Joel Wuesthoff and Samantha Kim discuss the new California data privacy mandate and explore specific rights that the law grants to California consumers regarding the privacy of their data.
Robert Half Legal Report
Samantha Kim is a director with Robert Half Legal’s consulting solutions practice, based in New York City. She served...
Joel Wuesthoff is a former practicing attorney, Certified Information Systems Security Professional (CISSP), and a managing director for Robert...
Charles Volkert is senior district president of Robert Half Legal, a premier legal staffing service specializing in the placement...
In June 2018, the Governor of California signed into law a privacy bill with significant implications for any organization worldwide that possesses or collects personal information on California citizens. Referred to as the California Consumer Privacy Act of 2018, the law, which will take effect on January 1, 2020, already has companies working hard to understand its implications and to identify actions they need to take to achieve compliance.
In this episode of The Robert Half Legal Report, host Charles Volkert, senior district president at Robert Half Legal, is joined by two members of the company’s consulting solutions practice – managing director Joel Wuesthoff and director Samantha Kim. They discuss the new California data privacy mandate, explore specific rights that the law grants to California consumers regarding the privacy of their data and examine which types of businesses – and law firms – are subject to the legislation. They also review key steps organizations should take to ensure they attain compliance with the law by the January 2020 deadline.
Robert Half Legal Report
How California’s Consumer Privacy Act May Impact Your Legal Team
Intro: Welcome to the Robert Half Legal Report, where we discuss current issues impacting the legal profession, related to hiring, staff management and more, with leading experts in the field.
Robert Half Legal provides lawyers, paralegals and support staff to law firms and corporate legal departments on a project and full-time basis. The Robert Half Legal Report is here on the Legal Talk Network.
Charles Volkert: Hello everyone and welcome. I’m Charles Volkert; Senior District President of Robert Half Legal and the host of our program. Our guests today are two subject matter experts from Robert Half Legal’s Consulting Solutions Practice, Joel Wuesthoff and Samantha Kim.
As Managing Director, Joel is a former practicing attorney, certified information systems security professional and has more than 15 years of legal practice and consulting work in high-stakes litigation and government investigations.
Samantha is the Director with Robert Half Legal’s Consulting Solutions Practice and is based in New York City. She served as a Deputy District Attorney in the San Francisco Bay Area in both Alameda and Contra Costa counties, prior to joining Robert Half and she earned a law degree from the University of Santa Clara School of Law.
Joel and Samantha counsel our law firm and legal department clients on a broad range of risk management, information governance, eDiscovery, data security and privacy as well as other legal matters.
Thanks so much Joel and Samantha for joining me today to discuss a comprehensive privacy act recently passed in California and explore the impact this new law will have on legal teams.
Samantha Kim: Thank you.
Joel Wuesthoff: Thank you, Chad.
Charles Volkert: So this new Act referred to as the California Consumer Privacy Act of 2018 or CCPA. The legislation was signed into law by California Governor Jerry Brown at the end of June. The Act provides California consumers with a number of specific rights with respect to their private data and imposes significant obligations on affected companies.
Joel, to start our discussion, can you outline some of the key privacy rights, the Act provides to consumers and also explain what types of consumers are protected.
Joel Wuesthoff: Of course, Chad. I think it’s probably good to start with that definition of consumer. The CCPA covers all California residents not just consumers in kind of the buying sense of the word but includes employees as well. It does not include people for instance or visiting as a tourist or temporarily in California.
So essentially there are five rights once we understand the definition of what consumer needs are, five rights that accrue to these individuals. The Right to Know, the Right to Request, the Right to Delete, the Right to Opt Out, and the Right to Equal Service, so we’ll touch on all of those during this session.
Let’s talk maybe a little bit more about the rights in a nutshell there are what we might know as affirmative obligations for businesses that are typically demonstrated through your website, privacy notice. And then there’s certain rights which must be exercised by the consumer including access and control of the information that a business creates and/or sells.
So, in general, your rights to know are more limited or high level than your rights to request or obtain access to. So let me talk a little bit about what those rights are and the types of information that must be disclosed affirmatively or in response to requests, and they’re as follows.
The categories and specific pieces of personal information that a business has collected about an individual; the categories of sources from which personal information is collected, whether that’s another business, whether it’s another entity, where did you get that information.
Third, business purpose for which personal information is collected. A fourth category would be third parties with whom businesses share consumers’ personal information and one should note that there are distinctions in the statute between third parties and service providers, similar to some degree with other privacy statutes around the world such as the GDPR.
The final two rights or opportunities for access that are given to the consumer are categories of personal information that the business has sold or disclosed about consumers. This is a particular concern with the variety of news and media reports that we see around Facebook and Cambridge Analytica. This is significant concern about how companies share and particularly sell data that the consumer may not be aware of or consented to, and then finally, the consumers have the right to request deletion of personal information and ability to prevent sale of their personal information.
