Organizations collecting and maintaining personal information about California and New York residents should be paying attention to what is happening with the states’ consumer privacy laws.
The data security elements of New York’s Stop Hacks and Improve Electronic Data Security Act went into effect on March 21. Ten days earlier, the California Attorney General released a second modification of the proposed regulations to implement the California Consumer Protection Act (CCPA). Both of these laws strengthen consumer privacy by focusing on how organizations use and protect the personal data they collect.
New York’s SHIELD Act, which was signed into law last July, broadens the scope of consumer privacy by requiring organizations to protect the information they collect and by expanding the types of data which are subject to the data breach notification law. The law also broadened the definition of a data breach to include unauthorized access to private information. Most of the law’s provisions took effect on Oct. 23, 2019, and the data security portion was the only one left.
Often compared to European Union’s General Data Protection Regulation (GDPR), CCPA gives consumers control over what data is collected, processed, shared, or sold by companies doing business in California. As a state law, CCPA’s rules protecting consumers from having their personal data being used improperly applies only to California, but the sheer size of the state’s economy and number of residents means most organizations have to comply. CCPA went into effect Jan. 1 and is currently the strongest consumer privacy law on the books among the fifty states (and absent a federal law).
Like CCPA, the SHIELD Act’s reach extends beyond New York’s borders because it applies to any organization with any information about any New York resident. It doesn’t require the business to operate in New York.
SHIELD’s Stipulations
The SHIELD Act established minimum security requirements for all organizations (“persons and entities”), both for-profit and non-profit, that hold protected data. If this type of data, which includes Social security numbers; driver’s license numbers or non-driver identification card numbers; account numbers and payment card numbers; passwords and security codes associated with financial accounts; biometric information such as fingerprints, voice prints, retina or iris image; and usernames and email addresses, along with corresponding passwords and security questions and answers, gets exposed in a data breach or some other incident, the entity has to report it to the attorney general.
Organizations possessing protected data would be considered in compliance if they implement data security practices with reasonable administrative, technical, and physical safeguards. These include having a written security program with reasonable administrative safeguards such as training employees on appropriate security procedures and selecting service providers that follow secure practices, along with technical safeguards such as regular testing and monitoring of essential controls, systems and procedures. The law requires physical safeguards such as disposing of private information and securely erasing electronic media. The SHIELD Act also requires that any entity collecting data has to have a designated employee to oversee the security program.
Small businesses—with less than $3 million in annual revenue, less than $5 million in assets, or fewer than 50 employees—will be considered in compliance if they have the same kind of administrative, technical or physical safeguards "appropriate for the size and complexity of the small business, the nature, and scope of the small business's activities, and the sensitivity of the personal information the small business collects from or about consumers."
Most entities already compliant with Health Insurance Portability and Accountability Act (HIPAA), Graham-Leach-Bliley Act, or New York Department of Financial Services cybersecurity regulations most likely already comply with the SHIELD Act, wrote Curtis A. Johnson, an attorney in the Cybersecurity and Data Privacy at law firm Bond, Schoeneck & King PLLC. There is no certification process to show the organization is complying with the SHIELD Act. However, if there is a data breach and it turns up during the investigation that the organization was not compliant, the organization may face civil penalties of up to $5,000 per violation and no penalty caps.
Current CCPA Changes
As for CCPA, the proposed regulations on how to implement the law were released in October, and the California Attorney General released a set of modifications in February. The second modifications are in response to the comments received on the February rules. While some of the changes in the second modifications are new, some reversed the changes that were introduced in the first modification.
The modifications do not change the overall structure of the proposed regulations, and there is no major change to the main requirement that businesses have to notify the consumer at the “point of collection” about what information is being collected, how it will be used, and where to find the privacy policy. There is a minor tweak in how the notification is presented, however, as businesses collecting the personal information over the telephone or in person can notify the consumer verbally. And in cases where the information is being collected for employment purposes, the business doesn’t have to provide a link to the privacy policy.
The modifications expand the types of information to include in the privacy policy. For example, the privacy policy must identify the categories of sources from which personal information is collected, and the categories have to be described in a way that consumers will understand. This is in line with the original regulations. Another change requires that businesses selling information must identify the commercial purpose the data will be used for--or the business they are selling to—”in a manner that provides consumers meaningful understanding of why the information is collected or sold.”
If the business receives a request to know a consumer’s Social Security number, driver’s license number or other government-issued identification number, it does not have to disclose what it knows. However, the business still has to inform the consumer that it collected that type of information. “For example, a business shall respond that it collects ‘unique biometric data including a fingerprint scan’ without disclosing the actual fingerprint scan data.”
A business that does not collect personal information directly from consumers does not need to notify the consumer about having the data only if the business does not sell the personal data. But if a business that sells consumer data denies a consumer’s deletion request and the consumer has not already made a request to opt-out of the sale, then the business must ask the consumer again if the consumer wants to opt-out.
Don’t Delay
Businesses are expected to be compliant with CCPA by July 1, when enforcement will begin. The California Attorney General is making these modifications in response to public input, and the final regulations are expected to be complete before then. However, it can be difficult for businesses making the necessary changes to be compliant with the law when the rules keep changing.
Organizations should be implementing good security hygiene, conducting thorough asset inventories, and strengthening their security practices—all of which will help meet SHIELD’s requirements to have safeguards in place— in order to avoid civil penalties under the laws. Businesses should be encrypting their data in order to comply with CCPA, according to California Consumer Privacy Compliance Guide from IT analyst and research firm Enterprise Strategy Group. If data has been encrypted or redacted, it cannot be used by unauthorized parties, so even in the case of a breach the consumer is not harmed. Data protection applies to data at rest in storage, in transit over networks, and while in use by applications, according to the Guide.
“Organizations need to implement advanced data classification, data anonymization, data masking, encryption, security, and access controls in order to set themselves up for successful compliance,” wrote Christophe Bertrand, ESG senior analyst.
Many organizations are “only ready on the surface,” such as implementing the opt-in/opt-out mechanism for marketing materials, and have not acted on the data protection elements, Bertrand said.
A business group asked the California Attorney General to postpone enforcement of CCPA because of concerns over making the necessary changes when many employees are working remotely and adjusting to new processes. “Developing innovative business procedures to comply with brand-new legal requirements is a formidable undertaking on its own, but it is an especially tall order when there are no dedicated, on-site staff available to build and test necessary new systems and processes,” the letter said.
While the attorney general’s office has not yet responded to the request, privacy advocates pushed back, noting that organizations have had almost a full year to make the changes.
“[Industry] shouldn’t exploit the health crisis to ignore consumer requests to companies to stop selling their data,” said Justin Brookman, director of privacy and technology policy at Consumer Reports.
“Now that more consumers are working from home and relying on tech companies for crucial communications, the attorney general needs to ensure that appropriate safeguards are in place,” said Maureen Mahoney, a policy analyst at Consumer Reports.
Organizations should not expect a postponement and do what needs to be done to ensure they are complying with the law. This is not the time to be lax about compliance. In fact, with the workforce working remotely and using alternate (unfamiliar) tools, proper data management and protection is more important than ever.
As for SHIELD, “New York State has not delayed implementation in the face of the statewide and national emergencies declared as a result of the COVID-19 pandemic,” said Johnson.