How CPAs can prepare for the California Consumer Privacy Act
Last week, California Governor Gavin Newsom signed into law six amendments to the California Consumer Privacy Act, the comprehensive state privacy law that will go into effect Jan. 1, 2020, creating new compliance issues for CPAs and their clients.
CCPA will “become the most stringent privacy law of any single state,” explained Anthony Pugliese, CEO of the California Society of CPAs, who spoke to Accounting Today about the wide-ranging effects of the new legislation on the eve of it being signed into law.
The law requires businesses, among other protections, to disclose their data collection and sharing practices to consumers, provide ways for those consumers to have their data deleted, and offer an option to opt out of their personal data being sold or shared. This will formalize how many CPAs are already protecting client data, Pugliese said.
“The way it hits the profession, is public accountants are collecting personal data. They don’t sell it; large tax practices have hundreds, thousands of individuals, complex private financial data. What are they doing with it, is protecting it from unauthorized access. Cybersecurity [protects] access, it’s very controlled. Now it’s a best practice — January 1 it will be law. [We have to] make sure firms are protected.”
In terms of how comprehensive CCPA is, Pugliese compared it to the Health Insurance Portability and Accountability Act of 1996 and the Children’s Online Privacy Protection Act of 1998. He also explained that though CCPA shares similarities with the EU’s General Data Protection Regulation that went into effect last year, there are key differences.
“One of the concepts, the first of its kind, compared to GDPR, is the concept of household, versus that of just the individual. [CCPA] covers individual and household,” he explained. “The household [includes] undefined things. You can interpret it as family, anyone that lives in the home, but the interpretation has latitude, implementation issues.”
Additionally, Pugliese continued, “compared to GDPR, it deals with the data a company collects, while GDPR deals with data that is processed. It’s much bigger of a burden.”
“The obligation, when working with clients, is to be very prepared for the impact of the law,” Pugliese continued. “Some of it impacts both sides of the profession. [CPAs must] write privacy notices that are clear and concise, not misleading. It’s a similar concept to GDPR, where it can’t be overly technical. Writing it is challenging, especially for a company that does a lot with its data.”
Given the scope of the law, as well as the potential for other states to adopt similar legislation, Pugliese shared four steps CPAs should be taking right now to start getting into compliance before the new year.
1. Take an inventory of all the firm’s data. As company data is usually fragmented across multiple departments, CPA firms should map out all data that is within the scope of the law.
2. Identify individual clients’ data. Firms will need to ensure that individual clients have access to view or erase their data.
3. Ensure individuals have the right to simply opt out of the firm selling their data. While firms can still hold on to this data, clients have the right to opt out of it being sold.
4. Update any service-level agreements with third-party data processors, or anyone who has access to clients’ financial data. “A lot of people think this is California-specific,” Pugliese warned. “If you have clients in California, the law goes down to the resident level. In matters where you are doing business. If you are doing business in California, it is relevant to those people.”
CalCPA is hosting a 2019 “prīvaC Summit” to address the new law and all its implications. The event will be hosted in Los Angeles on Dec. 11, 2019, and will also be simulcast in Burlingame, California, and be available via webcast.