The Coming Sea Change in California Privacy Requirements

Article

March 2023

By: Travis P. Brennan

Recent and Upcoming Rules Announcements Mark Turning Point for Businesses Now Obligated to "Minimize" Data Use

The California Privacy Protection Agency approved its first round of “final” implementing regulations under the California Privacy Rights Act on February 3rd. While these are technically still “proposed” regulations (pending approval by the Office of Administrative Law), it is clear that a very real sea change is on the near horizon for any company doing business in California that collects consumers’ personal data, and that the sooner businesses move to meet what will be significant obligations, the better.

This recent announcement is the latest indicator that California regulators will be targeting much more than the public disclosures companies make about their data handling practices in privacy policies, cookie notices and elsewhere. Now, the crosshairs will be trained on the practices themselves; specifically, whether a company is “minimizing” its collection and use of personal data in the first place. We are moving from a privacy framework rooted in notice and transparency to one in which affirmative limits are placed on data collection and usage. The implications of this shift will be far-reaching, especially if they are not addressed proactively. How do we know? All we need to do is look to “the European model.”

Maximizing Efforts to Demonstrate the Minimization of Data Use

Understandably, many U.S. businesses have not been thinking holistically about privacy concerns, as they have not really been forced to until this point. California is on the cutting edge nationwide and ahead of many of its state counterparts in proposing, adopting and implementing new rules and regulations concerning data collection and use. But businesses in Europe have been navigating these issues for years, likely portending what American businesses have ahead of them in the coming months and years.

As I’ve been observing for a while now, what gets addressed in Europe is often upstream of what American legislation will attempt to address regarding data privacy, which is one of the most quickly emerging legislative issues facing a broad and far-reaching set of businesses. The obvious among them are e-commerce companies, whose business model often relies heavily on the collection and storage of user data, by the very nature of how they sell, what they sell, and who they sell it to. But this is not to suggest that only e-tailers need to be concerned with the new rules and regulations being rolled out. Quite the contrary.

In fact, nearly every business of any significant size and scope is in the business of collecting and storing user data — that is, if it has a website with any degree of sophistication. Simple plug-ins and third-party apps that drive modern websites collect all sorts of user data to feed the artificial intelligence and automations that perform even primitive digital marketing tasks, let alone the more sophisticated ones. Cookies are just a small part of this equation, and not even the most prevalent. Tracking pixels, third-party CRM systems like HubSpot and Salesforce, and even plug-ins that connect social media platforms and email marketing tools to the website and internal databases are just a few of the common tools that not only collect and store data, but potentially share it or use it for their own purposes — and not always as appropriately or as transparently as they should.

The recently announced proposed implementing regulations, together with a second round expected to be proposed later this year, create a significant and critical obligation for businesses of nearly every stripe, size and industry. Two of the issues they aim to address are:

  1. What are companies doing to minimize their collection and use of private user data, as is now their explicit obligation? and
  2. Which types of businesses will be subject to the Agency’s new audit powers?

Europe’s General Data Protection Regulation (GDPR) implemented data minimization requirements and regulatory audit powers years ago. European regulators have not hesitated to use those powers, auditing all manner of companies and imposing some significant fines when audits uncover violations of data minimization rules. If “the European model,” as I call it, is to be that which portends our domestic future here in California, the answers to those questions will be:

  1. Data minimization must be clearly adhered to, demonstrated, and transparently documented by the business, and
  2. The types of businesses subject to audit will be broadly defined.

As I’ve written previously, this requires new thinking on the part of business leaders in the U.S.: what has become necessary is much more than crafting a sound privacy policy document. It is a company-wide policy initiative and a fundamental approach of measuring all strategic initiatives through the prism of privacy compliance.

Start Now, Start Small…to Avoid Pain Later, When the Problem Will Be Bigger and More Urgent

Though the existing California statute is vague as to which types of businesses will be subject to this audit power, and the promised announcements on rules and regulations have been trickling out later than originally projected, I maintain that businesses should plan for a European-like model of regulation.

As Hemingway famously wrote of how bankruptcy arrives in his novel The Sun Also Rises, these audits are likely to come “gradually, then suddenly.” Those businesses that wait until receiving notice of a pending audit to comply with these regulations will be creating undue costs, workload and stress for themselves — in a highly compressed compliance timeframe and with zero margin for error.

On the other hand, those businesses that adopt this company-wide commitment to privacy can take a measured, deliberate approach and spread out the workload, and whatever budget becomes necessary, over time. Since we already know today what the privacy obligations are likely to be in the not-too-distant future, companies can begin immediately assessing all of their existing and proposed business initiatives against their new and forthcoming data minimization obligations. For example: We want, as a company, to launch a sophisticated modern digital marketing campaign to drive new and repeat users to our website…but how can we design the campaign to make sure we are not running afoul of the Agency’s new data minimization rules?

That manner of thinking will guide company leadership onto a path toward embracing the five fundamentals of sound privacy policy outlined here. Broadly speaking, leadership should be directing its teams to do the following:

1 - Make a map, and don’t forget about Europe.

The first key initiative is to work with all internal stakeholders to create a data map — a chart, list, illustration, etc. — that clearly documents all flows of personal data within the business. This includes where the data is coming from, why the company is collecting it, what the business plans to do with it, who else the company is sharing it with, how long the data will be stored internally, and why. Due to GDPR, this has become the norm in businesses across Europe, and it is a sound policy for U.S. businesses today given the state of California law.

2 - Bring in outside support, resources and expertise, as necessary.

Most business leaders and their management teams are understandably not experts in data usage or in the laws and regulations that govern it. Many companies consider hiring outside third parties who remain keenly aware of what is required to create this map and what actions will be necessary to get it done correctly. This may be an attorney, but it can also be a professional operations consultant acting in concert with an attorney. Either way, the intent is to eliminate the learning curve quickly and instill confidence that everything is being executed properly and that no steps are being omitted in error.

3 - Offload the heavy lifting so leadership can concentrate on the thinking and innovating.

What is necessary at the beginning of such an endeavor is thorough interviews and consultations with various members of the marketing team, IT personnel, internal counsel if such exists, and others — a tremendous amount of data collection in its own right. There are specialized consultants who will perform this work on your behalf, usually in conjunction with legal counsel, so your team can stay focused on your daily and long-term objectives. Counsel brings the insight and expertise as to what the law currently requires, the direction it is headed, and how those requirements apply to business operations. Once the information intake is complete, processed, and presented to company leadership, blind spots will be removed so that the direction forward is clear and calculated, which allows the company to think differently about both the present and the future.

4 - Develop your company’s privacy-conscious plan.

By this, I’m not referring to the written company privacy policy, but rather mapping out guidelines for decision making and strategy direction. Once you have all of the necessary facts, there should be a consistent manner of processing them through a privacy lens:

What are the privacy risks posed by this initiative?

Why do we currently do it this way?

Do we need to do it this way to meet our business objectives?

Can we pare back the associated data collection so that we still achieve the proposed goal, but are also confident that our internal practices would pass muster if exposed to Agency scrutiny?

It may seem glacial, both in the size of the undertaking currently being implemented in California and in the pace at which we are receiving clarity around enforcement, but make no mistake: no matter the size of your ship, that glacier poses a threat. And it will be upon your bow, sooner or later. Better to navigate to safety today than be forced to make an emergency SOS call for help when it’s already too late.

Travis Brennan is a Shareholder with Stradling and Chair of the firm’s Privacy & Data Security practice, as well as a member of the firm's Business Litigation and Compliance and Corporate Governance practice groups. Contact him at tbrennan@stradlinglaw.com.