The primary requirements and consumer rights granted in the California Consumer Privacy Act of 2018 (CCPA) will likely remain unchanged despite expected amendments prior to its implementation in 2020. As was the case with the European Union’s General Data Protection Regulation (GDPR), which recently turned a year old, waiting for the last minute to implement the CCPA mandates is not an effective strategy. Both regulations can and will have significant repercussions for the ways in which private banks handle customer information, and some multinational firms will have to reconcile each regulation to ensure they remain compliant.
CCPA and GDPR have similarities in many areas, however, the CCPA has some specific requirements that go beyond those found in the GDPR, and the GDPR has some requirements not covered in the CCPA. Significant work may well be required to achieve and maintain a proper level of compliance with each regulation, both from a technology and operational standpoint. But first, organisations must understand each law’s expectations when it comes to protecting consumer privacy.
CCPA and GDPR at a Glance
Passed in June 2018 and subsequently amended, the CCPA is a first-of-its-kind regulation in the United States that gives California consumers greater control over how companies may use their personal information. Specifically, the CCPA empowers consumers with new rights to data access, data deletion, opt out, to know the sources of data and to whom it is sold, and to non-discrimination. The law also imposes new requirements on businesses regarding the collection of children’s and teens’ data.
Even though the law was amended to provide a six-month extension to the California Attorney General to draft and adopt the law’s implementing regulations, it will go into effect on January 1, 2020. The amendment also delayed enforcement by six months after the publication of the implementing regulation. That being said, the law has a 12-month lookback period. Civil penalties range from $2,500 to $7,500 per violation. Furthermore, the law gives consumers private right of action to recover statutory damages of $100 to $750 per breached record for a business’ failure to implement and maintain reasonable security procedures and practices that result in a data breach.
The GDPR, which was enacted in 2018, is a similarly revolutionary piece of legislation. It is aimed at harmonizing data flows between European Union (EU) member states and strengthening the rights of data subjects who are within the borders of the EU at the time of data collection. In furtherance of its goals, the GDPR sets out rules and obligations for both data controllers (companies responsible for determining the purpose and means of processing) and data processors (companies that process the data according to a controller’s instructions) and regulates the way in which they must work together. Unlike older data protection laws, the GDPR specifies that both the controller and the processor may be held liable for damages incurred by data subjects. The GDPR is also similar to the CCPA in that data subjects have several rights relating to their information, including the right of access and the right to erasure. A range of sanctions are possible under the GDPR, including fines up to €20 million or up to 4% of the offending organisation’s annual worldwide revenue, whichever is higher.
Do These Regulations Apply to Your Business?
From the outset, it is important to understand that both the CCPA and the GDPR have extraterritorial application, meaning their obligations apply to companies located outside the state of California and the European Union, respectively. Therefore, a private bank’s physical location is not a jurisdictional defense for noncompliance.
The CCPA is applicable to firms and their business partners if they meet at least one of the thresholds delineated in the regulation. Additionally, due to the sectoral approach to privacy law in the U.S., organisations must also determine whether an exemption or an exception applies. For example, the CCPA does not apply to the following categories of data:
- Publicly available information, which is defined very narrowly
- Medical information governed by California or federal health information privacy laws
- Personal information regulated by the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, or the Driver’s Privacy Protection Act of 1994, with some exceptions
On the other hand, even though the GDPR has some limited exemptions, it is an overarching regulation with expansive reach. Private banks not located within the EU that “envisage offering goods or services” to data subjects within the EU will need to ensure compliance with the GDPR. The Article 29 Working Party, an independent advisory body, has indicated that the mere accessibility of an organisation’s website or contact details to EU data subjects isn’t enough to prompt GDPR applicability and has provided several factors to assist companies in this analysis.
Building an Information Security Program for Defensible Compliance
Since the implementing regulations of the CCPA are yet to be promulgated, it’s vital that organisations take early action and as much as possible, establish initial compliance with sections of the CCPA. Compliance with the GDPR, while daunting, is a clearer undertaking due to the many pieces of guidance released by various data protection authorities over the past year.
Many businesses, including private banks, should review and if necessary, update their policies and processes, including those related to website usage, to ensure compliance with both laws.
