02 Aug 2018

Is Your Business in Scope for the California Consumer Privacy Act?


August 1st, 2018
Adam Stone, Principal and Chief Privacy Officer

Just as business leaders started acclimating to the data privacy requirements in the EU’s General Data Protection Regulation (GDPR), along comes a new and similarly robust privacy law from the Golden State. Passed with impressive velocity and signed by Governor Jerry Brown on June 28, the California Consumer Privacy Act of 2018 (CaCPA, or “kak-pah”) raises the data privacy bar for businesses that profit from or otherwise collect, use and share personal information about California residents. In a borderless digital economy, where a business is domiciled no longer matters. The extraterritorial reach of CaCPA means that businesses of all sizes, located anywhere, may fall under the statute if they do business in California and handle Californians’ personal information. And who doesn’t nowadays?

Long the policy vanguard for data privacy, California generally sets the tone for the rest of the country. Many privacy experts believe that, once CaCPA takes effect, it will move organizations (especially tech-focused firms) towards a data protection regime similar to GDPR. Operating from the constitutional position that Californians enjoy an inalienable right to privacy, CaCPA enshrines several of the same rights that GDPR does for those in the EU. These include a right to be informed about what personal information is collected and why; a right to opt out of the sale of personal information; a right to access and to request deletion of personal information; and a right to exercise these privileges without being discriminated against for doing so.

If history is a guide, the state will take an aggressive stance on enforcement after the law’s January 1, 2020 effective date.

Though CaCPA covers the activities of a significant number of organizations across the US, some businesses can count themselves out of the statute’s scope. To do this, business leaders should conduct a scoping test based on the carve-outs defined in CaCPA. Here is a helpful decision-flow chart for this purpose.

In plain language, the decision flow above points to for-profit businesses that collect, process, use, share, and retain personal information about California consumers. To fall within scope, such a business must also meet at least one threshold for annual revenue or for the breadth of its processing of personal information. If the answer to any one of the three questions below is “yes,” organizational leaders should assume that the business is in scope of CaCPA.

  • Do we have annual gross revenues in excess of $25 million?
  • Do we, alone or in combination, annually buy, receive for commercial purposes, sell, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices?
  • Do we derive 50% or more of our annual revenues from selling consumers’ personal information?

With an affirmative answer to the decision flow above, business leaders should begin reviewing their business processes to ensure compliance with CaCPA on or before the effective date. As the date draws near, expect to find numerous articles and resources for deciphering CaCPA and implementing its requirements. For business leaders seeking an early edge on the competition, hire an outside expert who can help efficiently operationalize a CaCPA-compliant data privacy program.

Adam Stone is Principal Consultant and Chief Privacy Officer for Minneapolis, MN based Secure Digital Solutions (SDS). With a focus in data protection, SDS provides expert guidance in building and maintaining programs that align with the needs of the business. Our team of seasoned professionals offers a rigorous approach to improving privacy and security management processes. We seek opportunities to improve performance and demonstrate meaningful results. Contact our professionals today at (952) 544-0234 or info@trustsds.com.

25 Jul 2018

Uncertainty of Privacy Shield

July 24th, 2018
By Adam Stone, Principal and Chief Privacy Officer

While many in the United States were recovering from summer vacations and fireworks displays, the European Parliament passed a non-binding resolution that could lead to the suspension of the EU-U.S. Privacy Shield Framework. For the 3000+ organizations participating in Privacy Shield, this resolution may have a profound impact on the way firms conduct business in the EU. If the Europeans follow through on their threat to suspend Privacy Shield after the first of September 2018, participants may need to scramble for an alternative mechanism for lawful transfers of personal data from the EU, lest they run afoul of the General Data Protection Regulation (GDPR).

Such uncertainty can’t be good for business. The US enjoys a top ranking among the EU’s trading partners with $1.1 trillion in annual bilateral trade. The threat of suspending or invalidating Privacy Shield creates fresh anxiety for senior executives whose firms rely on the digital and global economy to prosper.

Disappointingly, companies interested in learning about Privacy Shield will find, on the privacyshield.gov site, no mention of the dispute or its potential ramifications for participants. The relative lack of interest in this topic means that fewer news outlets will pick it up. This summer’s Privacy Shield developments have also been drowned out by the passage of the California Consumer Privacy Act of 2018.

Thus far, it seems that the only public statement coming from the Department of Commerce (Privacy Shield’s oversight body) is a July 17 meeting recap claiming a “productive discussion” between the European Parliament’s LIBE Committee and senior US officials from the National Economic Council, the Departments of Justice, Commerce and State, and the Office of the Director of National Intelligence. The released statement includes a document blandly summarizing US responses to many of the EU’s long list of grievances. What the press release lacked was a clear signal about next steps. Instead, we must wait to see what comes of these negotiations in coming weeks.

The ongoing tariff dispute between the US and EU degrades public confidence in the future of the Privacy Shield program. The current “misunderstanding” between the parties may lead to a protracted argument. As happened with the Safe Harbor program before it, Privacy Shield’s “adequacy” status under GDPR Article 45 could be suspended or invalidated. The result of such a decision would mean that the sides must regroup and come to consensus on a new data protection accord. Just as privacy practitioners experienced a few years ago, the lengthy limbo period between old and new will lead to much frustration among business leaders.

Some argue that the EU’s recent threat is a strictly punitive measure in the face of a zero-sum game. Others note that Europe’s concerns stem from a view that the Privacy Shield program – like its predecessor – does not deliver on promises to enforce data privacy practices among participants. These issues magnify the culture clash that emerges from different histories and sociopolitical perspectives on national security, foreign intelligence gathering post-9/11, and the role of privacy as a fundamental right.

If the Privacy Shield is Suspended, What Options Remain for US Companies?

From a legal perspective, GDPR Articles 46 and 49 offer several alternatives for lawful transfers of personal data from the EU to US. These alternatives may lead to new operational challenges for privacy leaders. Add to this the hassle of dismantling a Privacy Shield-focused compliance program and starting anew (this activity is almost always an unbudgeted expense). Regardless, organizations may need to pivot to one or more of the following mechanisms:

  • Explicit Consent: Improves awareness through greater transparency; May not be appropriate for every type of business transaction.
  • Binding Corporate Rules (BCRs): Complex and expensive; Appropriate for the largest multi-national companies.
  • Standard Data Protection Clauses: Requires contract negotiations with each trading partner; Adds to firms’ contract management challenges.
  • Participation in an approved industry Code of Conduct: Limited to certain industries, such as pharmaceuticals, digital advertising and marketing.
  • Demonstrated compliance with an approved Certification program: Also limited; with uncertainty about which certifications meet EU standards for data protection.
  • Derogations (Exemptions) for Specific Situations: Promising alternative for some companies; Intended for occasional, non-repetitive transfers rather than routine data flows, and requires documented review and business justification for each use.

Which option above is best for your organization? Privacy experts will probably respond with a lawyerly “it depends.” It depends on myriad factors unique to each business function and process. It depends on an understanding of risk appetite balanced with organizational values and goals. In short, the suspension of Privacy Shield may require some to go back to the drawing board to develop new data protection solutions to meet the challenge of transatlantic data flows.

Adam Stone is Principal Consultant and Chief Privacy Officer for Twin Cities-based Secure Digital Solutions (SDS). With a focus in data protection, SDS provides expert guidance in building and maintaining programs that align with the needs of the business. Our team of seasoned professionals offers a rigorous approach to improving privacy and security management processes. We seek opportunities to improve performance and demonstrate meaningful results. Contact our professionals today at (952) 544-0234 or info@trustsds.com.