Data privacy remains a critical priority for businesses today. The introduction and enforcement of regulations to protect consumers’ personal data is a trend that shows no sign of abating. And that reality has become a key challenge as organizations seek to maintain compliance amid ever-shifting privacy mandates.
In this episode of the Robert Half Legal Report, attorneys Charles Volkert, senior district president of Robert Half Legal, and Joel Wuesthoff, a managing director with the company’s consulting solutions practice, discuss significant updates relating to data privacy that could directly impact your business and compliance obligations. They explore recent changes in the California Consumer Privacy Act (CCPA), including enforcement actions. They examine the impact of a landmark ruling that invalidated the EU-US Privacy Shield, offering approaches to set a new course for EU-US data transfers. And they suggest strategies to help companies ensure ongoing data privacy compliance, including an audit checklist.
Robert Half is not a law firm and does not provide legal representation. Robert Half project attorneys do not constitute a law firm among themselves.
Robert Half Legal Report
Understanding Recent Updates to the CCPA and EU-US Privacy Shield
Intro: Welcome to the Robert Half Legal Report, where we discuss current issues impacting the legal profession, related to hiring, staff management and more, with leading experts in the field.
Robert Half Legal provides lawyers, paralegals and support staff to law firms and corporate legal departments on a project and full-time basis. The Robert Half Legal Report is here on the Legal Talk Network.
Charles Volkert: Hello everyone and welcome. I am Charles Volkert, Senior District President of Robert Half Legal and the host of our program. Our guest today is Joel Wuesthoff, Managing Director at Robert Half Legal Consulting Solutions, where he provides leadership and guidance to clients on information governance, compliance and other legal service solutions. A former practicing attorney, Joel is a Certified Information Systems Security Professional (CISSP) and a member of the International Association of Privacy Professionals.
Joel, welcome to the show.
Joel Wuesthoff: Thank you Chad, it’s great to be here. Privacy has been hot for the last few years and it looks like it’s heating up again, so this is very timely.
Charles Volkert: Well, it’s great to have you. Building a strong data privacy plan has become a key imperative for businesses, large and small, during recent years, and an even greater priority is to maintain an effective and resilient privacy program that protects consumers’ personal information. Not an easy task amid the ever-shifting privacy regulations that we’re seeing emerge.
We’ll be discussing with Joel important updates relating to data privacy regulations that could directly impact your business and compliance obligations. We’ll outline the latest developments in connection with the California Consumer Privacy Act, otherwise known as CCPA, and how to avoid the risk of serious penalties now that enforcement efforts have begun.
We’ll also talk about the recent landmark ruling that invalidated the EU-US Privacy Shield to help you understand its impact and how to establish a new strategic course for EU-US data transfers, and we’ll also offer an audit checklist and examine key strategies to help ongoing privacy compliance.
Joel, let’s start our discussion with the California Consumer Privacy Act of 2018. The CCPA provides groundbreaking privacy rights for California residents relating to their personal information and a clear road map for how businesses should use and store that information. What are the key provisions of the Act?
Joel Wuesthoff: Yes, so great place to start. There’s no question that the CCPA leads the way in the United States for data privacy and given the size of the state it will have a significant impact on corporate compliance programs.
So I’d like to take a look at the Act. The Act defines personal information very broadly and I’m going to get into the weeds a little bit here, so it defines it as any information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household.
So that’s quite a mouthful, but it’s critical to be mindful of this definition as it drives all sorts of compliance obligations.
So the Act grants California residents significant privacy rights and control of their personal information, and it’s built on a premise that California residents own their personal information, that they have a right to decide if and how it can be collected, stored, used, accessed and sold or shared.
So who does it apply to? The law applies to any business that collects consumers’ personal data, does business in California and then meets one of the following requirements, I’m just going to read those out.
First, annual gross revenue is more than 25 million. Secondly, it buys, receives or sells personal information of 50,000 or more consumers or households. And finally, it earns more than half of its annual revenue from selling consumers’ personal information.