Organisations will likely also need to augment their staff with individuals specifically trained to understand and properly respond to consumers’ requests. Many companies are finding that partnering with experts in CCPA/GDPR compliance matters can help minimise the impact of the organisation’s preparatory efforts with current personnel and shorten the length of the project. Areas which can benefit from an independent expert’s insight include assessing current levels of compliance, updating policies and procedures, establishing and implementing new processes, and building new compliance functions to effectively monitor privacy processes in action.
Both regulations have raised awareness for data protection and cybersecurity. Compliance and information security professionals will play an integral role in developing and monitoring the effectiveness of controls that organisations establish to protect consumer privacy. Regardless of whether an organisation hires an expert or undertakes the project alone, it will likely undergo a fundamental transformation to embrace cybersecurity as part of its culture. Notwithstanding the mandates that may result from the anticipated CCPA amendments and the implementing regulation, information security professionals should take steps to address the following:
- Information Security Program
When it comes to information security programs, both laws share significantly similar expectations. The CCPA requires organisations to “implement and maintain reasonable security measures”, whereas the GDPR expects them to “implement appropriate technical and organisational measures.”
Historically, many EU companies have gravitated toward the ISO 27001 information security framework. California has previously endorsed the 20 Critical Security Controls™ from the Center for Internet Security® as minimum reasonable security measures. Whilst both frameworks are widely accepted and designed to protect an organisation’s data and systems, they are not the only ones available today. Whichever risk controls a private bank selects, it must be ready to defend its choice under each regulation. Therefore, initial due diligence and appropriate documentation of the selection rationale are highly recommended.
- Data Mapping and Data Inventory
Having precise knowledge of the data it collects, “processes” (GDPR) or “sells” (CCPA) is the foundation that will enable an organisation to comply with the requirements of each regulation. Recognizing and analyzing the definition of what is considered personal information is the next step in the process. Protected information under the GDPR is any information relating to an “identified or identifiable natural person”. The definition of protected personal information under the CCPA is broader and includes any information that “identifies, relates to, describes, is capable of being associated with, or may reasonably be linked, directly or indirectly, with a particular consumer or household.”
There are many other differences between the data inventory requirements of each regulation that must be considered prior to conducting a successful data mapping exercise. For example, the CCPA applies to data that is held for continuous use (including sale of the data) but does not cover data that is used once and not sold. The GDPR has a special category of sensitive data which requires companies to adopt additional protection measures. At a minimum, private banks will need to identify the specific categories of data elements in their records, sources of data and business purposes when cataloguing the data.
A thorough data inventory will help an organisation to identify gaps in its governance and information security practices, highlight where extra controls or procedural changes are required, and assist in establishing new processes for responding to regulatory inquiries and consumer rights requests.
- Consumer Rights Request Processes
Both the CCPA and GDPR give consumers rights related to, among others, data access and data deletion. Even though the type and scope of each right may be similar, there are several differences in the laws that organisations need to identify and address. For example, under the GDPR, the right to deletion only applies if the request meets certain conditions, whereas the right under the CCPA is broader. Even so, this right is not absolute under either regulation. Consumers with a loan, for example, cannot demand that all records of who owes the money (i.e., them) be erased. Likewise, the rights to disclosure or access are similar under the regulations, but the GDPR allows consumers broader access to their data, whereas the CCPA only requires a written disclosure.
Best practices call for organisations to minimize the consumer-related data they collect and be prepared to justify (operationally) every element of data that is stored. Information security and information technology teams should work with other business units, such as compliance, legal and operations, to establish proper processes that can effectively address consumer requests under each regulation.
- Deidentification, Anonymization and Pseudonymization of Personal Information
Both regulations address a company’s opportunity to “deidentify” (CCPA) or “anonymise” (GDPR) personal information – GDPR promotes this, whilst it is currently only an optional strategy for compliance with the CCPA. True deidentification and anonymization is an extremely high bar and will require companies to implement technical controls to ensure the information cannot be re-identified. The GDPR also allows for data pseudonymization, which means that data cannot be linked back to a particular consumer without additional information. Pseudonymized data is still considered personal data, whereas deidentified and anonymized data are not.
Information security professionals can assist senior management in determining whether implementing deidentification, anonymization and/or pseudonymization steps will be feasible for the business.