By Justine M. Phillips
Ignorance is bliss, at least until a statute makes intentional stupidity unlawful. The California Consumer Privacy Act of 2018 (CCPA) mandates extrication of all those heads buried deep in the sand about what data businesses store and how it is used, shared and secured. This article explores why burying our heads in the sand about digital assets is wrong on many levels.
Misnomers About Ostriches & Data
Ostriches are the inspiration for the saying, “Don’t bury your head in the sand.” Apart from cartoons, I never saw an ostrich put its head in the sand but readily accepted it as true because so many others held the same belief. In fact, ostriches don’t bury their heads in the sand. Nevertheless, intentionally ignoring what is most dangerous to you is commonly known as the Ostrich Effect, which conveniently brings us to data management.
The single greatest peril to data is ignorance of its existence. You cannot disclose to consumers what happens to their data if you don’t know you have it. You cannot secure it, sell it, forget it or manage it unless you first know what you have.
Why Is CCPA Such a Big Deal?
Big data was unregulated until CCPA was hastily rushed through the legislative process. There was no law that required an organization to fully understand and inventory all of its electronically stored information. Consistent with this lack of regulation, many businesses did not think of consumer data — like IP addresses or unique identifiers — as data that “belonged” to consumers. Similar to a fingerprint left on a door, IP addresses or unique identifiers are artifacts that consumers leave when they visit a website. Many businesses do not know what type of unique identifiers it may collect, how they are used, or how to recall and delete them. Simply put, CCPA requires businesses to dedicate significant resources and time to understand what consumer data they collect.
Here are some basics on CCPA:
- Businesses must disclose data collection and sharing practices to consumers
- Consumers have a right to request their data be deleted or forgotten
- Consumers have a right to opt out of the sale or sharing of their personal information
- Businesses are prohibited from selling personal information of consumers under the age of 16 without explicit opt-in consent; for children under 13, the opt-in must be collected from a parent or guardian
- Individuals have a private right of action with steep statutory fines and penalties if businesses fail to safeguard data and it is breached
Shifting Perspectives About Consumer Data
The first thing a business that pulls its head out of the sand may realize is that the legal and regulatory landscape is shifting: organizations must now think about consumer data as “borrowed” until such privilege is revoked by consumers. In other words, the company no longer “owns” all of the data it collects. Previous laws required certain disclosures about cookies or tracking, online privacy policies, or notice to consumers if their personally identifiable information was compromised. Consumers, however, did not have the right to request that an organization identify or delete their personal information. CCPA makes clear that the owners of “personal information” are the consumers themselves and they have a right to request that their data be identified and “forgotten.”
The second major departure from traditional state privacy laws is the expansion of “personal information.” Previously, personally identifiable information was limited to sensitive data like name in combination with Social Security numbers, driver’s license numbers, financial information, health information, emails and passwords. Under CCPA, the definition of “personal information” includes anything that “identifies, relates to, describes as capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This broad definition includes IP addresses, cookies, unique identifiers, biometric data, email addresses, account names, aliases and many more types of data that have never been regulated in the United States. Most organizations have not identified or mapped the data elements regulated by CCPA.
What Do Lawyers Have to Do with Digital Assets?
Compliance and risk are often delegated to legal teams; navigating CCPA is no exception. However, lawyers are not often experts on information technology or security. So what value do lawyers add to managing digital assets? Foremost, if a lawyer is leading the project there is a presumption of privilege. More importantly, attorneys know how to conduct investigations, create charts, ask questions, paraphrase, and delegate — all essential qualities to sound information governance. While many organizations may have a basic understanding of key databases that include sensitive personal information like Social Security Numbers, dates of birth, financial information, intellectual property or crown jewels, they generally do not understand how or why data flows across the organization.
The Risk is Real
Effective Jan. 1, 2020, Californians can request a covered entity to identify and delete all their “personal information” for the last 12 months. New legislation proposed by California Attorney General Xavier Becerra and Senator Hannah-Beth Jackson (SB 561) will revise CCPA to add a private right of action for consumers to enforce this “right to be forgotten.” If an organization has not mapped their data and developed processes for identifying and deleting data, the risk of class actions is high. This empowers consumers to pursue class actions where each consumer may stand to recover statutory damages for each violation. If the amendment mirrors CCPA’s statutory damages for data breaches — which provides $150-750 per consumer per incident — then companies may face multimillion dollar payouts.
If We Know Better, We Do Better
Organizations know data can be dangerous and have buried their heads deep in the sand about unregulated data. CCPA’s broad reach mandates a fundamental awareness and mindfulness about all types of data a business collects and maintains. The natural consequence of knowing data exists is to further analyze its costs/benefits. If the benefits outweigh the risk, the data will be maintained. If the inverse is true, the data may not be collected. Confronting these truths about data management will ultimately make organizations more aware. And the first step toward change is overcoming the Ostrich Effect and increasing awareness.
Justine M. Phillips is a Partner at Sheppard, Mullin, Richter & Hampton LLP.