Join us as Sabrina Serafin speaks with Jodi Daniels of Red Clover Advisors about the California Consumer Privacy Act, a new privacy law in the United States that resembles the EU’s GDPR. Learn about this sweeping new regulation and how you should best prepare for its implementation next January.
New Privacy Laws and their Impact on US Business Transcript
This transcript was assembled by hand and may contain some errors.
It has been edited for readability.
Sabrina: Welcome to Frazier & Deeter’s Culture of Compliance podcast series, where we discuss compliance as a competitive advantage in today’s marketplace. I’m Sabrina Serafin, Partner and National Leader of Frazier and Deeter’s Process, Risk & Governance practice.
Today, we’re talking to Jodi Daniels, founder and CEO of Red Clover Advisors, a data privacy advisory service that specializes in U.S. and European privacy law and other aspects of data strategy. Welcome to the podcast, Jodi.
Jodi: Thank you, glad to be here.
Sabrina: Let’s start with some background on your company. How did you come to found Red Clover Advisors?
Jodi: After 19 years in corporate America, I packaged up all the experience I had in accounting, strategy, finance, online advertising and privacy to really help serve the small to mid-market companies who might not have a full time privacy professional to be able to help them navigate complying with privacy laws, creating data strategies and making sure that they’re really in tune with how to best use data and maintain the relationship with their customers.
I firmly believe that privacy is good business. We have these privacy laws; we want to make sure we’re all good business stewards and we also have an opportunity to really understand the data that we’re collecting and how that can improve the operations of a business. I will help companies comply with various privacy laws. That might be gap analysis, or we might walk through any of the actions that a company would need to take and I might really serve as an advisor to help them navigate through the ongoing complexities in privacy today.
Jodi: Absolutely. We all probably started noticing them back in the spring of 2018. GDPR, the General Data Protection Regulation, was effective May 25th, 2018. It’s an update to an existing privacy law that the EU had called the Data Protection Regulation, and it was there for over 20 years. As we know, over the last 20 years we have so much more data and have changed the way that data is collected and used and processed and shared.
It was really time to update the privacy laws, so the formation of GDPR came together. Another really important aspect is that it essentially creates a floor or a foundation for privacy across the EU. Before, each different EU member state could sort of have their own, but now GDPR sets that floor; they can still have their own, but it sits on top. So, if we liken it to the United States, imagine you have a federal law, and then you could have each individual state have a more advanced law on top of that.
Sabrina: Well, let’s get into it. In the wake of GDPR, California recently passed similar legislation that affects any business conducting business operations in that state. Can you tell us about the factors that drove this new legislation and when it’s expected to go into effect?
Jodi: Sure. The CCPA is the California Consumer Privacy Act. It passed in June of 2018, and it really came from what happened between Facebook and Cambridge Analytica. That really drove the legislation. It has some other interesting byproducts; there was actually a ballot initiative originally that was supposed to be for the November 2018 election. Fast forward, after a long lobbying effort, the California legislature passed CCPA.
Since then, actually, right now, we have between 10 to 12 other states also looking at CCPA. CCPA and GDPR are different. GDPR is really about the fundamental rights and freedoms of an individual, and companies have to think about how they’re using, collecting, processing data at every individual processing activity. In CCPA, it’s very much around the notice and choice for an individual. So to make sure that I, as Jodi Daniels, know what you’re doing with my data, and then, if I don’t like it, I have choices.
Sabrina: So, that seems like a pretty sweeping regulation, and as you mentioned, a number of other states are following suit. Are there any aspects of the legislation still being defined or clarified?
Jodi: It is a sweeping regulation, absolutely. It’s the first privacy law at a state level that really exists like this in the United States.
We have what we call a sectoral approach. We have HIPAA for health information, we have GLBA, the Gramm-Leach-Bliley Act, to cover financial data, we have CAN-SPAM to cover email marketing and so on. So, this is really the first time we have a privacy law at a state level. It is certainly a big impact, and I think it’s also important for our listeners to know that it covers you if you are doing business with California residents. We don’t have to have an established business or physical footprint in California. I could be in Atlanta, Georgia and be serving California residents.
Because it was passed so quickly, there are a number of areas that are still being defined or clarified. For example, there are some places where it defines household information and individual rights. Are they connected at the household level, or is it always at an individual level? For example, if I make a request to a company to delete my data, and I live in a household, that might impact the other members of the household who didn’t make the same request.
I have to be able to opt out of selling data, but what is the definition of sale? Is it only for money? Could a partnership be a sale? Can sharing be a sale? Exactly what is the definition of a sale? Right now, there are some public forums that the California Attorney General’s office is holding to seek public comment to be able to help clarify what the CCPA will mean. So there are a lot of people anticipating and anxiously awaiting what will come out of that. So, we’ll have a little bit more clarification on some of these very nuanced areas.
