California Here We Come! Preparing for the California Consumer Privacy Act

In this episode of In Process Podcast: Conversations about Business in the 21st Century, Trusted Counsel’s Evelyn Ashley and John Monahon speak with Michael Jones, Attorney at Trusted Counsel, who has a strong background in business-oriented technology. Michael previously spearheaded Trusted Counsel’s initiative to help clients understand and comply with the European Union’s General Data Protection Regulation (GDPR), and now he is at the helm of its California Consumer Privacy Act (CCPA) initiative. The CCPA is slated to go into effect on January 1, 2020.

The CCPA is the most comprehensive data privacy bill to pass in the United States at the state level. It requires significant transparency from companies regarding customer data, and to date it is the toughest privacy law in the country. Similar laws are spreading to other states. Michael says, “ultimately there will be federal legislation, or there will be so many states that pass their own laws that businesses will have to comply with the broadest one.”

Today, businesses in affected sectors face privacy and security compliance challenges because they must establish a process to identify, secure, delete, and/or manage records that contain customer personal data. Most organizations that try to “go it alone” will not do it well, because doing so requires a combination of skills, with legal and compliance analysis leading the way. Businesses should prepare now with the help of legal privacy specialists. We have compiled a best-practices list of activities your business should be doing between now and January 1, 2020. If you are already complying with the GDPR, you are ahead of the game, but there is still work to be done.

Note: your company’s specific situation may vary from these general scenarios and further research may be needed.

  • Understand what personal information your business collects.
  • Update your data inventories (the database that tracks your data processing activities) in order to prepare for data access, deletion, and portability requests, and to comply with opt-out requests.

Privacy Notices and Policies

  • Draft the required notices and disclosures “at or before the point of collection” informing customers of the categories of personal information that is being collected and for what purpose.
  • Determine if your business will maintain one privacy notice for California residents, one for other consumers, or have one universal policy.

Consumer Rights

  • Consumers have the right to know, the right to request, the right to opt out, the right to delete, and the right not to be discriminated against.
  • Implement protocols to honor the new consumer rights. Are you building out the process, training staff, and putting in place new systems for responding to consumer requests? What does your roll-out look like?

Third Party Service Provider

  • If a third-party vendor processes your data, you need to update and renegotiate your contracts with that vendor in order to comply.

Systems, Training, and Process

  • Increase your budgets for IT reprogramming costs and build a process for responding to consumer requests, including protocols for deleting data.
  • Given the penalties involved, take the time to train your employees on handling customer inquiries.

During the course of the podcast CEOs, business owners, and C-level executives will learn:

  • What the CCPA is
  • Recommended best practices for bringing your business into compliance
  • What is meant by “intentional data privacy”
  • Final thoughts from Trusted Counsel on why every business should comply

How We Can Help

Contact us at 404.898.2900 or email us at to set up a consultation to discuss your company’s situation.

Don’t miss a single episode of our podcast show. Subscribe to our show “In Process Podcast” on Apple iTunes and on Google Play to receive this episode as well as future episodes to your smartphone.

Be sure to check out Michael Jones on another podcast episode, where he discusses the General Data Protection Regulation (GDPR) and answers questions about it and data privacy. Listen to the podcast here.

California Here We Come! Preparing for the California Consumer Privacy Act

Michael Jones, Attorney, Trusted Counsel

(c) Trusted Counsel (Ashley) LLC. All Rights Reserved.

Speaker 1: It’s time for In Process, conversations about business in the 21st Century with Evelyn Ashley and John Monahon. Presented by Trusted Counsel, a corporate and intellectual property law firm. For more information, visit And now with In Process, here are Evelyn Ashley and John Monahon.

John: Evelyn, today we have something that we almost never do. We’re actually going to cover a legal topic.

Evelyn: It’s shocking. It’s shocking, and I hope everyone stays awake for this topic.

John: Right.

Evelyn: Because they should.

