Episode 10: Understanding the New California Privacy Rights Act

Transcript:

Bill Tolson:

Welcome to the Information Management 360 podcast. This week's episode is titled "Understanding the New California Privacy Rights Act," otherwise known as the CPRA. My name is Bill Tolson and I'm the Vice President of Compliance and eDiscovery at Archive360 with me today is Jodi Daniels, founder and CEO of Red Clover Advisors. Jodi, do you want to give us a brief description of Red Clover Advisors?

Jodi Daniels:

Absolutely. Well, first thank you so much for having me, I'm really excited to be here today. Red Clover Advisors is a boutique data, privacy consultancy. We're all about helping companies comply with laws like CPRA, CCPA, GDPR, basically a law that has four letters, or maybe five, and all about simplifying privacy practices. We also serve as a fractional privacy office for companies who really don't need a full-time privacy person, but they need more than zero.

Bill Tolson:

Wow, that's great! That's great. Okay. Well, let's get into the discussion around the CPRA and maybe preparing for it. I'll kick it off with some background. Back in May, of 2018, the EU kicked off what I refer to as the modern day privacy movement, by implementing the GDPR, or General Data Protection regulations. Quickly after that, and by quickly I mean they created it, but it didn't come into effect until 2020, the state of California implemented their own privacy regulation, otherwise known as the California Consumer Privacy Act, or the CCPA, which like the GDPR had a global reach. However, before the CCPA even became law in 2020, California was already working on a new data privacy law called the California Public Records Act, or the CPRA, which was approved in November, of 2020, and it will take effect, I think in January 1st, 2023. Jodi and I'll be discussing the CPRA in today's podcast, so with that in mind, Jodi, a question I often get is what is the CPRA, and how is it related to the CCPA?

Jodi Daniels:

Absolutely, it's a great question! CPRA, the best way to think about it is CCPA was the first, most comprehensive state privacy law, that we have here in United States, and it had a variety of holes in it. We could have a cocktail conversation about all of those, and so if you fast forward, CPRA is meant to help close some of those and also strengthen the loss, so it brings it a little bit closer to GDPR in some respects. If you had a scale of one to 10 and 10 being GDPR, and one being every other state that had nothing, CCPA in my view, very unscientific assessment here, put it like a five, and so CPRA moves it more to maybe a seven. So, we moved upstream, not quite to GDPR. CCPA is a bit of the foundation and the bench line, and CPRA sits a little bit on top.

Jodi Daniels:

Some people are saying, "Well, will CCPA go away?" I don't think it's going to go away. Most people really anticipate that they're going to work together, but effectively speaking, you need to look at what CPRA is. It defines the definition of what personal information is. It expands upon what we had before with CCPA, and we're going to talk in more detail about some of those different requirements, so, that's a bit of the relationship between the two different laws. I think going forward, we're going to fast forward to probably two years from now, or January 2023, we're going to just be talking about CPRA, and CCPA will, in my view, be absolved into it.

Bill Tolson:

So the CPRA doesn't necessarily, right off the bat, invalidate the CCPA, or supersede it legally.

Jodi Daniels:

It absorbs it.

Bill Tolson:

Okay, okay.

Jodi Daniels:

So, for example, CCPA applies to companies, one of the criteria is if they're essentially collecting, processing, selling, buying, sharing data on 50,000 residents, households, I guess it's individuals' devices or households, CPRA raises that number to 100,000, so the 50,000 is gone and now it elevates it to 100,000. So, that's a bit of an example of it sits on top, it's the base of what CCPA is, plus a bunch of other things.

Bill Tolson:

Okay. As I recall, and tell me if I'm wrong, but as I recall, I read stories that the CCPA, the one that went into effect 2020, was rushed through the legislature, because they wanted to get the governor to sign it before he left office, and that they left out some stuff later, that they tried to amend into it, and then they started working on the CPRA to just do maybe a greater superset.

Jodi Daniels:

Well, so I've heard a little bit different, but what you shared could be true. What I've heard is a little bit of the history of CCPA really emanated from individuals. It wasn't politically driven from the California legislature, and there was a proposal to be on the ballot, and then you had a variety of companies and a backlash of, "No, we don't want a law on the ballot," and so that was a bit of the pressure to create a law that would now require the potential valid initiative, to be removed, and then hence, that is how you got a very quickly put together law, and it was then removed from the ballot. However, because the law removed a variety of pieces, that were originally in scope, and there was so much confusion as it was also very quickly put together, then CPRA, for those who don't know, was actually a ballot initiative that was passed by California voters in, November 2020.