Charles Volkert: That’s great detail, Joel, I appreciate that. You know, I think I’d like to underscore that the CCPA doesn’t just impact businesses located or incorporated in California; it applies to any business worldwide that meets the noted criteria, and a special caution for businesses that are approaching the revenue or volume-of-consumer thresholds. Consider if you anticipate increased sales through an upcoming merger and acquisition or perhaps a new service or product launch. If so, it’s important to start planning ahead for actions that may be required for CCPA compliance. Since it was introduced, the CCPA has undergone several rounds of modifications, and on August 14th the California Attorney General released final implementing regulations for the CCPA.
Joel, can you bring us up to date, what’s the current status of the CCPA?
Joel Wuesthoff: So the big takeaway here is that there are no more further modifications, no amendments, no updates, no further guidance until there is, and by that I mean there’s going to be another statute potentially proposed and maybe passed in the upcoming election, but we’ll get to that.
As it stands now the CCPA in its current form became law on January 1, and it’s kind of interesting to note that back in March a group of businesses requested a six-month delay in CCPA enforcement due to COVID-19. The Attorney General responded saying, look they had no plans to postpone enforcement and in fact started sending out notices of deficiencies on July 1 of this year, so they’re not slowing down at all.
Probably the biggest development right now is the recent approval and the withdrawal of certain elements of the AG’s Regulations, and as of July 1 the Act became enforceable by the Attorney General. And I should mention, and we may get to those a little bit later, that the changes that were made and withdrawn in August were fairly minor but related to explicit consent for purposes such as materially different, dealt with some of the opt-out provisions, and finally authorized agents and what their role should be.
So as a recap, the AG’s office submitted final proposed regulations to the California Office of Administrative Law on June 1. The OAL approved this final version along with updated addendum and the final implementing regulations are in effect. So the net of all of this is that all businesses subject to the CCPA need to be in compliance and they need to have the right policies and practices in place now.
Charles Volkert: Lot of moving pieces. So has the AG initiated any enforcement actions since that date, Joel?
Joel Wuesthoff: So the short answer is yes, with caveats. So prior to any enforcement action the State must first notify businesses of non-compliance, and during July, and I think on the first day of July, a number of initial compliance notices, letters, were sent out, kind of a shot across the bow.
According to the Deputy AG at the time these letters were sent to businesses across multiple industry sectors. So we understand that many of those alleged violations were identified through consumer complaints.
Charles Volkert: So if I’m a business that receives a non-compliance notice what are my next steps?
Joel Wuesthoff: Well, your next steps are likely to get serious about what that notification says. The business has 30 days to comply with the regulation and so advise the State. If it fails to comply the AG may open a confidential investigation or initiate a lawsuit.
Charles Volkert: Understood. So recognizing that compliance enforcement is now in effect, are there any significant modifications made to the Act during recent months that businesses should know about?
Joel Wuesthoff: So in general, there haven’t been any real surprises if you’ve been following along, and many of our clients obviously have been. I’ll mention a few areas that have gotten some attention. The requirement that businesses that sell data, and we should note that “sell” has a very broad definition, those businesses must include an obvious “do not sell” option, as well as restrict service providers from selling data on behalf of the business when the consumer has opted out of the sale of personal information.
Next, third parties that buy personal information would no longer need to provide direct notice to a consumer nor offer opt-out alternatives. In addition, there’s some clarification around consumers who want personal information deleted but who also advise businesses that they want to remain in the loyalty program. Businesses can deny such a request, and such a denial would not be considered discriminatory.
Another two or three that are probably appropriate for this audience: businesses are no longer required to advise consumers how personal information was deleted, that requirement was in there in previous versions, but they do need to inform consumers once that request has been honored.
The final two are that businesses will be required to comply with opt-out requests within 15 days and, finally, the removal of a requirement for an opt-out button that was included in prior jobs but is no longer there.
Charles Volkert: Interesting. So what are some strategies that can help businesses remain compliant with CCPA?
