New laws bring much tougher data protections
The California Consumer Privacy Act and the EU’s General Data Protection Regulation grant more rights to consumers and impose obligations on businesses.
Sweeping data protection laws are in the process of reshaping the landscape for consumer data and rights in the United States. On Jan. 1, 2020, only a couple of months from now, the California Consumer Privacy Act of 2018 (CCPA) will take effect, less than two years after the European Union's General Data Protection Regulation (GDPR) went live. The United States traditionally has had weaker data protection rules for consumers than Europe, but the strong data protections required by the CCPA and GDPR apply to every organization doing business in California or Europe, no matter whether the organization has a physical presence in those locations. This article assists practitioners and business professionals with understanding the new data protection measures required by the CCPA and the GDPR and also provides implementation recommendations for businesses.
CALIFORNIA CONSUMER PRIVACY ACT OF 2018
The CCPA, which was signed into law on June 28, 2018, is the most comprehensive consumer data privacy and protection law in the United States to date. It provides significant new privacy rights for consumers and imposes significant mandatory obligations on businesses. It broadly expands the definition of "personal information" to include any data from which inferences can be drawn to create a profile of a consumer as well as any "information that identifies, relates to, describes, is capable of being associated with, or reasonably could be linked, directly or indirectly, with a particular consumer or household," and "biometric ... geolocation ... audio, electronic, visual, thermal, olfactory, or similar information."
Relying on the express right to privacy contained in the California Constitution, the CCPA grants five new statutory data privacy rights for consumers to:
Know exactly what personal data is being collected;
Know whether their personal data has been shared or disclosed to others and, if so, with whom;
Prevent the transfer of their data to anyone through an opt-out procedure;
Access their personal data anytime; and
Enjoy equal services and prices as other consumers notwithstanding the exercise of their rights under the CCPA.
The following new obligations are imposed on most large entities conducting business transactions or activities in California or collecting data on California residents.
Right to know and data portability
Consumers have the right to make two free requests per year to:
Access all personal information or data that is held or collected by the business;
Receive a copy of that same data; and
Delete their information and data.
Businesses must respond to each request within 45 days and must provide both a toll-free telephone number and a website where consumers can submit their requests.
Right to be forgotten
California consumers have the "right to be forgotten." A consumer's personal data must be erased upon demand both by the business and by any third parties with whom the data has been shared.
Right to prevent the sale of data
Consumers must be given the affirmative ability to opt out from their personal data being sold, transferred, or shared with third parties. Any third parties receiving the data must also provide consumers with the same opportunity to opt out of any further sale, transfer, or sharing of their data. This, of course, impacts all entities storing consumer data with a cloud vendor.
Minor's personal data and consent
Affirmative or "opt-in" consent is required for the transfer or sharing of the data of a minor between the ages of 13 and 16. Affirmative "opt-in" consent from the minor's appropriate guardian or parent is required for those under 13 years of age. Notably, this statutory provision impacts the video gaming industry and exceeds the requirements under the federal Children's Online Privacy Protection Act of 1998 for children between 13 and 16 years of age.
Right to be free from discrimination
As a general rule, the law prohibits businesses from charging different prices or rates, or providing different services, to consumers who exercise their rights under the CCPA. However, the law does permit a business to provide financial incentives to consumers who allow the business to sell their data. Consumers must affirmatively opt in to these financial incentive programs, which also must be described on the entity's "Do Not Sell My Personal Information" webpage. The act declares that any attempt to require a waiver of these rights is void and unenforceable.
The CCPA allows persons who learn of violations of the act to request the state's attorney general to commence a civil action and, if declined, to then file a civil action for penalties.
Enforcement and private rights of action
The CCPA allows enforcement both administratively and through a private right of action brought by consumers. The act allows regulatory enforcement with penalties up to $7,500 per violation. Also, private lawsuits by consumers are allowed for the unauthorized access to "nonencrypted or nonredacted personal information" resulting from a violation of the act's duty to implement and maintain reasonable security procedures and practices to protect data. This provision clearly reinforces the business necessity to encrypt all personal information and data. From a practical standpoint, this statutory obligation read as a whole essentially requires all entities doing business in California, or collecting data on California residents, to now encrypt the personal information collected or held.
To whom it applies
The CCPA applies to any large or national organization doing business in California, collecting information on California residents, or transferring data concerning large numbers of consumers, households, or devices to third parties. This includes any organization with a national website allowing consumers to establish accounts to transact business that then shares the data. The act applies to any entity that is engaged in any activities or transactions within the state and that also meets any of the following conditions:
Has annual gross revenues exceeding $25 million;
Annually transfers for commercial purposes personal information or data relating to 50,000 or more consumers, households, or devices; or
Derives 50% or more of its annual revenue from selling consumer personal information.
GENERAL DATA PROTECTION REGULATION
The GDPR was adopted by the European Parliament in April 2016 but did not go into effect until May 2018. The CCPA and the GDPR are quite similar. The GDPR makes the right to protection of personal data a fundamental right and freedom while providing a framework based on the broad principles that personal data should be accurate, secure, transparent, and obtained with positive and informed consent.
