Preparing for CPRA, CDPA, and Other Emerging State Privacy Laws

WireWheel’s Spokes 2021 conference included a panel of experts discussing current and emerging privacy laws around the U.S., including CPRA and CDPA. The panel was moderated by Rick Buck, Chief Privacy Officer for WireWheel, and panelists included Kristi Preuss, Senior Manager of Privacy Risk Services with Deloitte; Melissa Maalouf, Shareholder with ZwillGen, and Robert Glaser, Chief Privacy Officer and Vice President of Advyz Cyber Risk Services.

The discussion launched with an acknowledgment that Europe’s GDPR has influenced laws all over the world. This becomes more evident when you compare GDPR side-by-side against other regulations. GDPR has sparked conversations around how to approach privacy and the importance of notice, choice, consent—and putting the consumer at the center of the equation.

Taming Complexity

Although many states have introduced privacy laws based on GDPR principles, there are sometimes significant differences among these laws, and companies doing business in multiple states or jurisdictions must wrestle with these complexities.

Indeed, “complexity” was the key word for this panel, as Kristi Preuss dove into the conversation. She brought up the point that the issue extends beyond consumers, and the scope of these laws has serious ramifications for how employee information will be handled—particularly in the life sciences and healthcare, where “consent” can be a thorny issue. “I probably spend 80 to 85 percent of my time helping [healthcare] clients think through content management, and this is before some of these laws have truly gone into effect,” she said.

Robert Glaser weighed in on this topic as well, noting that some industries that may be healthcare-related, but not explicitly healthcare providers, may face onerous challenges when it comes to navigating privacy regulation. “What many of us do not realize is that those companies are not HIPAA-covered entities, which are excluded from CPRA [and the] Virginia and Colorado laws,” he said. “Consequently, when we start looking at those entities, the definition of what must be consented or not consented, what is exempted or not exempt, is very complex.”

First Steps for Companies

When it comes to taking those initial steps to comply with new privacy regulations, Melissa Maalouf recommends first and foremost pinpointing where the data is, where it’s coming from, and how it’s being used. “It’s time now for everyone to do data mapping,” she said. “There’s just no way to avoid data mapping anymore … and even more importantly, [examine] how you’re sharing [information] because so many of these new laws have very specific requirements with regard to the sharing of data between different entities.”

Maalouf goes on to emphasize that, despite the proliferation of laws, most follow the same basic principles. Regardless, compliance should be viewed as an ongoing process—and not something that’s put in motion then forgotten. And the process starts with determining what type of approach to privacy a company would like to take. “Do you want to take the granular approach, where you really do try to tailor your compliance program to each law and use technology, so you only apply certain rights to people with certain IP addresses from certain jurisdictions?” Maalouf says. “Or do you want to take a ‘lowest common denominator’ approach and apply the most stringent protections across the board?”

Preuss went on to explain that everyone in a company has skin in the game when it comes to privacy. Knowledge of privacy regulations and best practices is going to become more and more important—for everyone across the organization, not just the privacy officer. “It’s more than just a once-a-year training … that they take when they become a new employee and they never see it again.”

Robert Glaser agreed: “One of the keys to that comes to embedding [privacy culture] at the foundational level of the business and it’s really part of everyone’s job.”

To Comply or Not Comply: Rolling the Dice

The panelists also tackled the concept of compliance from another angle: the risks of not complying.

“After GDPR, many of us expected to see this [push for more laws and compliance],” said Glaser. “There haven’t been near as many as we expected, so … a lot of companies are willing to roll the dice, particularly if they’re under the radar. … The rules are changing and the risk-based approach becomes extraordinarily important.”

Maalouf disagreed, saying that most companies probably were not willing to “roll the dice” on privacy. “With all of the privacy information that’s been in the press, with just more consumer awareness around these issues, I’ve noticed a big shift with clients really viewing privacy as not a compliance exercise, but as more of a business enabler and a way to differentiate themselves from other companies,” she said, further noting that the risk of litigation is just too big at this point.

Glaser did, however, point out that the trend seems to be shifting away from “data privacy execution” to a more comprehensive “data governance” model.

