Upcoming changes to California Privacy Law and impact on enterprise compliance in 2023
A consumer reaches out and says "I want you to delete all the personal data you have on me."
Today, could you meet that consumer's request?
Do you know how your enterprise fulfills these types of requests?
If you can fulfill the request, how do you prove that you took all necessary steps to do it the right way?
Do you know the business impact of the consumer requests you receive and process?
Laws and regulations now make this process a cost of doing business with certain kinds of data, and many companies are behind in some way, shape, or form; more often than not the gap is in policy, procedure, and documentation rather than in the mechanisms and intent, which are usually in place. Now is the last window to make meaningful process and policy changes before becoming low-hanging fruit for the enforcement actions coming in the very near future.
Key Updates
2023 marks the beginning of serious data privacy oversight in the United States.
To date,
5 states have enacted comprehensive privacy legislation
27 states have discussed comprehensive privacy bills
Draft federal legislation has been discussed
Our Thoughts
Coming up on a big election year, we are likely to see movement on both new lawmaking and enforcement of existing laws. In the absence of a federal law, states are free to keep enacting their own versions of comparable legislation, adding technical and organizational complexity for companies across the globe.
Our Experience
Many of the clients we work with did not engage in European markets at all and only had to grapple with the CCPA in 2020, reusing many of those repeatable processes and procedures when additional states adopted lighter-touch versions of California privacy law. Some companies, however, left the European market entirely over concerns about scrutiny under GDPR enforcement. For example, TapAd, acquired by Experian, decided to exit its existing European markets shortly after being named in an industry watchdog complaint alleging GDPR violations. While we cannot predict exactly what enforcement will look like in the US, we do know that the new privacy legislation allows GDPR-style enforcement to begin, on top of the limited private right of action the CCPA already grants to California residents.
This year is going to be a tough one for companies that have not had to make large organizational changes for GDPR compliance. For the many companies that found GDPR compliance too burdensome and refrained from entering (or exited) EU consumer markets, this year will be the first of many in which case law and enforcement dictate what a comprehensive compliance monitoring and auditing program needs to look like. In our experience, many enterprises are much further behind than they realize, for reasons that all trace back to the same root causes: unorganized data, a lack of understanding of the technical assets the company actually has, and shortcuts taken to scale that create tech debt the company can never catch up on.
What changes should keep me up at night?
The best time to complete the underlying data governance, protection, and security work was January of 2020; the second best time is now. A few of the changes introduced by the CPRA may not seem like a big deal at first, but they spell big problems for companies that will be required to produce documentation of thorough policy, procedure, process, and technical asset management within the next year. These problems compound with the number of applications, databases, cloud environments, and so on a company has, and in our experience are further complicated by the number of technology employees who need to change their day-to-day operations quickly and efficiently.
While many companies are in a fairly good position to implement some strategy for complying with the additional rights introduced by the CPRA, we believe the scariest parts of the changes are not the additional rights themselves but their impact on process, procedure, and culture at an enterprise: things that are much slower to change and that require dedicated support until adoption takes hold. We've compiled a few key takeaways from the new CPRA regulations that keep us up most at night. These changes have big impacts on enterprise culture, with a very tight July deadline looming.
30-day cure period is now discretionary
One of the more daunting changes under the CPRA (whose regulations are targeted to be finalized in April) is that the 30-day period for curing violations of the law is now discretionary, coupled with the increased enforcement powers the CPRA grants.
What is the 30 day cure period?
The CCPA gave companies an automatic 30 days to right any known violation of the law, with no penalty if the company made the changes within that time. This worked out well for companies that could quickly update contracts or website disclosures and also implement the technical and organizational process changes those wording changes imply. Some companies, however, did not make it in time. The most notable was Sephora, which suffered no data breach at all, but because of a misleading website disclosure and a failure to remediate within 30 days paid over $1 million in a settlement.
What changed?
Starting on January 1st of this year, it's no longer mandatory to give a company the opportunity to cure its noncompliance before handing down a fine. Companies can choose to litigate the penalty; however, that is extraordinarily expensive and burdensome for many organizations.
What does this look like for my enterprise?
Consumers who take issue with your privacy practices can send their complaints to the Office of the Attorney General. That sets off a long chain of procedural events that can end with your company receiving a request to provide details about the consumer complaint, much as with any consumer oversight agency.
Your company will then have to spend resources organizing the requested information, submitting responses, answering follow-ups, and eventually triaging and implementing any required changes. At that point it will be determined whether a violation occurred, and you will get either a cure period or a fine.
If you get the 30 day cure period…
Don’t jump for joy right away.
You are getting 30 days to make changes, but again, there isn't any prescriptive way to do this "right" yet. If you don't use the time well, you may become the example, and oversight of your remediation may force you to over-engineer your compliance around regulator positions that are far more risk-averse than your business is as an enterprise.
Your best option is to proactively determine your strategy and implement it consistently, so that it accurately reflects the effort and expense your company has put into complying and can withstand future oversight and scrutiny.
If you don’t…
You're looking at fines of up to $7,500 per violation of the law ($2,500 per unintentional violation; $7,500 per intentional violation or violation involving a minor). In the absolute worst case, multiply the number of consumer requests you've received by that figure. More likely, you'll at minimum be retaining outside counsel to handle the volume of responses going back and forth with regulators as you try to mitigate the damage.
One of the most common violations we've seen is inaccurate language in the website privacy disclosure. If you have to make significant changes to your website disclosure, everything in it has to have auditing and monitoring behind it. So you're potentially on the hook for:
Architecture updates
Modifications to company process and procedure
Evangelism of new process and procedure to all impacted stakeholders
Technology changes
Auditing and monitoring to validate the new site content
Bottom line: that's a lot of work for 30 days.
