In the age of Big Data and in the face of growing data privacy breaches, new winds are blowing, starting in Europe and now making landfall on the West Coast of the U.S. “Technology has the potential to keep changing the world for the better,” wrote Tim Cook, the CEO of Apple, in an Op-Ed published in Time Magazine earlier this year, “but it will never achieve that potential without the full faith and confidence of the people who use it.”
In June of last year, California enacted a sweeping new privacy law, the California Consumer Privacy Act of 2018, also known as the CCPA. The Act is likely to have broad implications for organizations providing services to, or collecting data from, California consumers. Moreover, the CCPA may create a de facto baseline standard for data privacy controls and processes across the U.S., and could cause other U.S. states to follow suit. In fact, it also seems more and more likely that a similar U.S. privacy law may be advanced at the federal level, with nationwide implications.
In May of last year, many Israeli companies had just completed a challenging learning curve and compliance effort for the new European Union General Data Protection Regulation, also known as the GDPR. The CCPA shares similar themes with the GDPR, in particular its focus on consumers’ rights and control over their personal information, as well as transparency requirements related to companies’ data practices. However, Israeli companies should note that mere compliance with the GDPR will not be sufficient to meet the CCPA requirements. And it is not going to be an easy task. There are potential implementation challenges, impacts on business operations, and increased legal and regulatory exposure. The CCPA applies to all businesses that collect personal information on California consumers for a business purpose, subject to certain thresholds. And while the CCPA does include certain exemptions, it is not clear how those exemptions may apply or be interpreted in various contexts.
In January of this year, the Israeli High-tech Association published a survey showing that 45% of Israeli high-tech companies are either already operating abroad or looking to expand operations abroad. The U.S. is undoubtedly one of the top targeted markets. Among the leading 20 foreign direct investment countries in the U.S. and the top foreign private issuers listed on NASDAQ, Israeli companies have increasingly been looking for opportunities in the U.S. Over 30 U.S. states have signed bilateral agreements with Israel in order to foster closer ties in a wide range of technology fields, including agriculture, water, homeland security, cyber and energy. Along with the great opportunities in the U.S., Israeli companies should also make sure they are familiar with, and in compliance with, the relevant U.S. regulatory framework, including, among other things, re-evaluating their privacy policies together with their legal advisors.
Here are five takeaways that Israeli companies should keep in mind:
When will the CCPA become effective?
By January 1, 2020, all covered businesses must comply with the new CCPA requirements. The CCPA directs the California attorney general to adopt regulations before that date.
Who has to comply with the CCPA?
The CCPA applies to businesses that are operated for profit or financial benefit in California, collect consumers’ personal information (as broadly defined under the CCPA), and meet one or more of the following: 1) have annual gross revenues over $25 million; 2) annually (alone or in combination) buy, sell, receive for their commercial purposes or share for commercial purposes the personal information of 50,000 or more consumers, households or devices; or 3) derive 50 percent or more of their annual revenues from selling consumers’ personal information. The CCPA also applies to any business that controls, or is controlled by, a business that meets the foregoing criteria and shares common branding with the business, which could have broad implications for franchised businesses and subsidiaries.
In addition, even companies that are not directly subject to the CCPA may still be impacted if they do business with, or provide services to, covered businesses. The broad reach of the CCPA makes it quite likely that many of the Israeli companies operating in the U.S. will be impacted by the Act.
What is CCPA’s definition of “personal information”?
The definition of “personal information” is exceedingly broad and expressly incorporates data types beyond those traditionally identified under existing U.S. law. For example, personal information includes (but is not limited to) elements such as:
- Commercial information (e.g., records of products or services purchased, obtained or considered, and other consuming histories or tendencies)
- Internet activity (e.g., browsing and search history and interactions with advertisements)
- Inferences drawn from personal information to create profiles reflecting consumer preferences and attitudes
What are the main ramifications of the CCPA for Israeli companies?
The CCPA places a great emphasis on consumers’ right to know, control and delete personal information collected by businesses. Even in the early development phases, Israeli companies should make sure their solutions are designed in compliance with the CCPA to avoid possible setbacks later on.
Here are some of the significant provisions:
- Right to Request Consumer Profiles: California consumers are given a right to request a detailed listing of certain information, such as the categories of 1) personal information collected and sources of that information, 2) personal information sold and disclosed, and 3) third parties to whom personal information is disclosed or sold. The CCPA distinguishes between personal information that is disclosed versus sold, and businesses must identify such distinctions in disclosures and responses to consumer requests.
- Consumer Rights and Anti-Discrimination Prohibition: Consumers are provided with the right to opt out of the sale of their personal information. In addition, consumers have a right to request the deletion of their personal information that the business has collected from the consumer. The CCPA also prohibits covered businesses from discriminating against consumers based on the exercise of their rights under the CCPA, including charging consumers different prices based on their decision whether to opt out, unless the price difference is reasonably related to the value provided by the consumer’s data.
- Liability and Private Right of Action: Consumers are expressly provided with a private right of action for certain data breaches. Before a private right of action can commence, a consumer must provide a business with 30 business days’ notice and an opportunity to cure. If the alleged violation can be cured, a company must provide the consumer with a written statement that the violations have been cured and that no further violations will occur. A consumer private right of action can proceed where a cure is not possible or a consumer alleges a company has violated its written statement to cure a past violation. The attorney general also has enforcement authority under the CCPA, and businesses in violation of the CCPA may be liable for civil penalties (up to $2,500 for each violation, and up to $7,500 for each violation found to be intentional).
How should Israeli companies prepare?
The CCPA may go through additional updates before it takes effect; Israeli companies should closely monitor such developments and should also take steps to be prepared in advance. Privacy notices, other policies and procedures, and websites will need to be updated before the CCPA takes effect. Businesses will have to create complex tools that identify the data they collect, organize it, and give consumers easy-to-use technology to delete it. At the very least, Israeli companies should start mapping the personal information they collect and the locations where personal information is stored so they can promptly meet any request under the CCPA.