Bill Tolson:

Yeah. That was ballot initiative number 24, as I recall something like that. Okay, so the CPRA, and you've already touched on this, added some additional requirements, other things too, to the CCPA. I notice in reading the law, that there's a new enforcement agency that was actually created versus under the CCPA was basically the AG's office that was responsible. Is that correct?

Jodi Daniels:

That is correct, and that was actually one of the original intents is the preference to always have an individual body, a separate group, that was going to be the ones responsible for enforcement.

Bill Tolson:

Yeah, and I know there was some, I wouldn't say controversy, but some discussion in the press around all the fines being paid to the California AG's office, and not really disseminated much around. I think they're referring to it as the "New California Tax" more than anything else, but for the CPRA did they change the fines at all, or did they leave those alone?

Jodi Daniels:

I believe they're the same. I don't think there's been a whole lot of changes.

Bill Tolson:

Okay, and they were sizable though, and-[crosstalk 00:07:55].

Jodi Daniels:

There's some new fines, if you have children's data. So for-

Bill Tolson:

Oh, that's right.

Jodi Daniels:

-anyone who processes children's data that there's just no room for error on that one.

Bill Tolson:

Yeah, and I think the CCPA fines were sizable when looking at the totality of reach, or something. I think the maximum penalty was $7,500, but that was per violation, meaning per record, right?

Jodi Daniels:

That's right, it is per record.

Bill Tolson:

So, if you're talking about 100,000 records, you're talking about "real money" as the Congress says.

Jodi Daniels:

Yes.

Bill Tolson:

So the CPRA, one of my questions, and I think you've already answered it, one of my questions was, does the CPRA still include the right to be forgotten, which is one of those rights that people acknowledged very quickly with the GDPR and the CCPA, and I think you said it really doesn't, it doesn't invalidate the seat CCPA, so it's still there, right?

Jodi Daniels:

It's absolutely still there, and it actually adds more additional rights, or individual rights, I can't speak today. So, we certainly didn't take any way, instead we added, and that's one of the places where we strengthened towards a GDPR-like law. So, for example, the right to correct information is now an individual right. If you have my name, Jodi Daniels, and I think it's wrong, then I have the right to change the type of information that you have, so that's one example. Very specifically, the right to data portability, is also a right.

Bill Tolson:

And like we said, you still have the right to say, "Get rid of it," if there's no regulatory, or legal law, that says the collector has to keep it, and I think that I've heard it referred to as an absolute right. And when we're looking at computer storage and data archiving and backups and all kinds of stuff, we've gotten into these discussions... I've talked on GDPR with European law firms and stuff on this, around this absolute right, and it really comes down to, if you get a request to delete personal information, is it an absolute right? Meaning all references to that data subjects, personal information must be removed. It must be deleted and obviously never used again.

Bill Tolson:

But then you get into the issues around, well that PI might be sitting on backup tapes, in Iron Mountain, somewhere, they could be spread around the enterprise in different files, and in my reading of the law and the law is somewhat bold, all the laws are somewhat vague in this, when they say, "You must delete the information," they don't take into account the duplications, and the backups, and all of this kind of stuff. Do you have any thought on that, or is it... I've also heard lawyers say, "Well, it's being able to document that you made a good faith effort to follow the law." Does that sound right?

Jodi Daniels:

There's truth to both of those. The technical answer is it's supposed to be deleted in all places, presuming that you need to honor it. There are a few exceptions to the deletion requirement, and if you're going to delete it, it doesn't necessarily mean, well, you just deleted it in one place. It is, in theory, supposed to be deleted in all the others, and at the same time, there's practicality. You can't necessarily delete an entire backup because of one person's name, then you might erase everything else in the backup, so in the United States, we have the ability to balance it a little bit more and certainly the idea of showing good faith effort.