Sabrina: You mentioned that it’s not as sweeping as GDPR. So, if companies already complied with GDPR, how much more work would need to be done to comply with the state regulation?
Jodi: That’s a great question. And there is still some work that needs to be done, because there are some differences. Also, some companies might have only done the GDPR work for their EU impacted sides of the business. So, if a company looked at all of their data processing activities, the question would be, “Well, what else do I need to do?”
First, the privacy notice requirements under CCPA are a little bit different. There are some very specific categories, for example, of needing to list the types of third parties that data is going to. That will need to be a change. Making sure the individual rights are a little bit different. There’s going to need to be sort of some alignment between listing the individual rights for CCPA and the individual rights for GDPR, one very specifically around the sale of data. GDPR does not have a specific right that says, “Opt me out of the sale of data.” CCPA does, and CCPA says you have to have a button on your home page that says, “Opt me out of the sale of data.” If any company sells data, a massive change right there is that they’re going to have to figure out: What data do they sell? Where is all that data? How will they create a process to be able to honor those individual rights and be able to move forward on those?
Sabrina: What are some of the consequences associated with any violation of these regulations, or, at worst, data breaches?
Jodi: Under GDPR, the big headline has been it can be up to 4% of global revenue or €20 million for some violations. In some cases, it can be half of that. We’re starting to see some fines come in, and they aren’t necessarily at that high level quite yet. But, what we are seeing is the impact.
To me, one of the most important pieces is not just the financial impact, but the brand reputation. So, you’ll have negative PR about your company if there’s some type of violation, and then you’ve lost customer trust.
If there’s a situation under CCPA, the violations can range between $2,500 and $7,500 per infraction. And on a data breach level, this is an area I think companies really have to pay some close attention to, because there’s an individual private right of action that is up to $750 per record if the company is found to have had a data breach and was essentially negligent. Meaning, they should have done something, and they didn’t. That can add up really quickly. I think this is a good opportunity for companies to look at their overall security practices and review on an ongoing basis and determine what changes need to be made so that they’re in the best position to avoid those types of fines and, again, that negative PR that’s often associated with a situation like that.
Sabrina: You mentioned that besides California, there are a number of other states looking at this type of legislation. Do you think it will eventually make its way to the federal level?
Jodi: There’s a lot of conversation about national federal privacy law, and it’s complicated. Does it replace the existing laws that we have today? What should that law look like? You have some constituents who feel like it should be closer to GDPR, you have some who feel like it should stay a little bit more similar to the CCPA as drafted today, and then you have some who feel like, “Nope, we’re not ready for that.”
So, I think we’re seeing the conversation elevated for sure. I, as a privacy professional, really do hope that we can have some type of a federal privacy law that makes sense, because we’ll continue to have 50 privacy laws potentially, because the states are going to continue to want to help protect their residents. For a business to manage 50 privacy laws is onerous. That’s very complicated to navigate those waters. So, I’m excited that we’re here having this conversation, and it’s certainly an interesting time in the privacy arena right now.
Sabrina: Jodi, what should companies be doing right now to prepare? If you could sum it up for us.
Jodi: Companies need to first pick somebody in the company to identify who is going to be responsible for ensuring that the company is compliant with the CCPA. That likely is then going to involve putting a team together. Who are the right stakeholders in the company? And the very next thing is a data inventory, because you really cannot draft the right privacy notice, you can’t figure out what your individual rights policies need to be if you have no idea what data it is that you even have. And from there, you may identify some policies or procedures or updates that need to happen.
And then, with all of these laws, it’s really important that it be maintained, so it’s not really just a check the box activity; “Last year it’s GDPR, this year it’s this CCPA thing, next year will be a new four letter acronym.” It needs to be something that’s sustainable. I’m often working with companies, and they’ll identify someone internally who’s going to be their long term privacy advocate, and maybe for some companies there’s not a full time need. So, when I work with companies, I might serve that part time need for them to be able to help them navigate all these different privacy laws and data strategies and to continue helping. Right now, it’s: identify that original person who’s going to help them. Create those data inventories. And then, from there, they can determine what other policies and procedures and training needs to happen to make it an ongoing, sustainable process.
Sabrina: Jodi, thank you very much for being with us today. You’ve certainly given our listeners some great insight into the California Consumer Privacy Act. And thank you to our listeners for tuning in to Frazier and Deeter’s Culture of Compliance podcast. Please join us for our next episode, as we continue to discuss transforming compliance requirements into investments in your business.