Is CCPA just the same as EU’s GDPR?
While the CCPA and the General Data Protection Regulation that took effect in the EU in 2018 may both regulate data privacy, they are fundamentally different, says Feigelson.
“The main difference is that the GDPR starts from the premise that data privacy is a fundamental human right and that every single time a company touches your data, every single touch has to be justified by some specific provision in the law,” Feigelson said. “CCPA doesn’t go that far. It’s much more about giving consumers improved disclosure of what kind of data is being collected and how it’s being used, but it doesn’t put that hurdle in front of companies of having to say, ‘Mother, may I?’ every time they touch your data.”
The two laws also differ at a more granular level. For example, a business must comply with the CCPA if it has revenues over $25 million, holds data on 50,000 or more residents, households, or devices, or earns 50 percent of its revenues from selling personal information. In contrast, the GDPR applies to any company that offers goods or services to EU residents, monitors the behavior of EU data subjects, or is established in the EU.
Fines are another area where the two laws differ. “The potential penalty for breaching GDPR is up to 4 percent of global revenues or €20 million, whichever is greater. For the CCPA it’s $7,500 per violation plus the violating company will be subject to an injunction,” Schuler said.
Another difference has to do with how businesses are required to report a personal data breach. “GDPR requires a controller to notify supervisory authorities within 72 hours of becoming aware of a data breach of personal data,” Schuler said. “Whereas California is saying without undue delay or as quickly as possible.”
Lastly, GDPR requires the controller to respond to data subject requests within 30 days unless there is reason to extend the response period by 60 days. This is unlike the CCPA, where a company has 45 days to provide information to the consumer.
The California Consumer Privacy Act comes into force on January 1, 2020, with a one-year lookback provision, so it is essential that private funds managers understand how it affects their data operations now.
What does the law require businesses to do?
The law requires companies to inform California residents which of their personal data the company collects or holds, the purpose for which it was collected, where the company obtained that information, how the information is being used, whether the information is being disclosed or sold, and to whom it is being disclosed or sold.
Under the law, consumers have the right to opt out of a business selling their information, to access any personal information the business has stored, and to request the deletion of any personal information the business has stored.
Businesses will also be obligated to provide an opt-out page or link on their websites’ homepages that notifies consumers of their right to not have their personal data sold.
What exactly is ‘personal data’?
The average person may think of personal information as being just someone’s name, email address and financial account number. In order to comply with the law, firms need to rethink what they see as personal information.
“You’ve got to get your head around the idea that IP addresses, device identifiers, inferences, smells, biometrics or really anything that could reasonably be seen as forming a trail of digital breadcrumbs back to the consumer or their household, are now all forms of personal data too,” says Jeremy Feigelson, co-chair of Debevoise & Plimpton’s cybersecurity and data privacy practice. “So, when you begin to think about designing your compliance program, you’ve got to have a much more expansive view of what the program has to tackle.”
Will PE firms be affected?
Yes, but as this law focuses on personal data, the biggest effect will be on portfolio companies, particularly if they operate in consumer-facing industries. GPs should pay close attention if they use a shared services model across their fund portfolio that centralizes finance, accounting and other functions via a cloud-based system, says Karen Schuler, principal and data and information governance national leader at BDO. “In that case, the firm may have direct access to personally identifiable financial information of its portfolio companies’ customers.” PE firms also directly collect and process personal information from their LPs, portfolio company executives, prospective targets, and other external stakeholders, she adds. Individual employee data may also reside in HR and IT systems.
When does it come into force?
The law comes into effect on January 1, 2020; however, it is wise for firms to start preparing for it now.
Due to the CCPA’s 12-month look-back requirement, consumers can ask companies for records of personal information collected in the 12 months before January 1, 2020, which makes it crucial for firms to start managing their data appropriately now. The issue with this is that the law has a “crazy broad definition of personal information,” says Feigelson. “Firms have to figure out what data they are holding and what data they generate routinely that matches up with this definition.
“Figure out what kind of third-party transactions and relationships you’ve got that are going to constitute sales of that data under the crazy broad definition of sale,” Feigelson says, “And then figure out from there what kind of changes you need to make to your policies, procedures, and your vendor agreements to get your house in order.”
What does it mean for investment due diligence?
The law increases the importance of due diligence for investments and for portfolio company M&A activity. Now firms have to worry not only about hackers getting into their network and affecting the value of the investment, but also about paying damages. “California’s new CCPA has a private right of action with an extremely high dollar statutory damages number per consumer, per incident, and the consequences of not doing adequate due diligence for your investment or M&A activity, from a cyber- and privacy-specific lens, are much greater,” Luke Dembosky, co-chair of Debevoise’s cybersecurity and data privacy practice, tells pfm.
Will other states follow California’s lead?
All three experts believe that this California law will lead to other states adopting similar data privacy laws.
“California almost in and of itself makes it a 50-state rule, because California is so big and tends to set national standards just by making one-state standards,” Feigelson says. “Sometimes, it’s easier to just treat a California rule like a 50-state rule out of the box.”
Tech industry leaders such as Tim Cook, CEO of Apple, and Satya Nadella, CEO of Microsoft, have been outspoken about the need for data privacy regulation over the past year. With such big guns advocating for this, it may be only a matter of time before the US adopts a GDPR-like nationwide law.
“Corporate America doesn’t like regulation, but if it’s going to be regulated, they want it to be uniform and a level playing field, and they want to be able to have one compliance program and not 20. So GDPR very much looks like the wave of the future here in the US,” Feigelson says.