Bill Tolson:

Yeah. That's a great point. I wrote a paper around the idea of backups and the Rights privacy and those kinds of things and what it would cost, to actually remove just a single data subject PI from a backup tape. It is doable, but it is very expensive, so one of the things we have talked about with lawyers and law firms and stuff is this idea of that the request is put into queue, meaning the next time a given backup tape is accessed, then that data subject's personal information must be removed from it, but until the next time it's accessed, it's considered out of bounds and not in play. I think that's just an opinion by lots of people, so I think until, especially the EU for GDPR, but also California is able to set a precedent on this, it's going to be kind of an open question.

Jodi Daniels:

For sure, for sure.

Bill Tolson:

So, we've talked about in the past, both with GDPR and CCPA, and now I think the CPRA, includes something called the private right of action. Can you explain what that means?

Jodi Daniels:

Yes. The private right of action is where an individual can file, essentially a complaint and a lawsuit, against a company for not complying with a certain situation, so, here, we're going to have data subjects. So it's the concept of private right of action, and why I described it as such is because in so many other state laws that have been introduced, they're looking for a private right of action, some way that an individual can have the ability for damages, if the company violated one of its privacy obligations. In CCPA/CPRA, that private right of action really lends itself to the idea of a data breach, and it needs to be a data breach where the data was not encrypted and not redacted, and in those situations, then an individual can file an individual private right of action, which in the United States being very litigious society ends up turning into essentially a class action lawsuit.

Jodi Daniels:

We have, being in such a litigious society, a variety of attorneys who are waiting to pounce on these types of situations. It will be interesting to see how it plays out. There's a hundred plus different CCPA related suits. People have tried to extend the private right of action, in a variety of other places, and most of those continue to not come to fruition. So, it'll be interesting to kind of see what continues to happen, and the other interesting piece we'll need more cases to determine the precedent, but generally, what I've seen so far, is that the data incident needed to have taken place once CCPA was effective. So, that would be January 1st, 2020, or forward, as opposed to backward, like maybe you just learned about the issue, but they actually got data, or came in years ago. Some people have been trying to file a lawsuit in that situation, and the ones I've seen to date have not passed. Again, that doesn't mean that it won't in the future, but that's what I've seen so far.

Bill Tolson:

It just takes the right judge, right?

Jodi Daniels:

It depends, and qualified qualifier.

Bill Tolson:

Well, one of the other interesting things about the CCPA and now I think the CPRA, is this idea of presumed damages, meaning that if a breach occurred, say with CCPA/CPRA, the affected data subject doesn't have to show actual damages, the California attorney General's office assumes damages and can start applying fines to the data collector/data processor immediately. Is that correct?

Jodi Daniels:

I believe that to be a true statement, but I would need to defer to my privacy attorney data breach friends on that one.

Bill Tolson:

Sure. Yeah, and I've talked to my general counsel about that as well. I don't think presumed damages are included in the GDPR, but in the CCPA, and now the CPRA, that is something that basically says, "if the act of a breach actually occurred, then the authorities can presume damages and the individual data subjects don't have to prove actual damages," which I think actually speeds up the process, and I think puts data collectors and data processors more on notice that, you're not going to stall somebody for years, having them show damages. The fact that a system was breached, you can infer that, which I think is an interesting, legal concept, and I know there's been a lot of argument around it. Tied to that, and you mentioned CCPA- God I'm getting all these acronyms messed up now- went into effect January 1st, 2020, one of the other things it had involved, and it was a so-called look-back provision, and I think that talks about a period before it goes into effect, what data collectors and data processors had to be prepared to do with the data. Do you know about that?

Jodi Daniels:

I do, essentially when January 1st, 2023 comes around, and I want to go and make an individual rights request, it's going to be for the 12 months prior, which will take me back to January 1st, 2022. So, that 12 month look back period, the company is going to need to be able to honor my request to do so. It's going to need to know where all of my data is, what I'm doing with it, how I'm processing it, so that's a bit of that look back period is, being able to understand everything that's happening, and being able to honor that request literally on day one of January 1st, 2023, and if you were to delete it's the 12 months, going backwards.

Bill Tolson:

Yeah, now, that's a great way to explain it. It's not that they can apply fines going a year prior, presumably, but it's that data collectors and data processors have to be able to react to a data subjects request on, "What data do you have of me? Where is it being stored? I want it to be deleted." They have to be able to go back though those 12 months, so that's the look back from January 1st, 2023. Still starting on January 1st, 2022, they should be having those processes in place, so, on that next day, they can actually look back and react to those requests.

