Data privacy continues to be a hot-button issue. Several factors contribute to the recent flurry of global legislative activity. These include rising reports of security breaches that compromise personal information, lack of visibility into what personal information is collected, and limited control for owners to determine how information is used. The United States is no exception. Due to a lack of centralized formal legislation on data privacy, efforts to change are mounted at the industry, federal, and state levels.
In recent months, Louisiana, Vermont, and Colorado have passed amendments to their existing data breach and notification laws. The changes range from expanding the definition of personal information to regulating activities of data brokers. Amid these changes, a proposed initiative in California titled “The California Consumer Privacy Act of 2018” is receiving a lot of attention due to its breadth and potential impact nationwide.
The California Consumer Privacy Act of 2018 was an initiative backed by privacy advocates that sought to provide consumers with visibility into and control over personal information collected and sold by businesses. The measure faced substantial opposition from the tech industry. Despite this, its supporters announced that they had received enough signatures to qualify for the November ballot. On Thursday, June 21, 2018—before the Secretary of State completed the signature verification process—a tentative agreement was announced whereby the initiative would be withdrawn in exchange for the passage of an alternative bill, the “California Data Privacy Protection Act.” But, there is still uncertainty because both houses must pass the bill and it must be signed into law by the governor by June 28, 2018. If this deadline is not met, the initiative will move forward for vote in November.
While the frameworks of the initiative and the bill contain similarities, there are critical differences. Key changes include the:
- threshold for covered businesses
- scope of personal information
- ability to request personal information be deleted and exceptions to that right
- opt-out and anti-retaliation provision
- number of penalties (decrease)
- number of exemptions (increase)
While the state of privacy in California is unclear, from an information governance perspective, some universal steps can help achieve compliance. Read on to learn about a few of these steps.
Know Your Information
The piecemeal approach to privacy in the United States can make compliance difficult because of variances in the laws. One key difference is often in the definition of personal information (and any noted exemptions), which dictates what information the covered entity can collect, store, and use. Accordingly, it’s critical to understand the scope of coverage and then map the flow of personal information to discharge both obligations and accountability effectively.
In this case, because of the uncertainty of the state of the privacy law in California, the scope is undecided. However, both the initiative and the bill lay out a definition of personal information, along with exemptions based on coverage under existing laws (e.g., protected health information subject to the Health Insurance Portability and Accountability Act). This definition sets the guardrails for the personal information framework, which can be used to conduct a gap analysis for existing programs or, if initializing in response to the proposed initiative or bill, to create the foundation for a new program.
Identify New Records
Besides records that contain personal data, there are typically records associated with privacy-related activities. These records are not explicitly called out but are largely inferred, which leaves their exact nature and extent unique to each covered entity. Once identified, retention schedules must be assessed to find any existing record series that governs their retention, or to determine whether new record series must be created and assigned retention.
Consider that under both the initiative and the bill, a covered entity must respond to a “verifiable consumer request.” The steps for verification will be based on the rules and procedures set by the Attorney General. In general, this consists of either a request submitted through a password-protected account while the consumer is logged on or, where no account is maintained, a way for the covered entity to authenticate the consumer’s identity. This process is further complicated by the fact that an agent of the consumer can make a request. Consumers can even make a request on behalf of a minor child. Accordingly, operational records developed to comply may include procedures for how to verify consumer identity, scripts for verbal or electronic requests, the capture of the requests, and confirmation of delivery or other response, to name a few.
Furthermore, as these records do not have a defined retention period within the initiative or the bill, they will need to be addressed with knowledgeable stakeholders. When the operational need for retention aligns with an existing record series, it’s ideal to use the existing series. However, be mindful of those records that contain personal information before you determine the retention period. If you can’t align the retention, you might need to create a new record series.
Identify Applicable Legal Requirements
It is not uncommon for data privacy laws to contain exemptions from the law, or exceptions to retention limitations, based on a general caveat (e.g., unless provided by another law). In this case, while neither the initiative nor the bill contains a specific retention period for personal information or related operational records, there are exemptions. Hence, to discharge its obligations properly, a covered entity must review these other laws to determine the scope of coverage and compliance.
Even where the operational records are not identified or covered, there may be other overlapping laws that define retention based on broad categories. Therefore, determine the jurisdictional scope and survey the applicable laws to ensure that the assigned retention and the records-handling processes related to personal information management are compliant.
Timely Dispose of Personal Information
The more personal information you manage, the more you need to track and account for. Otherwise, you might experience loss or mishandling of information, or even become a target for security breaches. To reduce exposure, monitor and audit personal information to make sure it is disposed of properly. This helps ensure information isn’t retained beyond the use for which it was collected. If subject to retention for longer based on a legal requirement, retain it for no longer than that period. Also, keep in mind that disposal applies to all copies and duplicates, regardless of format. Use a data map to understand the flow of personal information and develop a plan for disposition.
While this article focused on managing personal information, citing commonalities between the California initiative and bill, the pointers can be adapted universally in this area of law. As you identify or reassess your compliance plan, it is critical to understand the scope of personal information collected, used, and stored. Your compliance plan should be supported by good records management practices to ensure that records are accounted for and disposed of in a timely manner in line with legal requirements or operational needs, with specific care to reassess the retention of those records that contain personal information. Finally, continue to monitor and audit on a regular basis to stay compliant moving into the future.
Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.