Joel Wuesthoff: So, and this may be self-evident, but read the statute, read the guidelines, read the full scope of the requirements of the Act as well as the final version of the AG’s Regulations. Conduct regular compliance audits, and here’s — and you mentioned, Chad, earlier that we provide an audit checklist for businesses, I’m going to go through a few of those right now.
Map all consumer information that you possess, i.e. conduct a personal data inventory to determine what personal data your business collects, how and from where you collect it, and what information, if any, you share with third parties or companies. Under the GDPR, incidentally, this is called the Record of Processing Activities; the same general obligations apply here.
Use findings to help refine data collection. Create new procedures and make needed changes. The next topic would be to update your online privacy notices as required by the CCPA; those notices would appear at or before the time the consumers share personal data with the business. Explicitly outline categories of data that your business collects and reasons for collection, and clearly explain the consumer’s rights under the CCPA. The final area I would suggest as part of your audit checklist is to establish policies and procedures to protect consumers’ rights. This would include, to support the CCPA’s requirement that consumers can opt out from sharing personal data, a “do not sell personal information” link on the website, developing and maintaining workflows to stay on top of consumer requests, and finally training employees on these new processes.
Charles Volkert: And I know, Joel, you and I have talked a little bit about even another key step, which is to update agreements with third parties and service providers that support the primary business in its operations. If you work with third parties to process consumer data, take care to update contracts for CCPA compliance: key provisions, data inventories, incorporating due diligence questionnaires, adding on-site assessments and auditing requirements. I know we’ve talked about all of that as well; are there any additional points that you can think of that our listeners would be interested in?
Joel Wuesthoff: Yeah, maybe a few more and I’ll just reinforce what you just said there. I think many companies miss this part of the obligation which also occurs under other statutory regimes in other countries, so ideally companies can take a look at this provision and use it to maybe take a look at other jurisdictions in which they do business.
But maybe one additional point I would add to what you just mentioned is that there is this new privacy legislation that’s been introduced in California, the California Privacy Rights and Enforcement Act of 2020, also referred to as CCPA 2.0. Supporters have collected more than 900,000 signatures and the initiative has qualified to be on the ballot this November coming up, and so if this thing passed, it would supplement the CCPA and apply additional privacy protection requirements on businesses and strengthen consumer privacy rights.
Charles Volkert: Well, thank you Joel, I know you’ve provided just a ton of great information, and I know there is more to discuss, but first let’s take a quick break.
Advertiser: To find, hire, and retain the best legal professionals, it’s critical to have a sound hiring strategy in place. Robert Half Legal works with law firms and corporate legal departments to create effective staffing plans that can adapt to changing workload levels, realize significant cost savings, and improve the overall management of human resources.
We offer a wide range of resources to assist hiring managers and job candidates, including our Annual Salary Guide, industry-leading workplace research and valuable interactive tools. For more information, call us at 1-800-870-8367 or visit roberthalflegal.com.
Charles Volkert: Welcome back to the Robert Half Legal Report. I am Chad Volkert and with me today is Joel Wuesthoff, Managing Director for Robert Half Legal’s Consulting Solutions Practice.
We’ve been discussing key updates regarding data privacy regulations including recent news about the California Consumer Privacy Act. Now I’d like to switch gears and raise another important development on the privacy front, namely the EU-US Privacy Shield. Designed by the U.S. Department of Commerce and the European Commission in 2016, the EU-US Privacy Shield is a framework that enables companies here and abroad to transfer personal data between the European Union and the United States while complying with privacy requirements.
In mid-July the European Court of Justice ruled to invalidate Privacy Shield, stating the mechanism didn’t sufficiently protect personal data during the transfer process and wasn’t compatible with EU privacy laws.
Joel, how does this landmark ruling impact United States-based companies with clients or customers in the European Union?
Joel Wuesthoff: So the most immediate impact is that more than 5000 U.S. companies that have relied on Privacy Shield for data transfers can no longer do so, and they need to immediately identify and implement alternative measures to securely transfer personal data between the United States and the EU.
