CCPA: Will Your Business Be Responsible For Your Data Service Provider?
On June 28, 2018, California governor Jerry Brown signed the California Consumer Privacy Act of 2018 (CCPA), which becomes effective on January 1, 2020.
The primary objectives of CCPA:
- Give users the right to know what information large corporations are collecting about them.
- Give users the right to tell a business not to share or sell personal information.
- Give users protections against businesses which do not uphold the value of privacy
Among the rights that CCPA gives users, the most important are:
- The right to know ALL data collected by a business, twice a year, free of charge.
- The right to say NO to the sale of personal information.
- The right to sue companies who collected personal data, where that data was stolen or disclosed pursuant to an unauthorized data privacy breach, if the company was careless or negligent about how it protected personal data (i.e. if the data was unencrypted, un-redacted, or the company didn’t have reasonable security policies and procedures in place to protect it).
CCPA’s Business Impact on Data Privacy
The last point has many businesses scrambling to see if they will be in compliance come 2020. Already CCPA’s passage is ushering in a new wave of GDPR-like data privacy requirements for businesses and financial firms, as they now have less than a year to become fully compliant. CCPA will place a heightened level of scrutiny on business data privacy and processing practices, especially when it comes to the relationships between businesses and data vendors (or ‘service providers’). However, according to Consumer Financial Services Watch, the CCPA lacks many of GDPR’s privacy compliance infrastructure requirements, so it will be up to California’s Attorney General to adopting its regulations, rules, and procedures. Until then, there are still many aspects of CCPA that remain unclear.
In this context, banks and other financial services businesses that handle large amounts of consumer data might be liable for any breach committed by data service providers acting on their behalf. For example, CCPA brings up many questions surrounding agency law. Under agency law, an agent is bound to the scope of authority that they have set forward with their principal. As long as an agent acts within their scope of authority, their actions remain the responsibility of their principal. Under CCPA, the agents are the data service providers, which are businesses that process data pursuant to a written contract that prohibits it from retaining, using, or disclosing the data for any purpose other than that set forth in the contract.
In the cloud computing industry this is very common, where data service providers are referred to as Data-as-a-Service (DaaS). This means that companies whose services you use will often times use another service to store your data.
Because service providers are considered an agent, they will not be liable under the CCPA for the obligations of said business. However, this poses a question of whether or not a firm is liable for the violations of their data vendors. CCPA shields a company from liability for violations committed by its service provider, provided that at the time of the violation, the business does not have actual knowledge or reason to believe that the service provider intended to commit such a violation.
Does this Mean Your Business Is Off the Hook?
Not necessarily. If a business doesn’t sign a thorough enough contract with its data vendors, that business runs the risk of being liable for its vendors’ CCPA violations. If a business or firm wants to absolve itself from liability, it needs a written contract that specifies the roles, responsibilities, and authority of its data service provider. This means that it is vital that each business determines their specific data processing objectives and makes sure that all vendor contracts contain language that strictly limits a vendor’s scope of authority to said businesses objectives. Establishing maintaining data processing controls will become an increasingly important topic for compliance professionals.
- CCPA will become effective on January 1, 2020 but we do not know how quickly or strongly it will be enforced by the California Attorney General’s office until then.
- The best way to prepare yourself for 2020 is to take another look at all contractual agreements that you have with data service providers to make sure you know exactly who is responsible for a data privacy breach.
- After the CCPA becomes effective, it will be important to monitor the enforcement actions ordered. You can track trends in the types of businesses and violations the agency is enforcing to better prepare yourself as to what you might be subject to. If you haven’t already, your organization should consider procuring a regulatory change management system. Compliance.ai is the best at this.