Jodi Daniels:

Exactly.

Bill Tolson:

Okay. One question that I get asked a lot, and I know you don't have the answer to this, but I know it'd be an interesting opinion. In the United States, we have these states' privacy laws that are just popping up all over the place, I think the latest one was Virginia, but you can foresee in the next year or two, the majority of the states having California-like privacy laws, what do you think the chances are by 2022 that the federal authorities, the Congress, will have issued a America-wide privacy policy that would hopefully supersede the states, so that companies would only have to follow one versus 51, 52, 53.

Jodi Daniels:

I get this question all the time.

Bill Tolson:

Yeah.

Jodi Daniels:

And my personal belief is, we will not have a privacy law in 2022, I'd pretty surprised if we had a privacy law in 2023, I think in time there might be a privacy law. It's just so complex. We have, what's called a sectorial privacy approach here, where we have the state laws, we also already have a variety of federal privacy laws, we have HIPAA, and canned spam, and TCPA, and a variety if you're in the communication space, GLBA for financial, the state laws are excluding pieces of those laws. So will federal law just kind of be those? Will it, again, be a slice of the pie? Will the state be able to go on top of the federal? There's so many different questions, and I think it's just a very complex situation, and how long everything takes to come to consensus, I personally believe the likelihood is low. However, you never know. I always say throw a political dart, because either side could magically do something.

Bill Tolson:

Yeah. I think I tend to agree with you. I don't see the feds putting something out anytime in the near future, so I think companies are basically looking at having to deal with all of these new state laws that are propping up for the next several years, and as a person in a company that works with large amounts of data, I feel really sorry for those data collectors that are relying on this PI to make revenue. It's just one of those things it's going to be... I think you're going to have to take the worst of the lot, meaning the most strict and say, "Okay, we'll meet that one." And by deference, the rest of it will have been meant. Yeah, it's going to be interesting, but Jodi, I know, and I've read a lot of your stuff, one of the things that you've done here, lately, is you've created a really fantastic CPRA to-do list for companies, to prepare for the effective date of January 1st, 2023 for the CPRA. Can you walk us through that?

Jodi Daniels:

Absolutely. I think planning in advance is going to be critical, and while we're talking about CPRA today, we could talk about the Virginia law, which is also going to be very similar in some respects, so the planning that you're doing here, know that it's going to help you for other states as well, and the first part is literally planning who is going to be anointed, the privacy person/leader/project-holder in your company, and if you don't have one, you need to find one soon, and partner with someone who is going to be well-versed in privacy.

Jodi Daniels:

Then you need to really have a team, because people always ask, "Well, where should privacy sit in the organization?" And I actually always love asking others, "where does privacy reside?" The answer is always different. It is sometimes in legal, because it starts with a law. At the same time, privacy and security are intertwined, so sometimes the security teams own it. For companies that do a lot of marketing, the marketing person might own it, and sometimes risk and compliance organizations own it as well.

Jodi Daniels:

And truly it's a cross-functional effort, regardless of who owns it, you need everybody else to play well together in the sandbox, so you really have to make sure that you've created a cross-functional team, even if you're a small organization, it's still going to involve all, all hands on deck and then you really need to figure out what data you have, and depending on the volume of data, how complex the organization is, you're also going to want to think about how will you manage this, meaning, "Do you need any software or tools? Do you need any outsource resources like consultants or attorneys? Do you need risk assessments? Are you going to manage this literally in Google Sheets? In Excel?" So, there's a variety of softwares on the market, a variety of people who can help, so you need to think about what will work for your organization, because knowing the data is going to be the very first step.

Bill Tolson:

Well, and that's one of the biggest problems in our issues, challenges, in my mind is, knowing what data the organization has and where it is. I still, to this day, I find very smart people, falling back on the old idea of we have an enterprise content management system. That's where we keep all of our records, so that's where we'll check, and number one that's a fallacy, but it's also a huge risk, because PII, for example, can exist anywhere. What can be on Teams, Notes, parts of Teams chats, and PowerPoint slides, hopefully not, but in Word documents, and emails and attachments spread all over the system, so a company really needs to know what those data systems are, and where they are, and do they archive, and if you have to do a data subject, or erasure request, are you going to hit all of those areas?