So the ruling does state that Standard Contractual Clauses, known as SCCs, can be used for transatlantic data transfers with conditions. I will also note that Binding Corporate Rules, which are another method, are also indirectly implicated in this decision.
So this decision requires the data controller to determine the level of protection and to stop transfer if protection is inadequate and it also underscores that data protection authorities in the EU member countries are accountable for halting transfer of personal data if determined to be unsafe.
Charles Volkert: I’ve heard Joel, that this ruling took many organizations by surprise. For those who have been relying on Privacy Shield can you suggest how they can effectively respond?
Joel Wuesthoff: Yeah absolutely, and before I do that, I do want to note that the U.S. Department of Commerce and the European Commission have initiated discussions to evaluate the potential for an enhanced EU-US Privacy Shield framework. We don’t know how long that will take, we don’t know what kind of political discussions we’ll need to take, but that is a reaction to this decision.
So in terms of the more immediate needs, our clients should work with privacy data governance experts and outside counsel to understand the impact of the Privacy Shield ruling, which is called Schrems II, and to develop a new approach for EU-US data transfers. A part of that deliberation would include a determination of where Privacy Shield has been used as a transfer mechanism, to review vendor relationships, to identify which ones are reliant on the Privacy Shield and, for those that are, to implement new data transfer processes to ensure privacy compliance mandates. As part of that, one would need to review and identify all data export and import arrangements and storage locations, including public cloud providers which may retain data copies without determination of adequate protections. They would need to review and revise their Standard Contractual Clauses to ensure clear data protections considering the Schrems II decision, and, as I mentioned before, consider implementing Binding Corporate Rules.
The final few elements that our clients would need to consider are to review current operational privacy practices and amend as needed, and then finally to review an organization’s privacy policies and practices and public notices and then consult with legal counsel to update documents to reflect compliant terms.
Charles Volkert: Joel, what are some additional strategies that can assist companies in staying ahead of changing regulations and remaining compliant?
Joel Wuesthoff: So the recent Privacy Shield ruling has re-emphasized the need to have an executive-level data privacy officer, which depends of course on your size and scope, or at the very least to have a data privacy manager and team to monitor privacy news, headlines, pending legislation, domestic or global, subscribe to consumer privacy news feeds and privacy association newsletters, and still need to monitor governmental websites for privacy updates.
Secondly I would advise a company to develop a systematized monitoring capability to identify and understand changes to privacy laws and adjust policies and practices as needed to remain compliant.
Third, regularly examine and test emerging technologies that could automate or facilitate compliance solutions, and finally regularly audit practices, policies and procedures to evaluate compliance.
Charles Volkert: Great information, Joel, and on that note, hard to believe, but we’ve reached the end of our program for today.
A special thanks to you Joel for joining today and sharing your insights and guidance with our audience. Before we close, how can our listeners contact you?
Joel Wuesthoff: So they can contact me at [email protected].
Charles Volkert: Excellent, and our listeners can reach me at [email protected], and you can visit the Robert Half Legal website for additional information on legal career and management resources including our latest Salary Guide for Legal Professionals as well as information about our consulting and staffing solutions. The website is roberthalflegal.com.
Thanks again, Joel, and to our audience for listening.
Join us next time on the Robert Half Legal Report as we discuss important trends impacting the legal field and legal careers.
Outro: The views expressed by the participants of this program are their own and do not represent the views of, nor are they endorsed by Robert Half Legal, Legal Talk Network, or their respective officers, directors, employees, agents, representatives, shareholders, or subsidiaries. None of the content should be considered legal advice. As always, consult a lawyer.
Thanks for listening to this podcast. Robert Half Legal connects highly skilled candidates with the best positions in the legal profession. If you liked what you heard today, please remember to rate us in Apple Podcasts. Also, follow Robert Half Legal and Legal Talk Network on Twitter or Facebook.
Join us again for the latest information in the next edition of the Robert Half Legal Report, here on the Legal Talk Network.
Robert Half is an equal opportunity employer, including minorities, females, people with disabilities and veterans.