John: They should. It’s not just legal. I mean, this is a legal issue that affects businesses and our clients. I mean, today we’re talking about the California Consumer Privacy Act, and, as we know, last year, there was a lot to do about GDPR, that was in Europe. But privacy issues are coming stateside, and now California is the first to enact this statewide legislation, or going to. It’s something that we want to raise awareness about.

Evelyn: Absolutely. And I think we do see this as a call to action for companies to wake them up because it was one thing when it was GDPR, and we know that many of the companies that we work with kind of took a fairly flip attitude toward it with, “They’re never going to find me. So what’s the big deal?” This is so much closer to home because if you’re not doing business with California, well you’re probably very, very little. And we need companies to focus on the assumption that they should comply and what is the cost of noncompliance, what does compliance look like, and what process should they follow to get it in place.

John: Mm-hmm (affirmative).

Evelyn: So we’re really fortunate that Michael is here to help us with this.

John: Our own Michael Jones.

Michael: Hello, everyone.

John: For those who do not know, Michael is a corporate attorney with Trusted Counsel. He speaks and advises on a wide range of issues, primarily technology and privacy. He’s currently spearheading Trusted Counsel’s initiative to help numerous clients understand and comply with European Union’s GDPR and now the California Privacy Act. He’s been helping businesses to understand and map the data flowing in and out of their organization, then guides them through the process of updating their internal and external privacy policies, online terms, and other third party agreements.

Michael: It is a challenge because I think a lot of times what you have to do, as Evelyn alluded to, you have to convince clients that it’s important, and I think in some ways with GDPR, it was, “That’s Europe. It’s over there.” You can sort of put it in a box and arguably not worry about it. This is California. And as Evelyn pointed out, the law applies only to the personal information of California residents now. Having said that, there are a lot of California residents out there, and I believe the latest statistics, if California were its own economy, it would be the world’s fifth largest or something like that.

Evelyn: Yep.

Michael: So as a practical matter, even though it applies to California residents by its terms, it’s really the closest thing we have to a de facto U.S. law. We don’t have one. We had thought that that might actually happen this year because of some of the reaction, the initial reaction to the CCPA, and we’ll talk about it in a little bit, that it might spur our government to take a more uniform-

Evelyn: Get some federal legislation.

Michael: Yes, some federal legislation. I think betting folks would say that’s highly unlikely to happen before this goes into effect.

Michael: So let’s talk a little bit about it, and what-

Evelyn: I do think it’s interesting that we always approach this from the compliance and how do you actually handle the privacy, but I also think that it’s important to kind of keep in mind that I think many companies take the approach of well, privacy in the web is kind of the cat’s out of the bag, and how in the world do you put the cat back in the bag when for all these years, we’ve just been recording people and taking names? Yes, we have spam legislation and everything else. But the interesting part about these regulations is that it truly is a game changer for many companies.

Michael: Right. They haven’t thought about data in that way. They have thought about data as something that they collect and that they can use. What they haven’t thought about and what this legislation is going to make them think about is what users are entitled to know about that data. And frankly, that’s the scary part because, and we’ll talk about the data map, is that a lot of these companies know that they have data. They disclose it on a routine basis. They collect it. They do things with it. But if you were to actually hold a gun to their head and say, “Hey, what data do you actually have and where is it?” A lot of them would be hard pressed to tell you, and that’s going to have to change. That’s really, to your point, it’s a game changer because the idea … The emphasis behind the legislation is really to give users not only transparency but control over their data, and that’s something that by and large these days, you throw up a privacy policy, you put a link in there that says, “You have questions, let us know,” but that’s basically it. It’s going to become much more interactive.

Michael: And, again, companies may be thinking, “Well, what are the chances that some random user is actually going to exercise his or her rights?” It’s happening all the time in Europe right now. I mean, the number of complaints that have been filed post-GDPR have just skyrocketed. I mean, the only saving grace is I think a lot of the data protection authorities over there don’t have the resources and a staff not to deal with it. So the idea that this is just going to be ignored is foolish.

Michael: So we talked a little bit at the end of last podcast when we were talking about the GDPR about CCPA’s coming. It has been passed. It will go into effect on January 1st of 2020.