Bill Tolson:

Or are you just going to go to the ECM system and say, "Well, I got it out of here," Then the other issue is, based on the analyst that I've talked to, up to 80% of all organizational data is sitting on employee-controlled laptops and stuff, and if you get a right, a request for erasure, can you go to those thousands of laptops, or workstations, or removable media, and find that stuff? And obviously the answer is no. So, that really brings up this idea of data control, knowing where this sensitive data can be put, and stopping it from going into all of these places, I think would make a person like you, their job a lot easier when you're consulting with a company to go do a data map or something like that, to know where all this data is.

Jodi Daniels:

Yes, and one of the big pieces for knowing the data is under CPRA. There's a new category introduced called "sensitive data," so companies are going to need to know, do they collect any of the sensitive data that's included, and there's an individual right to be able to say, "you got to stop processing my sensitive data in that capacity." So, if you collected my social security number for one purpose, and now you want to use my social security number for a different purpose, I have the right to opt out of that secondary purpose, and there are additional requirements for protecting it and disclosing it in a privacy notice, so you can't do any of those things, if you have no idea what you have and what systems it's in and why you're using it. So, it's not only a systems-based approach of what data you have in what system it's in, you have to understand the business purpose for why you're using it, because that shows up in the creation and update of the privacy notice, as well as even the ability to honor individual rights.

Jodi Daniels:

Well, that's absolutely right on, and I think that's one of the biggest benefits of these privacy requirements, is it's forcing companies into putting a more formal information management process in place, so that they can eventually get control of all of their data versus just a record. So when, like what you just said, a request to know about PI or to delete it, or whatever else, if you're controlling all of your information, then you can respond. If you're not, then obviously your liability goes way up.

Jodi Daniels:

You're absolutely right, and some of the other things that you want to be doing that, starting with that data, is going to help you with, is, as you talked about, figure out what other security measures you're going to need in place. We've addressed, understand your individual rights, because you need to know what you're processing, why you're processing it, and where it is so that you can honor the individual rights, and a part of that is the downstream sharing of data to third-party service providers, or vendors.

Jodi Daniels:

It's the company's obligation to tell the downstream vendor, if you share data with them, "Oh, so-and-so asked to be deleted, or opt out, stopped doing that." So, it's incumbent on the company to be able to do that trail, or potentially, it's a self-serve type model if it's a technology, but again, the company needs to understand, I call it the data life cycle, if you're starting from left to right, you were drawing on a whiteboard, the data flow at a process activity, business process level, and that also will then help you in your marketing efforts, because you might decide maybe I'm using this data, and I shouldn't, or maybe I should offer a preference center. I should create more choices for my customers, or my prospects, and really use this opportunity to explain, "Here's why we collect this data. Here's what we're going to do with it. Here's all your fabulous choices."

Jodi Daniels:

People want to trust companies, and they're going to trust the company to deliver its product and service because, of whatever major fabulous features you have. They also want to trust you as a brand, as a company, are you going to protect my data? Are you going to misuse my data, or you're going to do the right thing? And we have the opportunity to explain all of that in our privacy notice, a privacy portal, a preference center, and really use language to connect in a marketing and a privacy manner.

Bill Tolson:

I'm sorry, I threw you off, you were going through your to-do list, so...

Jodi Daniels:

That's okay! Well, I brought us back a little bit to the to-do list. So, we know our data, we're going to manage our individual rights, we're going to strengthen our security, we need to update our privacy notices, because we might uncover what we're doing was not disclosed in our privacy notice, and we need to make sure that, one, our privacy notice aligns with the requirements of the law. There's a bit of a long list of things that you need to make sure you're disclosing. One of those, as an example, is sensitive data and making sure that you have that, plus the sharing or selling of data as defined, which is a unique definition under CCPA or CPRA, where it can be sharing to a third party, and the third party gets to use it for its own purposes. That can be a share or a sell of data.

