By Tsutomu Johnson

Each new year brings new data breaches that affect a growing number of people. Some of the largest data breaches in history occurred during 2017 and 2018. Equifax lost information belonging to 148 million people. Facebook lost more than 87 million records by providing information to Cambridge Analytica and Marriott Starwood Hotels lost information belonging to 500 million people.

In response, U.S. Senators Marco Rubio and Ron Wyden proposed broad privacy legislation. Problematically, Congress has failed to reach consensus on privacy and has been slow to pass meaningful legislation. In the shadow of Congress’ inaction, state legislatures have enacted their own privacy laws. During 2018, California passed the California Consumer Privacy Act (CCPA) and Ohio passed the Data Protection Act (DPA). During 2019, Utah’s, Oregon’s and Washington’s state legislatures proposed privacy legislation.

The labyrinth of privacy regulations can make it difficult to understand how to determine an organization’s obligations, much less comply with those obligations. In this article, I focus on the CCPA and how companies should address their privacy obligations.

The CCPA is based on the premise that companies must inform consumers how and why they gather personal information. To achieve that goal, the CCPA requires companies to post a public notice explaining the following:
1. Why the company is gathering personal information
2. What the company does with that information
3. Whether the company shares that information with third parties
4. Whether personal information is being used for a company purpose or being sold to third parties
5. What the company does to protect personal information
6. What rights, if any, a consumer has regarding the processing of personal information
7. How to contact the company about the handling of personal information

The CCPA provides California consumers with four rights:
1. The right to access personal information
2. The right to company disclosure of personal information
3. The right to delete information
4. The right to restrict the sale of consumer information

Regarding access, companies must provide information listed in the privacy notice as well as provide information to consumers upon request. When a consumer requests company disclosure of all information the company has gathered about the consumer, the company must account for all information gathered about the consumer for the 12-month period prior to the request. Companies must also provide requested information in a common electronic format within 45 days of the request.

Many companies are concerned about the right to delete or restrict personal information as it triggers an obligation to remove or restrict personal information from the company’s network as well as partners’ networks to whom the information was sent. There are, however, exceptions to those rights. Consumers cannot ask companies to delete or restrict processing when personal information is needed to perform a contract between the company and the consumer.

To inspire compliance with the CCPA, the law grants consumers an individual right to file lawsuits against companies that fail to secure information. By statute, a consumer who is suing a company can request between $100 and $750. Alone, these numbers are small, but there will likely be a flood of class-action suits against companies that do not comply with the CCPA. Under a class action, a relatively minute data breach of 1,000 consumers could cost a company between $100,000 and $750,000. Given these privacy obligations, what steps should a company take to address the CCPA? At a minimum, companies need to draft policies and procedures explaining how the company governs personal information, preserves privacy, allows consumers to exercise their rights and monitors their privacy objectives.

To provide governance, a designated executive should provide regular reports to the board about security assessment results, progress addressing security matters, audits of the security system, privacy and security awareness campaigns and data breach incidents. Executives and board members should have an opportunity to review these items, recommend solutions and communicate regular privacy directives to employees. To fulfill duty of care, executives and board members must reasonably address privacy and security issues raised during these meetings. If executives and board members fail to hold these meetings, they may breach their fiduciary obligations to the company.

Companies should also post clearly-written privacy notices explaining how an organization gathers information, why the organization gathers that information, business partners who receive that information, an explanation of consumers’ rights and contact information that enables consumers to reach the individual at the company responsible for privacy.

About Tsutomu Johnson
Tsutomu Johnson is Of Counsel at Parsons Behle & Latimer where he co-developed GDPRIQ, an application that helps organizations comply with a majority of the GDPR’s regulations.