Employee exemption ends
From the earliest discussions of the CPRA until now, it was unclear whether employee data would be covered and granted rights under California privacy law, but the final text of the regulations strongly suggests it is something companies will have to account for in 2023.
The positive news
Many companies have a fairly straightforward path ahead for current and recently separated employees, because these enterprises have already shifted to a centralized platform built specifically for handling, processing, and securing sensitive employee data.
Additionally, because employment has long required providing and processing sensitive personal information, most enterprises choose a third-party platform built for exactly those processes and that data. A company that wishes to remain in business has little to gain from abusing the data it collects in the course of employment, or from ignoring the rigorous standards for protecting the healthcare, financial, and similar information that comes with employment. As a result, we have not seen many of our clients exploit employee data as aggressively as general consumer marketing data.
Complying with the basic privacy-law requirements for current or recently separated employees may be simpler because any information they wish to access should already be available to them through a variety of platforms, for example:
HR platforms for managing employee information
Tax documentation annually
Insurance information provided regularly
Additionally, much of the information not already available to employees by contacting their HR representative is governed by employment laws that restrict access to certain records, protecting both enterprises and individuals.
Deletion requests may be simpler as well. Depending on industry and location, many different laws dictate which types of records must be kept and for how long. Deletion requests from current or recently separated employees should still be accepted and logged, but nothing should be deleted outside the company's retention schedule.
Automated decision making consent
One area that may be tricky for companies is applying automated-decision-making consent to models currently being run on employee data. This would allow employees (as consumers under the law) to control the use of their employment data, and require the company to apply filters to these models that are refreshed regularly as consent decisions change. The places we've most often seen companies invest in models using employment data are:
Hiring and candidate evaluation efficiencies
Performance evaluation and management
Compensation and benefits
Implementing this for employment data models may be harder than for business-generating data, because consent in this form is a new option available only to certain employees; systems that already handle data-sharing or sale consent should be able to accommodate the change simply by modifying their existing rules logic.
Typically, these employee data sets and processes are also logically or physically isolated from business data, and they won't be as well organized as the business-generating data sets, because until now there has been less business need for, or value derived from, organizing them.
Candidate data
Additionally, most companies don't realize how much information they've collected on one group: candidates.
Candidates are individuals who did not ultimately become employed by the company during their engagement period, but about whom information was collected.
Candidates are known to your enterprise: you can uniquely identify them as a person in your data sets, which is how you are able to find someone who has already applied to, or worked at, your company before.
Candidates carry the same rights as employees for the purposes that their information was collected under the new CPRA regulations. This is where a lot of tried and true processes start to break apart.
Why candidates are tricky
Existing processes to know, access, and delete information might not cover candidates if their information isn't ingested into centralized systems soon enough. Even companies with a mature understanding of their data infrastructure and governance programs may struggle to extend existing compliance programs to these less accounted-for data sets.
As a result, you may have a lot of information sitting in unstructured settings, and may not be able to apply existing know, access, deletion, consent, and correction processes as seamlessly as you expected. A compliance addition that seemed simple to bolt onto an existing privacy program may now be a significant technology lift you don't have time for.
What do I do?
The best thing to do is evaluate existing processes and figure out what your posture is. If you have some unaccounted processes, that’s okay. The first step is documentation of what you have, and what your most glaring gaps are. This hasn’t been litigated in court yet, so you have the opportunity to proactively set the standard through your strategy as long as you try to do it the right way. That’s something we can help you accelerate right away through our professional services offering.
We’ve simplified these process gap hurdles to meet many timelines that are right against the wire for a compliance deadline, and have great success implementing impactful programs for large enterprises facing these same hurdles you’re facing now.
Authorized agent definition is broadened
Potentially less concerning, but perhaps more impactful than expected from an administrative perspective: the definition of authorized agent has changed in the finalized regulations.
Authorized agents no longer have to be a business entity registered with the Secretary of State to conduct business in California; any natural person or business entity the consumer has authorized qualifies. This allows more businesses to exercise rights requests on behalf of individuals.
Why is this important?
We've seen companies pop up where you can self-service all your privacy needs in one place, and we believe the intent of this change is to let consumers use those services without as much pushback from the companies receiving the requests.
Companies are required under privacy law to verify the identity of the individual making a rights request. Many enterprise processes perform this verification against internal data held on the individual, for example by asking knowledge-based security questions or sending a 2FA prompt.
This step was usually one of the bigger hurdles a company faced when setting up its original CCPA compliance technology, because it requires searching for and mastering personal information in systems that were never designed for that function. By widening the definition, California regulators have removed the cover enterprises had for refusing requests from third-party companies that did not qualify as an authorized agent and therefore could not satisfy the identity verification requirement. Businesses may still require the consumer to verify their own identity and to provide the agent with signed permission, but the agent itself can no longer be turned away on registration grounds alone. Most companies will have to modify their processes to account for this change, in one of two ways:
Proactively: The company realizes it’ll be a requirement before regulatory action, and creates a way to bypass standard identity validation through their existing process (this is tough - we can help)
Reactively: The company receives a notice that it is out of compliance and has to change its process to let these requests through, resulting in an architecture change to existing technology that must be fully in production within a 30-day cure period (if one is provided at all, now that it's discretionary).
While not the scariest aspect of the new regulations, it’s something to consider when planning your compliance infrastructure in accordance with enforcement starting on July 1st.
Now what?
You have some time to make changes before the official enforcement period begins on July 1 of this year. We can help you expedite what you need to do by providing customized process and procedure for your enterprise, with solutions that scale quickly and with your business in mind.