(L to R): Stuart Lee, the chief privacy officer of VMware Inc.; Heather Vigil, a shareholder at Littler Mendelson; Hogan Lovells partner Mark Brennan; Joanne Charles, a Microsoft Corp. privacy and regulatory affairs attorney; and Ravi Inthiran, the senior director of compliance and privacy officer at Ripple Labs Inc. (Photo: Caroline Spiezio/ALM)

The Minority Corporate Counsel Association kicked off its 2019 Global TEC Forum in San Francisco on Thursday afternoon with a lunchtime plenary session on the compliance complications of California’s privacy law.

Hogan Lovells partner Mark Brennan moderated the discussion on “The California Consumer Privacy Act and What It Means” with four panelists: Ravi Inthiran, the senior director of compliance and privacy officer at Ripple Labs Inc.; Joanne Charles, a Microsoft Corp. privacy and regulatory affairs attorney; Heather Vigil, a shareholder at Littler Mendelson; and Stuart Lee, the chief privacy officer of VMware Inc. Here are five key takeaways from the session.

  1. Don’t copy and paste compliance procedures from other privacy laws. Companies impacted by the European Union’s General Data Protection Regulation, which went into effect last May, likely have a leg up in CCPA compliance. But Lee said privacy counsel should still approach CCPA as its own separate law. “You can’t just lift and shift your individual rights program for GDPR and put it on top of CCPA,” Lee said.
  2. Employees’ data may be impacted. Vigil said it’s not yet clear how CCPA will apply to employees. The law could give employees the right to request all data employers have collected on them, including sensitive information exchanged in emails or about their browsing history. “It’s not the California Consumer and Employee Privacy Act, but when you start digging into some of these definitions that are used within the law itself, you’ve got personal information identified as employment information,” Vigil said.
  3. “Unstructured data” could complicate compliance. In-house counsel can scour spreadsheets and databases for impacted personal information. They also may need to check videos and recordings, Inthiran said, which could count as “unstructured” personal data. “The question becomes, how do you track that? How do you think about it? Is that considered personal information if you have a CCTV, a recording device in your office and you’re recording people walking through the building. How are you associating that with an individual that’s checking in?” Inthiran said.
  4. Children have stronger consumer protections. Companies that know, or suspect, minors under 16 years of age use their services should take extra precautions with CCPA. Inthiran said CCPA requires opt-in consent for certain subsets of minors and parents' sign-off. That’s true even if a child uses an app or service on a device owned by an adult, panelists said. “It’s unlikely that a 5-year-old has a phone but if you’re collecting usage data on a game that is designed for under-5, even though you only have information about the household, it becomes identifiable and I think it falls under the statute,” Charles said.
  5. Form cross-functional teams. Lee said counsel can’t approach CCPA “in a silo, as your privacy program.” As the 2020 deadline for CCPA implementation approaches, he suggested privacy counsel partner with information technology teams and other business leaders to design a compliance strategy that involves all relevant departments. “You have to engage cross-functionally,” Lee said. 
