9/28/18 - California Takes the Privacy Baton from Europe (with a US Twist)

California enacted the California Consumer Privacy Act of 2018 on June 28 and adopted a set of amendments to the law in September. CaCPA, which becomes effective on Jan. 1, 2020, includes numerous new and expanded privacy requirements and obligations for businesses, making it the most comprehensive state privacy law in the United States. While CaCPA shares many themes and similarities with the recently passed European General Data Protection Regulation, it is very much a U.S. privacy law, grounded in notice, choice, and opt-out sharing restrictions. Nevertheless, lessons learned from GDPR implementation will assist many businesses with CaCPA compliance.

CaCPA was fast-tracked to preempt a similar ballot initiative, has already been amended, and will likely continue to be modified over the next 18 months. In addition, the California attorney general may release further guidance to clarify some of the provisions. Other U.S. states will likely use CaCPA as a framework to enhance their privacy protections, similar to how other states adopted data-breach notice laws following California’s lead. Given the depth and breadth of CaCPA, businesses should review the new requirements and begin preparation for compliance.

The California attorney general is responsible for CaCPA enforcement. For certain violations related to a business’s duty to implement and maintain reasonable security procedures, statutory damages of between $100 and $750 per consumer per incident or actual damages apply, whichever is greater, in addition to the opportunity to pursue a private right of action. For general violations of CaCPA, there is a 30-day “cure” period, after which the California attorney general may bring a civil action that carries penalties of up to $2,500 per violation. When an intentional violation occurs, penalties can be up to $7,500 per violation. Further analysis is needed to understand when and how these penalties apply, as well as how they interact with one another.

Because California is the most populous U.S. state and the fifth-largest global economy, it may not be practical for businesses to segregate and hold only California residents’ personal information to a higher privacy standard. As such, many businesses will need to review and update their U.S. or global privacy programs and capabilities to be ready for compliance by 2020.

Of the many lessons learned from the last two years of GDPR implementation efforts, the following three are particularly relevant to businesses as they begin their CaCPA compliance efforts:

Lesson One: Establish clear leadership, governance, and key-stakeholder engagement now. Given the depth and breadth of CaCPA, companies should review the new requirements and begin preparations for compliance sooner rather than later. By and large, companies that succeeded with GDPR implementation identified appropriate senior sponsorship, established appropriate governance, and identified and included the right set of stakeholders — including business, privacy, technology, operations, data-strategy, and legal-team participants — prior to commencing project work. Furthermore, establishing and maintaining an appropriately coordinated global privacy framework and program, including appropriate escalation and reporting channels and routines for updating senior management and boards, will be critical.

Lesson Two: Allocate sufficient time and resources to document records-of-processing activities. While CaCPA does not have a records-of-data-processing requirement, comprehensive data-process documentation throughout the organization, such as data mapping, will be foundational to CaCPA compliance efforts. For example, data-process documentation would support accurate privacy-notice content, data-access requests, and data-sharing controls, and would also help establish a mature structure for data governance. Poor records-of-data-processing initiatives often require numerous revisions that waste critical time and resources, so businesses that are GDPR compliant should consider leveraging their existing GDPR frameworks to meet CaCPA requirements. Businesses that are not subject to GDPR (or that applied compliance initiatives to European data only) should consider developing a records-of-data-processing strategy and documentation framework prior to beginning CaCPA compliance efforts.

Lesson Three: Develop risk-tolerance and risk-acceptance criteria as soon as possible to ensure the most critical areas are addressed by the compliance deadline. During GDPR implementation, some businesses rushed to tackle every aspect of the regulation at once, only to realize months later that key resources and time could have been better spent on critical core items. Developing a sound and usable risk-based approach will require an assessment of key business processes, CaCPA requirements, and the business’s risk tolerance. While compliance is required for all areas, businesses should focus on certain key areas to ensure comprehensive remediation.

In addition to specific provisions covering broad privacy themes, such as notice, choice, sharing, portability, information security, and deletion, CaCPA also includes provisions that prohibit businesses from discriminating against consumers based on their exercise of any CaCPA rights. However, CaCPA also allows companies to value personal information and charge for different levels of services. While these sections will require further review and interpretation, they could spur markets for personal information and new, innovative business models.

Another area that will need more consideration and analysis is the interrelation of CaCPA with other laws. CaCPA contains certain exemptions for information protected under existing laws, including the U.S. Health Insurance Portability and Accountability Act, the Confidentiality of Medical Information Act, clinical trial data subject to the Federal Policy for the Protection of Human Subjects, the U.S. Gramm-Leach-Bliley Act, the Driver’s Privacy Protection Act, and the California Financial Information Privacy Act. Health institutions and financial institutions will need to perform a thorough analysis of CaCPA in parallel with existing laws to identify areas that extend or add new requirements and obligations. Notice and choice processes established to meet other U.S. or California privacy requirements could be leveraged for CaCPA compliance.

How Promontory Can Help

CaCPA will certainly be the subject of more commentary, analysis, and guidance over the next 18 months. Our consultants, who possess deep industry knowledge and regulatory expertise, have the skills and experience to assist organizations in mitigating the operational impacts of CaCPA while achieving compliance, including by leveraging current and past GDPR efforts. Promontory, an IBM Company, has been at the forefront of privacy consulting since 2010, and we have developed and fine-tuned our service offerings through our work with some of the world’s largest and most prestigious firms.

In addition, as part of IBM, we have experience helping firms integrate technology into their privacy-risk management frameworks. We can help organizations assess innovative technologies — such as IBM Watson's machine-learning capabilities — and leverage those technologies as they come to fruition to support better analysis and decision-making.
