While some CPA firms are still trying to get their arms around the compliance requirements associated with the European Union's General Data Protection Regulation (GDPR), here comes another curveball. As reported in CAMICO's IMPACT 113 article "General Data Protection Regulation (GDPR)," it did not take long for "GDPR lite" to come to the United States.
California is the first state to push forward a privacy initiative. California signed into law on June 28, 2018, the California Consumer Privacy Act ("CCPA" or "CA Act"), which becomes effective January 1, 2020. And before you assume that the CCPA will not affect you because your firm is not located in California, know that companies both inside and outside of California will be affected by its requirements. It has already been amended once by former Governor Jerry Brown on September 23, 2018 (SB-1121), and may go through additional updates before it takes effect. However, it is critical to start to prepare for it now, as it will take time to take the steps necessary to be in compliance by 2020.
What Businesses Are Subject to the CCPA?The CCPA applies to for-profit entities that both collect and process the "personal information" of California residents and do business in the state of California. However, a physical presence in California is not a requirement, and it appears that making sales in the state would be sufficient. Additionally, the business must meet at least one of the following criteria in order for the CCPA to apply:
- The business must generate annual gross revenue in excess of $25 million,
- The business must receive or share personal information of more than 50,000 California residents annually, or
- The business must derive at least 50 percent of its annual revenue by selling the personal information of California residents.
What Is "Personal Information" under the CCPA?Personal information under the CCPA is defined more broadly than GDPR, which is problematic. Under the CA Act “personal information” is defined as "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." The addition of the term "household" adds a dimension to this privacy law that is largely uncharted territory. Specifically, information collected by a business does not have to be associated with a name or specific individual, but rather can identify a household.
The definition of "personal information" under the CCPA also lists a wide range of standard examples that includes Social Security numbers, drivers' license numbers and purchase histories, but also "unique personal identifiers" such as device identifiers and other online tracking technologies.
What Should You Do Now to Prepare for CCPA?CPA firms that do business in California and meet the applicable thresholds for compliance with the new privacy law should begin to prepare early to implement appropriate compliance measures to meet the requirements of the CA Act.
For CPA firms that have already adopted GDPR compliance, measures need to be taken to ensure that the firm also conforms with the requirements of CCPA, as the CA Act defines personal information more broadly than GDPR and mandates several compliance requirements not imposed by GDPR. In addition, there are also variations in the limitations and exceptions to the privacy rights granted by the CCPA, as compared to GDPR.
What Are Other States Doing with Respect to Data Privacy Legislation?As of the date of this writing, nine additional states have already introduced data privacy bills, although this number will rapidly increase. Of those nine states, some are incorporating similar requirements to CCPA, while others are taking a more limited approach. As of now, the state of Washington has proposed privacy legislation that is more closely aligned with the GDPR. The tidal wave of states putting forth data privacy legislation is expected to continue as the year progresses. Needless to say, the burden on businesses trying to manage the differences and similarities of GDPR along with any applicable state privacy laws, if enacted, will be a compliance nightmare. Proactive steps now to address data privacy within your firm may help to ease any future compliance burden.
Risk Management GuidanceWith data privacy protection initiatives spreading across the U.S., it is important for CPA firms to continue developing a set of best practices to ensure the privacy and security of the personal information they collect, use, or store. An important first step for a CPA firm is to create a data inventory that would identify what personal information is collected by the firm, how it is used, where it is stored, and when it is destroyed. Once this data mapping exercise is complete, a firm has a solid foundation to begin to establish and implement appropriate policies and procedures to safeguard the privacy and security of its data.
It is critical to recognize that a CPA firm’s compliance with applicable data and privacy laws, including but not limited to CCPA and GDPR, is an extremely complex and organization-specific initiative. CAMICO strongly encourages firms to engage legally qualified professionals to discuss how CCPA and GDPR, and other data and privacy protection laws, may apply to your firm and how best to comply. CAMICO further encourages firms to DOCUMENT all time, money, research, risk assessments, and other steps and decisions taken by the firm to achieve compliance. This documentation will help to support the firm’s good faith efforts toward compliance and accountability in the event it is ever challenged by a regulatory body.
For illustrative purposes, CAMICO developed "Engagement Letter Guidance—GDPR" regarding a firm's compliance with applicable data and privacy protection laws. This sample engagement letter language is available to download from the Members-Only Site under Knowledge Tree, CAMICO Publications, and IMPACT 114.
CAMICO policyholders with questions regarding this communication or other risk management questions should contact the Loss Prevention Department at firstname.lastname@example.org, or call our advice hotline at 800.652.1772 and ask to speak with a Loss Prevention Specialist.