Data privacy continues to be a hot-button issue. Several factors contribute to the recent flurry of global legislative activity. These include rising reports of security breaches that compromise personal information, lack of visibility into what personal information is collected, and limited control for owners to determine how information is used. The United States is no exception. Due to a lack of centralized formal legislation on data privacy, efforts to change are mounted at the industry, federal, and state levels.

In recent months, Louisiana, Vermont, and Colorado have passed amendments to their existing data breach and notification laws. The changes range from expanding the definition of personal information to regulating activities of data brokers. Amid these changes, a proposed initiative in California titled “The California Consumer Privacy Act of 2018” is receiving a lot of attention due to its breadth and potential impact nationwide.

The California Consumer Privacy Act of 2018 was an initiative backed by privacy advocates that sought to provide consumers with visibility into and control over personal information collected and sold by businesses. The measure faced substantial opposition from the tech industry. Despite this, its supporters announced that they had received enough signatures to qualify for the November ballot. On Thursday, June 21, 2018—before the Secretary of State completed the signature verification process—a tentative agreement was announced whereby the initiative would be withdrawn in exchange for the passage of an alternative bill, the “California Data Privacy Protection Act.” But, there is still uncertainty because both houses must pass the bill and it must be signed into law by the governor by June 28, 2018. If this deadline is not met, the initiative will move forward for vote in November.

While the framework of the initiative and the bill contain similarities, there are critical differences. Key changes include the:

  • threshold for covered businesses
  • scope of personal information
  • ability to request personal information be deleted and exceptions to that right
  • opt-out and anti-retaliation provision
  • number of penalties (decrease)
  • number of exemptions (increase)

While the state of privacy in California is unclear, from an information governance perspective, some universal steps can help achieve compliance. Read on to learn about a few of these steps.

Know Your Information

The piecemeal approach to privacy in the United States can make compliance difficult because of variances in the laws. One key difference is often in the definition of personal information (and any noted exemptions), which dictates what information the covered entity can collect, store, and use. Accordingly, it’s critical to understand the scope of coverage and then map the flow of personal information to discharge both obligations and accountability effectively.

In this case, because of the uncertainty of the state of the privacy law in California, the scope is undecided. However, both the initiative and the bill lay out a definition of personal information, along with exemptions based on coverage under existing laws (e.g. protected or health information subject to the Health Insurance Portability and Accountability Act). This definition sets the guardrails for the personal information framework, which can be used to conduct a gap analysis for existing programs or, if initializing in response to the proposed initiative or bill, to create the foundation for a new program.

Identify New Records

Besides records that contain personal data, there are typically records associated with privacy-related activities. These records are not explicitly called out but are largely inferred, which leaves their exact nature and extent unique to each covered entity. Once identified, retention schedules must be assessed to find any existing record series that governs their retention, or to determine whether new record series must be created and assigned retention.

Consider that under both the initiative and the bill, a covered entity must respond to a “verifiable consumer request.” The steps for verification will be based on the rules and procedures as set by the Attorney General. However, this consists of either a request submitted through a password-protected account while the consumer is logged on or, where no account is maintained, a way for the covered entity to authenticate the consumer’s identity. This process is further complicated by the fact that an agent of the consumer can make a request. Consumers can even request on behalf of a minor child. Accordingly, operational records developed to comply may include procedures for how to verify consumer identity, scripts for verbal or electronic requests, the capture of the requests, and confirmation of delivery or other response, to name a few.

Furthermore, as these records do not have a defined retention period within the initiative or the bill, they will need to be addressed with knowledgeable stakeholders. When the operational need for retention aligns with an existing record series, it’s ideal to use the existing series. However, be mindful of those records that contain personal information before you determine the retention period. If you can’t align the retention, you might need to create a new record series.

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.