One thing more, Chad, I will mention before finishing up the answer to this question is the obligation on companies to actually exercise and execute the deletion of personal information is extraordinarily difficult and requires input from a variety of different business units within an organization.
Charles Volkert: Very interesting Joel. Turning to you Samantha, what kinds of businesses are subject to the CCPA?
Samantha Kim: Sure, so Chad, I think everyone’s really curious to see whether their business needs to comply with CCPA or not? And the first part of this question is that this law will apply to for-profit companies and those also include law firms and they are any for-profit companies that are doing business in California, and that involves really California residents or consumers as Joel just explained.
So the primary focus of this law is really targeting the large companies. So we’re talking about the large tech companies that are mostly based in California such as Google, Facebook, the large names like that. And it’s going to apply to even businesses are not doing business in California; however, if they’re collecting personal data or personal information regarding California residents.
So what that means is we have to look at some of the criteria to see if a business falls within the scope of this law. As lawmakers have carved out, they have to meet one of three criteria. First, does the business have an annual gross revenue in excess of $25 million. Two, does it annually process personal information of 50,000 or more California residents, households, and/or devices; or three, does it derive at least half of its gross revenue of sale from personal data of California residents. So it’s got to meet one of those three in order to fall within the scope of the CCPA.
Charles Volkert: Very interesting. Thank you, Samantha. So how is personal information defined in the California Privacy Act?
Joel Wuesthoff: You know what, Chad, the definition is extremely broad. It actually covers some of the things that you would assume would be part of the definition such as Social Security Numbers, the name, address, email address, driver’s license and password numbers. Those things you might expect.
There are some other elements of the definition that maybe you might not expect such as biometric identifiers, fingerprints, geolocation information, tracking data and unique identifiers such as IP address. It also includes behavioral and profiling another data source from Internet activity such as online browsing search and purchase history, employment and education information.
One of the other things that is not included in say other privacy regimes such as a GDPR is the term thermal and olfactory information about an individual, so the definition of personal information is fairly broad.
Now, some categories of information are excluded from the Act including publicly available data and aggregated information where individuals’ identifiers have been removed.
Charles Volkert: Great. Thank you, Joel. Samantha, regarding some of the rights the Act provides to consumers, can you discuss for our audience some of the requirements it imposes on affected businesses?
Samantha Kim: Yes, so there are quite a few new requirements that businesses have to comply with. And really this law is about transparency and giving a lot of transparency back to the residents or the consumers. So in this case, the law is going to require that businesses provide to consumers at least, two methods of contacting them, to exercise their rights.
So what that means is the businesses have to not only provide just a telephone number but they need a secondary method such as a website, a direct email, a direct contact at the company. And some other requirements along with the contact information is that the businesses must disclose specific information on its website relating to categories of personal information that it has collected and/or sold during the prior 12 months.
And again, this goes back to transparency so that people are aware of what information that the business has and also, if the businesses that do sell personal information to third parties, it must include a link for consumers to see that there is a do not sell my personal information on their website.
So again, this is analogous to a do not call list, if you will, that we’ve had as laws enacted. So similarly we need to give consumers the right to have their personal data not be resold to another party and also businesses have to honor the consumers’ opt outs for at least one year before approaching them again to re-request information of their personal data.
So, again, it’s giving a lot of rights back to the individual and the consumer here and trying to regulate and really enforce laws to make it really transparent for someone that’s using their personal information.
Charles Volkert: Excellent. Thank you. Are there significant differences between the requirements of the European Union’s general data protection regulation and the California consumer privacy Act, Joel?
Joel Wuesthoff: There are similarities, there are a few distinctions, but let me touch on the similarities before I get to the areas where they diverge. There are the right to be forgotten as we’ve talked about this idea of portability where you can move your data from one company to another company, the right to access data. There are some similarities around third-party risk management. In the GDPR there’s Article 28 which requires certain provisions to be part of the data sharing contract. Those themes run throughout the CCPA, they’re a little bit different, they’re little bit more nuanced, but those areas are there.
I think where the difference are, I think are important to illustrate the CCPA does not have — elaborate concepts of what they call the legal basis of processing, there’s about six different purposes that one can use under the GDPR to show that you have the right to do it in California that doesn’t exist. There’s a different take on what they call opt in or opt out. The GDPR takes a stance that you must opt in to sharing data or the use of your data and the CCPA it’s more of an opt-out jurisdiction. For the GDPR it covers any organization holding personal data on data subject in the EU and the CCPA covers only for-profit companies that possess data on California residents and that meet a high annual revenue threshold possess the personal data of thousands of people and derive at least half of revenue from sell of personal data, Samantha discussed earlier.
For the GDPR you must notify consumers if the data breach exists with CCPA, that notification does not appear though although it does refer to other statute where that obligation does exist.