The GDPR also adopts a similar right to know, right to data portability, right to delete or erase (i.e., right to be forgotten), and right to private action, and likewise imposes an affirmative duty on businesses to implement and maintain reasonable security procedures and practices appropriate to the nature of the information collected. The GDPR provides more consumer protection than the CCPA in the areas of affirmative and informed consent, breach notification, and enhanced sanctions for violations. The GDPR further requires some businesses operating in Europe to designate a "data protection officer" for accountability and clear communication. Where these two new laws diverge, the prudent course is to always adopt the more stringent data protection policy so the business will always meet or exceed its legal duties and obligations. Summaries of the GDPR's key provisions follow.
Affirmative and informed consent
The GDPR requires an "opt-in" procedure for the original consent from the consumer that must be verifiable by the collector, stated in clear and plain language, and cannot be bundled with other terms and conditions. Consent must be given by a clear affirmative act establishing a freely given, unambiguous, and informed agreement allowing the processing of the personal information. Consumers also have the right to withdraw their consent at any time. This effectively precludes the use of prechecked boxes (i.e., a consumer must check the box) or any type of implied consent. Parental consent is required to collect personal data from a minor under the age of 16 years — three years older than the similar CCPA provision.
72-hour breach notification
In the event of a breach of personal information, the business must notify the appropriate supervisory authority within 72 hours of the breach. If the breach is likely to cause a high risk of damage to consumers (loss of credit card numbers, passwords, etc.), the business must also notify the consumer without undue delay and in clear and plain language. A safe harbor provision allows for no reporting requirement to the consumer if the information obtained cannot be identified because of technical security measures rendering the data unintelligible to the hacker (i.e., the data is encrypted). This requirement essentially encourages all entities doing business in Europe or collecting data on European residents to now encrypt the personal information collected or held.
Data protection officer
Under specific circumstances, entities must designate a "data protection officer" who has "expert knowledge of data protection law and practices." Businesses covered by the GDPR located outside the EU must designate a representative located within the EU as a point of contact for national supervisory authorities, consumers, and service of legal process.
Sanctions and private rights of action
As with the CCPA, the GDPR provides a private right of action stating that any consumer who has sustained "material or non-material damage as a result of an infringement [of the GDPR] shall have the right to receive compensation from the controller or processor for the damage suffered." The GDPR provides substantially enhanced penalties and sanctions for violations when compared to the maximum $7,500 penalty per violation under the CCPA. Administrative fines for GDPR infringements can reach a maximum of €20 million ($22 million) or up to 4% of annual worldwide revenue, whichever is higher.
To whom it applies
The GDPR applies to any entity: (1) doing business within the EU; (2) offering goods and services to customers within the EU even if the entity is not located in the EU; (3) monitoring or collecting information on the behavior of EU citizens; or (4) targeting EU citizens through marketing.
IMMEDIATE STEPS FOR BUSINESS
Every practitioner and business professional must stay abreast of rapidly changing legal and regulatory changes concerning data security or risk liability resulting from new obligations, shorter deadlines, increased penalties, and new private rights of action. In light of the recent sweeping changes in data protection and security, all entities should consider the recommendations and suggestions in the table, "Steps and Recommendations for All Entities." (For steps individual CPAs can take, see the sidebar, "Recommendations for Accountants").
PROTECTING THE BOTTOM LINE
Good data protection is good business. One need only consider the loss of stock market capitalization and the permanent reputational injury that follows any major cyberbreach. But lawmakers are now providing an additional reason to protect data — civil liability. The first step is identifying the cyber risk in your entity. The suggestions in this article are provided to assist all organizations to assess and address this risk before they run into trouble.
Steps and recommendations for all entities
Recommendations for accountants
Data breaches and cybersecurity threats pose substantial risks to businesses in terms of system and data destruction, data theft, and breach penalties and represent deficiencies in internal control. The California Consumer Privacy Act of 2018 (CCPA) and the European Union’s General Data Protection Regulation (GDPR) both increase the stakes and potential liability for clients. These issues can have consequences for financial reporting and auditing. Auditor responsibility is not yet clear but is receiving increased attention from the SEC, the PCAOB, the U.S. Department of Commerce, and the AICPA. The following recommendations may be useful first steps for public accountants and consultants:
1. Inform clients of the applicability of new consumer data protection laws if the client:
Has annual gross revenues exceeding $25 million;
Transfers data or personal information relating to 50,000 or more consumers, households, or devices; or
50% of more of its annual revenue from selling consumer personal information.
2. For entities subject to the new laws as determined above:
Determine if the client has a process in place to satisfy consumer “right to know” requests within 45 days. Consumers have the right to make two free requests per year to access all personal information or data that is held by the business, receive a copy of the same data, and have the business delete their information and data.
Determine if systems are in place to erase data on demand by the business and third parties and prevent the sale of data.
Determine if systems are in place to obtain “opt-in” consent for consumers between the ages of 13 and 16 and for the parents or guardians of consumers under 13 years of age.
3. Ensure managers and staff are conversant in SEC Release No. 33-10459, Commission Statement and Guidance on Public Company Cybersecurity Disclosures, published in 2018. This statement provides guidance to help companies prepare disclosures about cybersecurity risk and incidents, and stresses the importance of maintaining comprehensive policies and procedures relating to cybersecurity. The PCAOB is also monitoring cybersecurity issues and implications for auditing and sees this area as an evolving risk that requires continued oversight.