Evelyn: Eight, nine months basically.

Michael: Yes. It will go into effect then. It will become enforceable, which is slightly different, and there’s actually some question. But the legislation is not terribly well drafted, and that’s part of the reason that I think it is giving people so much heartache, is that some of the terms aren’t defined. We can talk about that. But one of the questions is, well, what does it mean to be enforced? So the attorney general of California has the primary enforcement authority under the CCPA, and the way it’s drafted it says, “It will go into effect on the earlier of whenever the attorney general can write regulations,” to basically implement it, or July 1st of 2020. So effectively that means, in non-lawyer speak, the latest it would become enforceable is July 1st of next year.

Michael: So time is short. Again, it is a game changer. It is the first GDPR like, there are some differences, but it’s very much like GDPR for state privacy law in the country that has actually done similar things-

Evelyn: Similar projection.

Michael: Yes.

John: So for those people who may not be familiar with it, I mean, can you tell us broadly what the CCPA is other than maybe something similar to GDPR?

Michael: So it is basically a piece of legislation that defines and prescribes what businesses can and can’t do, certain businesses, and we can talk about what those thresholds are, covered businesses, can and can’t do with personal information of California residents. Much like in the GDPR, the definition of personal information is very, very broad. It includes all of the usual suspects, everything from social security number, email addresses, but also device identifiers, thumb prints, facial recognition. There’s biometric stuff in there. I mean, it’s about as broad a definition as you’re going to see. Again, it applies to California residents. It doesn’t apply to, for what it’s worth, not for profit businesses. So you have to be a for profit business, that’s one thing.

John: And to clarify, you mean it applies to the personal information of California residents but you don’t have to be a California resident to have to comply with it.

Michael: Absolutely. Yes. So basically it applies … Good point. It applies to companies that do business in California. Now, that does not mean that you have to have a brick and mortar storefront. It just means that you essentially are deriving some sort of commercial benefit from the personal information of California residents. There is a notion, we’ll talk about it. The thing that’s really stuck out I think for people when they first saw it was this notion of sale. It talks about the sale of personal information. It keeps using that word over and over again, and one of the rights, one of the new rights that a consumer has under the law is to actually opt-out, to say, “Look, I don’t want you to sell my personal information.” And I got to admit, when I first read it, I was like, “Well, that doesn’t apply.” And a lot of business, “I don’t sell personal information.” Then you look at the definition of sell or sale, and it is essentially any use of information that you can colorably derive commercial benefit from.

Michael: So it is-

Evelyn: I could be a-

Michael: -a bit of a misnomer.

Evelyn: I could be a data aggregator that collects data, turns around and sells it, or I could probably just even want to buy a leads list of CEOs in California. So a wide range of-

Michael: Right.

Evelyn: -possible actions that-

Michael: Right. Exactly. And it could be an arrangement that doesn’t on its face even require the exchange of money. It could be, “I’ll give you this data in exchange for something else.” As long as there is a commercial benefit, that’s really the key. So that’s a bit of a hurdle to get over in the nomenclature where you see sale, it’s like, “Well, that’s not what we’re doing.” Yes. So it’s better to think about it in terms of sharing and/or disclosing it for business purposes is the idea.

Michael: Now there are certain thresholds, there are certain businesses that could conceivably fall out of direct coverage by the Act, but we’ll get to the problem with that in a minute.

Michael: So businesses are subject to the CCPA if they meet any one of the following requirements. One, you have annual gross revenues of over $25 million. Again, the premise is you do business in California. You got to do business in California to begin with. If you have annual gross revenues of over $25 million, it applies. But that’s only one. You don’t have to meet all three. Or you receive, collect, get personal information of at least 50,000 California consumers. Now consumers is defined as a resident of California. So you may think, “Well, maybe I don’t have 50,000,” but here’s the problem, consumers, households, or devices. So we know what consumers means, it’s defined in the statute. Guess what, households is not defined, nowhere. We don’t know what a household is because it’s not defined, which, again, has caused enormous consternation among privacy professionals. Because if you think about it, and one of the rights that say a user has is say, “Hey, give me all of my personal information.” Well, if you’re defining that to be you, that’s one thing, but if you’re defining it as your household-

Evelyn: So your address.