With respect to penalties the GDPR, as Samantha, I think also talked about is 4% of revenues or 20 million Euros, whichever is greater. In the California law there is a distinction between penalties enforceable to the AG and those would be collected through a private right of action. For AG enforcement it’s up to $7,500, for intentional violations and then for private right of actions it’s per violation per customer, and Chad, we should note that the private right of action just mentioned is only applicable where there is a breach as opposed to some of the broader privacy obligations which would be enforced by the AG.
Charles Volkert: Great to know, Joel, thank you. Well, we have much more to discuss with Joel and Samantha regarding California’s new privacy law, but first it’s time for a quick break.
Advertiser: To find, hire, and retain the best legal professionals, it’s critical to have a sound hiring strategy in place. Robert Half Legal works with law firms and corporate legal departments to create effective staffing plans that can adapt to changing workload levels, realize significant cost savings, and improve the overall management of human resources.
We offer a wide range of resources to assist hiring managers and job candidates, including our annual salary guide, industry-leading workplace research and valuable interactive tools. For more information, call us at 1-800-870-8367 or visit roberthalflegal.com.
Charles Volkert: Welcome back to the Robert Half Legal Report. I’m Chad Volkert and joining me today are Joel Wuesthoff and Samantha Kim from Robert Half Legal’s Consulting Solutions Practice.
We’ve been talking today about the recently passed California Consumer Privacy Act, a comprehensive law that protects information privacy by providing California residents effective ways to control their personal information.
The Act was signed into law at the end of June and is set to take effect on January 1, 2020 and while it is several months before the Act is enforceable many companies have already started preparations to comply with the legislation.
Joel and Samantha, can you discuss initial actions that law firms and corporate legal departments and affected companies should take now in response to CCPA?
Samantha Kim: Yes, Chad, there are several things that companies should start looking at before the enforcement date in 2020. First companies and legal departments should look to see if the CCPA applies to them.
And as I’ve mentioned these are going to be for-profit companies that do a lot of business in California, and also they need to look to see if their law firm, for example, and they serve as outside counsel for a company whether that company may be impacted also by CCPA, because their work with clients and things may subject them to that law as well.
So some of the critical steps that companies that deal with California residents and California consumers is first to identify how this law is going to apply to them. They should determine if they collect if they maintain or hold any personal information for California residents, and if so, does the company meet the other qualifying criteria such as the revenue marker that I discussed earlier and if they do then I think they should all start a CCPA compliance team of some sort to begin planning to start discussing how to implement changes that are going to be required once the law comes into effect January of 2020.
Now what does this look like for a company I think that means that they should start taking the key steps which is first collecting their data doing a data discovery, mapping out where all this data sitting, figuring out who has access to the data, figuring out what specific applications may hold this personal information, looking then to see how long this information is being retained and going further see if and how they could delete this information if a consumer or a resident reaches out and asked them to delete it. So, I think some of those are the necessary steps in order to be compliant with the CCPA.
And also to note, Chad, there are still changes that are happening to this law. What I mean by that is an amendment was just passed recently, September 23rd that’s SB 1121, that basically is carving out some exceptions to CCPA and what I mean by that is there’s certain information that’s already being governed. So, for example, medical information is already governed by HIPAA, so lawmakers are seeing in this situation that CCPA will not apply to an area such as medical information because that already has a governing law and there are several other carve-outs that are discussed in this amendment. So, I think it’s important to note anyone looking at the CCPA that it’s not finalized, but there will be further amendments or addendums to this law as we move forward.
Charles Volkert: Excellent, Samantha. Thank you. What does the California Privacy Act mean for law firms providing counsel to impacted companies or legal departments within those companies and can you offer strategies or tips to assist them in their compliance efforts?
Joel Wuesthoff: Yeah, Chad, that’s a great point. I think those two areas are certainly things that I think companies are now just trying to get their arms around and specifically law firms, they will note, and I think this shows the role of most likely attorneys in the legislative process that there is a reference in the statute that the sharing of personal information does not violate an evidentiary privilege and so from a legal perspective there’s some protection under the statute for collecting information from a client that might be, for instance, protected by work product or some type of privilege within either the Federal Rules of Evidence or Federal Rules of Civil Procedure and the local equivalents in California. So that’s important for lawyers to know.
And I want to re-emphasize what Samantha said was that in certain situations the law firms themselves may be covered by the statute not just as an advisor but as either — and more likely as a service provider should that occur or as a business depending on the size of their entity.
So I think we’ve heard throughout our discussion here that there clearly should be alignment with other divisions in working with the clients’ cross-functional teams addressing CCPA compliance not the least of which it’s because there are certain tensions across the companies’ information governance strategies whether it’s eDiscovery, whether its records retention or privacy where the lawyer’s advice are critical, and I will note that there are nine exceptions, for instance, to a consumer’s request to delete information and at least one or two of them relate to the law.