“In the ideal model, we should push business requirements to our enterprise data management group so that they help us to manage the personal information the way that they manage any other information,” said Preuss. “It becomes part of the broader ‘data governance enterprise data management construct.’”

Beyond the Privacy Impact Statement: What Does “accountability” Really Mean?

Most of the new privacy laws mention transparency and accountability. But Rick Buck took this a step further, asking what exactly accountability means, and whether that idea goes beyond the basics.

The panelists argued that accountability goes well beyond statements and legal documents—it’s a foundational concept that permeates every aspect of a company, to one degree or another. And in order to make that work, there needs to be a good deal of cooperation in the business. “It shouldn’t always just be those back-office functions with the responsibility for executing [privacy compliance],” said Preuss.

Maalouf noted that U.S. companies have had to build their own approach to accountability, but new laws in other states may well define it more narrowly. “The companies who are doing a good job complying … essentially have to build in those accountability mechanisms because it’s the only way to sort of ensure continued compliance. And now with the CPRA amendments and some of the provisions in the Virginia law and the Colorado law, there will be more built-in requirements from the beginning.”

Third-party Risk Management: A “Downstream Obligation”

When it comes to third parties, the panel agreed that the sheer complexity of managing data privacy of contractors and vendors was a thorny issue that wasn’t likely to be simplified soon, no matter which state law is under discussion. “I think that it’s getting a lot harder now to just use the standard form and impose contractual obligations on a vendor,” said Maalouf. “If you’re dealing with an EU transfer now, post-SCHREMS, you do have an obligation under the new standard clauses to do some sort of transfer assessment that’s more than just sticking provisions on an agreement.”

Glaser also pointed out that, here in the U.S., we’re starting to see more “processors” handling this kind of work, just as the contracts with third-parties are becoming more specific about the data itself. “What they are doing is taking a much more assertive and invasive testing approach,” he says. “I am also seeing contract terms that contractually establish who owns the data and who can do what with the data on who’s direction.”

The panel tangled with the problem that even the definitions within laws, let alone contracts, are hazy—and could be a potential minefield for companies trying to comply. Under many of these state laws, the definition “sale” or “selling” can run the gamut, with some being very broad, as in the case of California’s law, while in Virginia and Nevada, the definition of “selling” is tied to monetary considerations. “Navigating these is a moving target,” said Maalouf. “Companies must pay attention and read carefully—and take a risk-based approach.”

Private Right of Action: A Key Sticking Point

Rick Buck shifted the conversation to the private right of action (when someone other than the state has the right to enforce rules under a statute), and noted that the concept seems to divide policymakers—and often marks the difference over whether privacy legislation passes or fails.

Maalouf noted that there could be potential problems down the road, with the possibility of more class-action suits.“The plaintiffs’ lawyers are becoming more creative under CPRA,” said Maalouf. “Before, the existing law was limited to a breach of only certain types of personal data as defined in California. Under the CPRA, that’s actually going to expand to include all of the data components and the existing California breach law—which includes a mere breach of username and passwords—which will potentially bring credential stuffing attacks [under the legal umbrella] that are not really the fault of the company.”

Glaser agrees, believing that as privacy laws evolve—and more states adopt them—the opportunity to be “caught up in a legal situation” will only increase. In light of that, laws may become more targeted. “I think [privacy law] is also going to become … much more specific,” he said. “So as an example, HIPAA has specific security clauses and standards that you have to comply with [while] GDPR and CPRA basically say ‘thou shall comply’ with the security standard that is appropriate to the sensitivity of the data that you’re processing.”

The Big Question: A Federal Privacy Law?

The discussion closed with Rick Buck posing a question to the panelists: Will there be a federal privacy law in the coming years?

Without exception, all of the panelists were pessimistic about a federal privacy law coming to fruition. “Personally, I don’t see it happening anytime soon, or if it does, it’s going to be a baseline piece of legislation without much teeth,” said Maalouf.

“I give this a 25 percent chance if I had to quantify it, maybe at 20%,” said Glaser. “And I don’t care who’s in office, whether it’s a Republican or Democrat, I think the likelihood is very slim.”