Michael: Your roommate may have … I mean, what does household mean? Who does that include?

Evelyn: Right. It could be residents.

Michael: Could be spouses that wouldn’t want-

Evelyn: And residents of other states could be in there too, right?

Michael: Exactly.

John: Yes. You brought up a potential domestic violence incident where somebody may have been doing searches for a spouse or-

Michael: You have all kinds of harsh that could … So the hope has been that in this period before it goes into effect, that some of these would either be amended, it hasn’t been yet, this particular part, or that the regulations that are drafted or to be drafted by the attorney general would clarify what that means. Latest is that they’re anticipating that they will get drafted this fall, but we don’t have them yet.

Michael: And devices is also not defined. So, again, you think about it, an iPhone is a device, an iPad is a device. How about your refrigerator?

Evelyn: Could be.

Michael: There are smart refrigerators. There are smart cars.

Evelyn: Your television.

Michael: Your television. I mean-

Evelyn: Your Alexa.

Michael: Exactly. And one of the things that’s actually interesting about this, as I said, the driving force behind the GDPR and the CCPA is to really put the user in the driver seat, say, “Okay. The user needs to know from a transparency standpoint what personal information is held about him or her, but also to be able to choose what to do with it.” Consent makes a certain degree of sense maybe in a traditional website context. Refrigerators, cars, how do you consent to that in a meaningful way when there’s literally potentially personal data everywhere?

Evelyn: All over.

Michael: And the real privacy diehards, the real advocates who are all for broad privacy rights, think that this whole consent model, while a good idea, is ultimately going to be flawed. Because how can you meaningfully consent when you’ve got … We’re awash in an ocean of personal data. So it’s something to think about.

Michael: I got sidetracked. So there were two, right? So we talked about the 50,000 consumers, households, or devices, or, and this is the last one, you earn essentially half your annual revenue from ‘selling’, again I’m using air quotes, you can’t see it. You’re basically using for business purposes the information of California residents. Kind of an odd mix.

Evelyn: It is an odd mix.

Michael: Some of it’s pretty black letter. You either have $25 million or you don’t. You can point to something. We talked about the difficulty in consumers, households, and then how do you really determine that that’s where half your revenue comes from? Again, that assumes that you know whose data you have, right?

Evelyn: Right.

Michael: You’ve got to know, for example, what data do I have that belongs to a California resident? Guess what, a lot of systems are not even set up to ask that question. It’s not like you can just-

Evelyn: There would be no way to calculate it.

Michael: Right.

Evelyn: So really the only way to truly comply most likely is to comply.

Michael: Bingo. That’s where I was headed. Right. So exactly. So the only way … I like that. The only way to comply is to comply. I mean-

Evelyn: Forget the exceptions, just comply.

Michael: Because at the end of the day, you’re going to have a great deal more confidence. Not only that, the law is going to change undoubtedly. We got to deal with what’s in front of our face. It’s also going to spread, and there are a number of other states-

Evelyn: And it is spreading.

Michael: It is spreading, as a fact. A number of states have either introduced or passed copycat legislation. So this idea that you can somehow, even though it’s kind of silly to think that because it’s California, you can just kind of box it over here and avoid it. You can’t. You’re really not going to be able to. This is going to be a lot like in the early 2000s, Massachusetts was the first state that really passed very prescriptive cybersecurity regulations where certain types of encryption were required for certain types of information. And for a while, they were the only state out there. But it’s Massachusetts, not nearly as big as California, but basically it forced everybody-

Evelyn: Everyone else to do it also.

Michael: -standard.

Evelyn: Yes.

Michael: Because we don’t have a single overarching federal privacy law. So the way to comply is to comply.

Evelyn: Right. Because you’re going to have to.

Michael: Right.

Evelyn: Because ultimately there will be federal legislation or there’ll be so many states that pass their own laws that you probably have to comply with the broadest one that’s out there in order to have clarity.

