contain personal information that meets the earlier conditions
That last point in particular makes it even more critical for companies to develop a granular data inventory that incorporates CPRA’s record retention obligations and harmonizes them with legal hold requirements.
Regulations like the CCPA actually create a greater potential for personal data breaches if the business doesn’t have a tightly-knit process to verify the identity of the requestor. Before a company can give up personal data, it has to be able to verify that the requestor is who they say they are! Otherwise, that’s a boatload of privacy and potential legal issues due to an unintentional compromise of personal data. Therefore, companies must establish, document, and comply with reasonable verification methods.
So what does a reasonable verification method look like? There are a few ways. It could be:
- Based on personal information already maintained
- Existing password-protected account
- Use of a third-party verification service
Businesses should also avoid gathering more personal information during the verification process. The statute is saying that gathering more personal information—an address, Social Security number, or other sensitive information—creates more privacy issues when it comes to verification. So verifying using existing information is ideal. And the more sensitive and voluminous the information, the more rigorous the verification process needs to be.
Data Breach Provisions
As we covered earlier, the CCPA’s data breach fines range from $100 to $750 per individual, depending on the parameters of the incident. Given the scope of some data breaches, a single incident can be severely damaging in both monetary and reputational terms.
Expanded Enforcement Under CPRA
The CPRA increases the CCPA’s fines regarding the collection and sale of children’s information (under the age of 16), and establishes a new enforcement agency with authority to issue fines. The California Privacy Protection Agency (CalPPA) will have administrative authority in enforcing privacy laws.
Expanded Consumer Rights
Additionally, consumer rights were expanded to include the compromise of an individual’s email address in conjunction with a security question or password that would allow access to that person’s account.
Data Retention & Minimization Requirements
With the enactment of the California Privacy Rights Act (CPRA), there are now hard requirements concerning data retention and data minimization: Businesses will now see requirements similar to those that EU businesses face under the General Data Protection Regulation (GDPR).
With the CPRA, data minimization is now codified into law; storing sensitive personal data that no longer serves a business use will be a penalty. The California Attorney General will be able to directly enforce the failure to minimize consumer data, regardless of whether this failure leads to other violations of the law. The CPRA essentially breaks this down two ways:
DATA MINIMIZATION: Under the CPRA, any information collected must be “reasonably necessary and proportionate to either the purposes for which it was collected or another disclosed purpose” similar to the context under which it was collected. The individual’s data can’t be used in another way without notifying and receiving additional consent from the consumer.
RETENTION OBLIGATIONS: Whereas the GDPR made a point to focus on records retention, the CCPA didn’t include rules pertaining to the length of time an individual’s data could be stored. Storing too much data is common (and vastly increases liability surrounding data breaches), but now businesses will have to find a way to focus on establishing and enforcing new data retention standards.
While some businesses were already required to have cybersecurity measures in place, those who are subject to the CPRA now must “implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosures.”
Third Party/Vendor Requirements
The CPRA obligates companies that are contracted by your organization to “provide the same level of privacy protection” required by the law. If the vendor isn’t able to meet its third party obligations under the CPRA for one reason or another, they can let the contracting organization know about it, which will allow the covered business to “take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.” But essentially, third parties aren’t allowed to sell, share, or otherwise disclose personal information for any purpose other than what’s outlined in the contract.
WHY IS DATA RETENTION IMPORTANT?
Upfront, it is cheap to store data. However, when the organization is involved in litigation or, worse yet, a regulatory agency investigation, all of that ESI is now subject to attorney review for responsive documents—an expensive proposition.
Put simply, data you don’t have can’t be breached, and you don’t have to produce it during litigation. Outside of the CPRA requirements pertaining to retention of personal data, there are two other questions to consider:
- Could a demand for all documents pertaining to a specific person expose your organization’s over-retention of personal data?
- Can your organization delete excess data that would help minimize exposure to judicial and regulatory sanctions, as well as civil liability?
Leveraging proven retention methods and enforcement models is the most effective way to dispose of unnecessary records and data, while meeting regulatory obligations to avoid unnecessary risks.
You Can’t Afford to Over-Retain Data
The most egregious CPRA violations will hit companies that have over-retained data, which means that having an enforced data retention and deletion program is no longer optional. Most companies vastly over-retain records and information, and an average of 75% of that information contains some form of personal or sensitive data.
As we covered in the prior section, data retention is now codified into California Privacy law. Organizations now face a much heavier regulatory hammer should they experience a breach; not only will fines add up based on the number of data subjects exposed, but also for retaining data beyond its stated business use. Organizations must be extra diligent to ensure that they've established and are enforcing retention standards that are in line with the CPRA.
Preparing for compliance must be a priority. CPRA preparation reinforces other Legal Governance, Risk and Compliance (GRC) objectives at your business that relate to data privacy and data management.
Use the following checklist to determine whether your business is affected by the CPRA, and to build action items that move the organization toward compliance.
ARE YOU REGULATED BY THE CPRA?
- Does your company’s annual revenue exceed $25 million, and does it store personal information on California consumers or households?
- Does your company buy, sell or share the personal information of 100,000 or more California consumers or households?
- Does your company derive at least 50% of its annual revenue from selling or sharing California consumer information?
If you said “yes” to any of these bullets, you’re regulated by the CPRA.
UPDATES TO DATA MANAGEMENT REQUIREMENTS & DATA DISCLOSURES
Establish whether you store the following data:
- Social Security numbers
- Driver's licenses
- Financial account and login information (such as credit or debit card numbers combined with login credentials)
- Precise geolocation
- Race, ethnicity, religious or philosophical beliefs, or union membership
- Content of non-public communications (mail, emails, text messages, etc.)
- Genetic or biometric data or health information
- Sexual orientation
Ensure the data is used only for disclosed purposes
- Data is used only for purposes for which the user has granted consent
- Data is not used for any other purpose without notification and opt-out capability
- Data other than what is needed for the disclosed purpose is not collected
- Individual elements of data subject information can be restricted if the data subject wishes
Ensure that your business has the capacity to respond to a privacy audit
- Document the processes and the activities you undertake to fulfill your obligations to data subjects exercising their rights over their personal data
- Create a mechanism to report and document these activities
- Document the processes and activities you undertake to fulfill your obligations as a business that collects personal data
- Create a mechanism to report and document these activities
- Can this evidence and documentation be produced on demand for an auditor?
- Assign organizational responsibility for audit response
OPT-IN & OPT-OUT INFORMATION
- You have established “do not sell” opt-outs for each category of data, category of vendor/partner, category of business purpose, and for each person or household
- Your business has enabled opt-outs to stop sharing personal data for behavioral advertising
- Your business has enabled opt-out options for individuals that have already opted in
- You have ensured that consumers under 16 years of age are not asked to opt-in again until at least 12 months after opting out
- Your business identifies any automated decision making that is done based on personal data
- For each decision, you can provide a full explanation of the criteria by which the decision is made to a subject
- Individuals will have the right to individually limit the use of each type of sensitive data for each purpose with each type of third-party partner—and that permission can be revoked at any time. Businesses must be ready to surgically target information from vast data sets, remove it, and verify that third parties are no longer using it.
- The law specifically requires these fine-grained opt-outs for sensitive data.