So, maybe I could jump down to some of the examples of areas where a law firm could support a client’s preparation and an ongoing compliance with the CCPA, and these might serve as somewhat of a checklist as I go through them.
Certainly preparing a data map inventory of the information that is collected by the organization, shared what that information has been collected for, why, the purpose of it, where it came from, how long it’s kept, and whether or not it’s being shared with third parties or service providers?
A second element would be the need to review an update as needed company data management procedures and policies. A third part of that checklist would be, and Samantha mentioned this early on, is the need for an audit, a regular audit whether it’s yearly audit or biannually for the collection and processing of personal information, to determine whether or not there’s exposure in compliance with the CCPA and whether proper controls are in place.
The client should certainly with the advice of counsel review and update any policies with information about consumers’ rights under the Act, the categories of personal information and company has collected from the consumers dating 12 months back, and keep in mind that even though the Act is effective in 2020, there’s a look-back period of 12 months, which means that companies should they receive a right of access or request delete, that would date back to the entire 12 months preceding that which would be starting in three to four months in the year 2019.
There are as we’ve talked about before these rights of opt-out mechanisms on your homepage so that language needs to be very clear. Do not sell my personal information, needs to be on the website to allow consumers to prevent personal information from being sold or disclosed to third parties.
As a companion would be the right to know on the right to deletion, those need to be implemented both from a process perspective and a procedural perspective to track and respond to customer requests, to identify data that relates to consumers and note that aggregated data may be excluded from the scope of the CCPA, by aggregated data or anonymized data that would be data that cannot be tracked or readily tracked back to the consumer.
Certainly, the client as I mentioned earlier must need to understand map data to enable efficient response to consumer requests, and this is the added value of helping in a discovery context or simply information management.
The final two or three elements that I would mention is the need to develop those two mechanisms that Samantha discussed for submitting request for information disclosures, make sure that your inventory process are kept current as new consumer information is collected and deleted, the importance of training employees regularly to respond to consumer requests and where organizations share consumers personal information, they need to implement language in their third-party contracts to ensure that those provisions are passed to those parties.
Charles Volkert: Excellent, Joel. Very good information. You’ve both provided some wonderful examples all of which underscore why it’s critical that companies impacted by the CCPA gets started now on the significant number of activities required to comply with the regulation.
Unfortunately, at this point it looks like we’ve reached the end of our program. A special thanks to both of you, Joel and Samantha, for joining us today. It’s been a pleasure having you.
Before we close I’d like to let the audience know how they can contact you and where they can obtain more information.
Joel, could you share your contact information.
Joel Wuesthoff: Certainly, Chad, it’s been a pleasure. My email is [email protected]
Charles Volkert: Excellent, and Samantha what about for you?
Samantha Kim: Thanks for having us, Chad. My email is [email protected]
Charles Volkert: Excellent. Our listeners can reach me at [email protected] And you can also visit the Robert Half Legal website for additional information on legal career and practice management resources, including our latest salary guide for legal professionals at roberthalflegal.com.
Thanks again, Joel and Samantha, and thank you to our audience for listening today.
Join us next time on the Robert Half Legal Report as we discuss important trends impacting the legal field and legal careers.
Outro: The views expressed by the participants of this program are their own and do not represent the views of, nor are they endorsed by Robert Half Legal, Legal Talk Network, or their respective officers, directors, employees, agents, representatives, shareholders, or subsidiaries. None of the content should be considered legal advice; as always consult a lawyer.
Thanks for listening to this podcast. Robert Half Legal connects highly-skilled candidates with the best positions in the legal profession.
If you liked what you heard today, please remember to rate us in Apple Podcasts; also, follow Robert Half Legal and Legal Talk Network on Twitter or Facebook.
Join us again for the latest information in the next edition of the Robert Half Legal Report, here on the Legal Talk Network.
Robert Half is an equal opportunity employer including minorities, females, people with disabilities and veterans.
The Robert Half Legal Report covers the latest trends affecting the legal profession.
Jamy Sullivan discusses the changing expectations of legal departments and the impact on the selection, management and evaluation of outside counsel.
Jamy Sullivan outlines Gen Z's values, attitudes and career aspirations and offer critical strategies to recruit and motivate this next generation of legal professionals.
Joel Wuesthoff offers strategies to help companies stay ahead and adjust security and privacy practices to manage the growing volume of data regulations.
Ida Abbott discusses critical components of succession planning that can position law firms or legal departments, their clients and departing leaders for future success.
Jamy Sullivan, executive director of Robert Half Legal, explores the latest hiring and compensation trends expected to shape the legal profession in 2019.
Joel Wuesthoff and Samantha Kim discuss the new California data privacy mandate and explore specific rights that the law grants to California consumers regarding...