Michael: And it makes sense when you look at the new rights. We talked in general terms about consumer choice, consumer visibility, and so there are specific rights that are granted under the CCPA that are really new for the U.S. There are bits and pieces of them here and there. They really were front and center in the GDPR. So this is one of the areas of the legislation that is very similar to the GDPR. One is transparency. Companies that are covered, and we’re assuming, for the point of argument, the sake of argument, everybody is covered, that they will need to disclose the categories of personal information they collect and the types of third parties that they share that information with. And there’s a list in the legislation. So there’s some guidance in terms of what that needs to look like, but you got to start by doing an inventory, and we’ll talk about that. That’s the data map, the data inventory. That’s really the first step.

Michael: So, again, back to your point, the only way to comply is to comply. You have to go through that exercise.

Michael: The other one that is a big one, we talked about it, and is really new and it does distinguish it from the GDPR, is a clear, easy way for consumers to opt out of the ‘sale’, and, again in air quotes, the use for commercial purposes of their personal information. So what this means is that essentially any website, any consumer-facing interface, whatever that is, will need to have a prominently displayed button, link, something that says, “Hey, I don’t want my personal information shared.” Think about that for a minute.

Evelyn: I mean-

Michael: How disruptive that could be.

Evelyn: Absolutely. I mean, I can’t even really imagine how you can administer that and enforce it because if you even just take the example of we’re being tracked by our cellphone wherever we go.

Michael: Right.

Evelyn: Okay. AT&T is going to offer me the ability to not have them share my data.

Michael: Under the law, that’s what they are supposed to do. But, see, so this part of it, and there are a lot of parts of it, will be an operational nightmare. Because here’s the other thing, anybody I guess could push a button. I mean, your cat could walk on your keyboard and push a button or whatever, and you suddenly opted-out. How does the website operator, the business, even know that that person has that right?

Evelyn: Has actually done it?

Michael: So there’s a whole other issue of say a consumer calls your, and there has to be a toll free number. That’s another thing that you have to actually have a phone number, not just a web link, you got to have a phone number.

John: What about a fax?

Michael: A fax. Right, right, right. Somebody calls up and says, “Hey, I’m Joe Blow from Modesto, and you’ve got my personal information, and I want it.” That’s one of the other rights. You have access to it and get a copy of it. You’ve got to verify that, and so how can you verify that without getting additional personal information that you are then obliged to protect, if that makes sense to you. I mean, it’s, Yes.

Evelyn: So is this actually one of the requirements that under like GDPR? Is this something that they’ve also required?

Michael: So yes. So I think what we’re trying to get guidance from is how that has been handled in practice over there because that’s exactly right. It’s really the same principle because under the GDPR, data subjects, that’s the term of art, have all kinds of rights and they can exercise them. But one of the requirements is that it has to be verified, verifiable. So I think from an operational standpoint, a lot of companies are going to lean on what has already taken place over there.

Evelyn: I see.

Michael: In terms of being able to have some hopefully easy to administer verification mechanism to actually be able to say, “Yes, you’re legit.”

Evelyn: By now there has to be software programs that are offered.

Michael: There are all kinds of tools. That’s right. That’s right. Well because if you think about it, it’s one thing to just take the risk of some random person saying, “Don’t share my information,” then somehow that would go into a database. It’s kind of like a do not call list in the old days. That kind of thing.

Evelyn: Absolutely.

Michael: It’s quite another to have someone report to be the California resident, you don’t verify it, and then you give them all their personal information. Oops. What if it’s not that person?

Evelyn: Right.

Michael: You’ve breached somebody else’s privacy.

Evelyn: Or even to verify, I have to give you more of my personal information.

Michael: I mean, in some ways, if you’re starting with a blank slate and you’ve got brand new customers, there’s an account formation process, you could fix it there. The issue is what do you do with all the existing ones?

Evelyn: Right. Everything that’s in-

Michael: How do you do that?

Evelyn: -the system already?

