The California Consumer Privacy Act comes into force on 1 January, 2020, with a one-year lookback provision, so it is essential private funds managers understand how it affects their data operations now. Here are seven key questions you need to be asking.
1 What does the law require businesses to do?
The law requires companies to inform California residents which of their personal data the company collects or holds, the purpose for which it was collected, where the company got that information, how the information is being used, whether the information is being disclosed or sold and to whom the information is being disclosed or sold to.What does the law require businesses to do?
Under the law, consumers have the right to request to opt out of a business selling their information, to access any personal information the business has stored and to request the deletion of any personal information the business has stored.
Businesses will also be obligated to provide an opt-out page or link on their websites’ homepages that notifies consumers of their right to not have their personal data sold.
2 What exactly is ‘personal data’?
The average person may think of personal information as being just someone’s name, email address and financial account number. In order to comply with the law, firms need to rethink what they see as personal information.
“You’ve got to get your head around the idea that IP addresses, device identifiers, inferences, smells, biometrics or really anything that could reasonably be seen as forming a trail of digital breadcrumbs back to the consumer or their household, are now all forms of personal data too,” says Jeremy Feigelson, co-chair of Debevoise & Plimpton’s cybersecurity and data privacy practice. “So, when you begin to think about designing your compliance programme, you’ve got to have a much more expansive view of what the programme has to tackle.”
3 Will PE firms be affected?
Yes, but as this law focuses on personal data, the biggest effect will be on portfolio companies, particularly if they operate in consumer-facing industries. GPs should pay close attention if they use a shared services model across their fund portfolio that centralises finance, accounting and other functions via a cloud-based system, says Karen Schuler, principal and data and information governance national leader at BDO. “In that case, the firm may have direct access to personally identifiable financial information of its portfolio companies’ customers.”
PE firms also directly collect and process personal information from their LPs, portfolio company executives, prospective targets and other external stakeholders, she adds. Individual employee data may also reside in HR and IT systems.
4 Is the California consumer privacy act just a US version of the EU’s GDPR?
While both regulate data privacy, the CCPA and GDPR have fundamental differences.
“The main difference is that the GDPR starts from the premise that data privacy is a fundamental human right and that every single time a company touches your data, every single touch has to be justified by some specific provision in the law,” Feigelson says.
“CCPA doesn’t go that far. It’s much more about giving consumers improved disclosure of what kind of data is being collected and how it’s being used, but it doesn’t put that hurdle in front of companies of having to say, ‘Mother, may I?’ every time they touch your data.”
The two laws also share differences on a micro level. One example being that with the CCPA, a business is required to comply if they have revenues over $25 million or data of 50,000 or more residents, households, or devices, or if 50 percent of your revenues are coming from selling personal information. In contrast, the GDPR applies to any company that’s offering goods or services to EU residents, monitoring the behaviour of EU data subjects or is established in the EU.
The two laws also differ on fines. “The potential penalty for breaching GDPR is up to 4 percent of global revenues or €20 million, whichever is greater,” Schuler says. “For the CCPA, it’s $7,500 per violation plus the violating company will be subject to an injunction.”
Another difference is in reporting personal data breaches. “GDPR requires a controller to notify supervisory authorities within 72 hours of becoming aware of a data breach of personal data,” Schuler says. “Whereas California is saying without undue delay or as quickly as possible.”
Lastly, GDPR requires the controller to respond to data subject requests within 30 days unless there is reason to extend the request by 60 days. This is unlike the CCPA where a company has 45 days to provide information to the consumer.
5 When does it come into force?
The law will come into effect on 1 January 2020. However, it’s wise for firms to start preparing. Due to the CCPA’s 12-month look-back requirement, consumers can ask companies for records of personal information collected in the 12 months before 1 January 2020, which makes it crucial for firms to start managing their data appropriately now.
The issue with this is that the law has a “crazy broad definition of personal information”, says Feigelson. “Firms have to figure out what data they are holding and data they generate routinely that matches up with this definition.
“Figure out what kind of third-party transactions and relationships you’ve got that are going to constitute sales of that data under the crazy broad definition of sale. And then figure out from there what kind of changes you need to make to your policies, procedures, and your vendor agreements to get your house in order.”
6 What does it mean for investment due diligence?
The law increases the importance of due diligence for investments and for portfolio company M&A activity. Now firms not only have to worry about hackers getting into their network and affecting the value of the investment but also paying damage costs.
“California’s new CCPA has a private right of action with an extremely high dollar statutory damages number per consumer, per incident, and the consequences of not doing adequate due diligence for your investment or M&A activity, from a cyber- and privacy-specific lens, are much greater,” says Luke Dembosky, co-chair of Debevoise’s cybersecurity and data privacy practice.
7 Will other states follow California’s lead?
All three experts believe this California law will lead to other states adopting similar data privacy laws.
“California almost in and of itself makes it a 50-state rule, because California is so big and tends to set national standards just by making one-state standards,” Feigelson says. “Sometimes, it’s easier to just treat a California rule like a 50-state rule out of the box.”
Leaders of the tech industry – Tim Cook, the CEO of Apple, and Satya Nadella, the CEO of Microsoft – have been outspoken about the need for data privacy regulation over the past year. With such big guns advocating for this it might be only a matter of time before the US adopts a GDPR-like countrywide law.
“Corporate America doesn’t like regulation, but if it’s going to be regulated, they want it to be uniform and a level playing field, and they want to be able to have one compliance programme and not 20. So GDPR very much looks like the wave of the future here in the US,” Fiegelson says.