Jodi Daniels:

Then ultimately you need to train. You need to train people, not only on security, but privacy. "Can I use this data? What are the considerations I need to do when I'm looking at a new vendor or a new tool or a new marketing campaign?" Incorporating privacy into the design, even if it's a marketing campaign, a new product update, but thinking about privacy, at the beginning, will make the entire process much, much better because this is a continuous thing, so there might be some effort at the beginning, and then you're done, and then the next year comes and you think, "Well, all right, I'm good. I did all that," except you're not because the business changed, and we need to kind of keep iterating on this entire life cycle. So, you have to think about a sustainable model that will work with the type of dynamic changes that your business is undergoing.

Bill Tolson:

By the way, one of the things I learned a long time ago, and working with lawyers is, and you brought this up in my mind when you were talking about training, is everything the company does around this, like in e-discovery, but in privacy and everything they do around it, document everything. So you can, if you're ever sitting in front of a judge, you can pull out the papers and say, "This is what we did on this date, this date, we trained the employees, twice a year, and they all signed the statements, and so forth." But having those simple documentations, I've seen in dealing with the courts and judges, they go a long way. They show a good faith attempt to do what's right, and that goes a long way with judges, that's for sure.

Jodi Daniels:

You're absolutely, right. If you've done nothing, then anyone would just say, "Well, I guess you've just ignored it. You don't care. You chose to not do this," but if you put forth the right effort, and someone disagrees with a decision that you've made, it's a very different situation to defend, in that regard, then you've just ignored it, didn't do it, forgot about it.

Bill Tolson:

Yeah. Yeah. I read in your article that the last to-do list is to go brag.

Jodi Daniels:

Yes, go brag. So that is, a big piece, nowadays companies are advertising all their products and features. They're advertising why to do business with us. We might have great customer service. We might deliver it in two days, whatever it is, and I also tend to see privacy and security as a feature. If you have an amazing program, if you've done all of this work, if you care about people's privacy, this is an opportunity to share it. If you're in B2B customer sales, you can at the beginning say, "You know what? We are all ready to be able to manage any compliance questions that you might have. We've gone through a full review and we're ready to handle that." If you're a B to C environment, your customers are looking to you to make sure that they can trust you with their data.

Jodi Daniels:

The B2B companies are doing that as well, but this is really a place to shine, to have a competitive edge, as it relates to how you care about someone's privacy. It's a selling feature these days, not to use just because it's a selling feature, but because it matters, because it's truly a decision that I see time and again, that if you don't put it forward, you're going to lose the sale. So, if you've done all this great work, then you can communicate you can share that, and in doing so, you're customers have objections, right? Why should I buy from you? Why should I do business from you? Don't let this be one of those objections. Answer it upfront.

Bill Tolson:

Yeah. It's a great marketing tool to say that you've taken this seriously. You've taken privacy seriously. You've done all of these things, and companies are really looking for that, now. It's not one of those things that they ignore anymore, because they could have issues to, buying software from a vendor that doesn't handle the data correctly could put them in liability too. I'll say one thing that I always tell people, and I think with the new environment of cyber hacking and ransomware, and it's just going nuts now, I think companies, especially companies dealing with personal information, but with intellectual property, or "know-how," or any of that kind of stuff, I just don't understand now why companies are not storing data encrypted versus non-encrypted, and we can get into a whole different discussion about that, a whole different podcast actually, but I just firmly believe that, especially with this kind of data that Jodi's been talking about, this personal information, you need to take that extra step and protect it, by encrypting it and keeping the encryption key separate, somewhere else.

Bill Tolson:

That really could lower your overall liability of how you'd have to react after a data breach and all of this kind of stuff, but that's simply my opinion. So with that said, Jodi, I think that wraps up this edition of the Information Management 360 podcast. I want to thank you for some just absolutely great advice and really interesting discussion today and on this very relevant subject of caring for the CPRA, as well as all the other new... I think what you've talked about in your list, probably, will be pertinent for all of the new state laws coming out, so I think this is really good.

Bill Tolson:

And by the way, you do have a really nice article on your webpage that walks through this as well. If anyone has questions on this topic, or would like to talk to a subject matter expert, please send an email, mentioning this podcast to info@archive360.com and we'll get back to you as soon as possible. Also, you can send an email directly to Jodi and Jodi's at Red Clover Advisors. Jodi's email address is jodi@redcloveradvisors.com, no spaces. And with that, Jodi, very much appreciate you taking the time today, and thank you.

Jodi Daniels:

Thank you so much! Much appreciate it.