Michael: Yes. Yes. So, again, a lot of these are … The opt-out is probably the one area that is really different from the GDPR, but a lot of the other ones, the right to delete, the right to correct, the right to get a copy, all of that is also in the GDPR.

Evelyn: Is the same.

Michael: Yes. Yes. And so I wanted to just kind of walk through sort of what we see right now as the general steps to getting into compliance.

Evelyn: Great.

Michael: What we would love to help you with. And I’ve alluded to this quite a few times. The first step, as painful as it is, is to get a very robust data map, data inventory. I like the map image a little bit better because basically what you’re tracking is where is our data coming from, what are all of the sources of the data that we have. And I actually encourage businesses to go broad. Don’t get hung up on is it personal information or not. Just do a data inventory because sometimes what I found is that things that at first blush might not look like they’re personal information could be, given the breadth of the definition. So go broad. And also, where does it go? It is a flow. It’s like where’s it coming from, what are we doing with it while it’s under our control, and where does it go? Do we have our own data center? Probably not these days. So it’s at least going into AWS. It’s going to Azure.

Evelyn: Right.

Michael: Guess what, they’re service providers under the … I mean, they’ve got access to the data. So that’s something you need to start out with as a first step, and spend the time to do it because the more complete it is, the better off you’ll be down the road. Because then you’ll know what your potential exposure is.

Evelyn: Right.

Michael: Then we have sort of I guess I like to think of it as the front door. Much like we did when we dealt with GDPR compliance, which is okay, we know that the legislation has certain requirements. We talked about the button, the opt-out button, but there are other things that if you don’t have a privacy policy that’s compliant with GDPR, it’s going to look kind of like a GDPR compliance.

Evelyn: Similar to that.

Michael: It’s very similar. Yes. You’re going to lay out the rights that the consumer has. You’re going to flesh that out a bit. There are going to be certain things that unless you went through the exercise with GDPR, which if you did, there are going to be some additional things you’re going to have to do, but you’ve done a lot of the heavy lifting. That’s the good news.

Evelyn: That’s good.

Michael: But if you didn’t, you’re going to have to-

Evelyn: Start again.

Michael: Exactly. And then not only as we talked about, so you have all of these new consumer rights that they can exercise. This is probably the hardest part of the entire process. It’s hard to kind of get going, roll up your sleeves and find out where the data is, but then what you have to look at is how are we going to implement this in a way so that when a consumer picks up the phone or emails us and says, “Hey, I want to do X, Y, and Z,” you can actually do it.

Evelyn: Mm-hmm (affirmative).

Michael: And do it within I think it’s like 30 days. There’s a timeframe that’s involved. You have to be able to do it and do it in a timely fashion. Because if you don’t, the CCPA has enforcement mechanisms. So there’s a private right of action, it’s not just the attorney general that can come after you. Folks can come after you.

Evelyn: That individual.

Michael: An individual, and they can come after you as a class. That is a new thing. The original draft of the legislation says that it’s only if there is a security breach that they actually have a right. So it’s not any breach.

Evelyn: Okay.

Michael: Guess what, there’s a pending amendment. The attorney general and a state legislator who’s very privacy conscious in California have a pending amendment that would make it any violation of the CCPA. Any violation.

Evelyn: Can you imagine the class action suits?

Michael: Of the CCPA. Not just an actual security breach, that was the original language, any.

Michael: So you’ve got a lot of lobbyists that are not too pleased with that. But I got to tell you, given the political makeup of the legislature, I don’t see it getting watered down a hell of a lot. In fact, it’s kind of going the other way. So you have to be able to do this.

John: If you do want it to be an effective law, that private right of action is one way to get it some real teeth.

Evelyn: To make sure it does, Yes.

John: Because I know GDPR came and went, and it was a little bit like Y2K, right? The world didn’t explode the next day. Everything was fine. But if you give a private right of action to people in California, I mean, I might even think about moving there to join a class action.

Michael: It’s California. Right. So it’s really dynamite. I mean-

Evelyn: So the reality is businesses might not be gearing up for this, but the class action lawyers absolutely are.

Michael: They are salivating. They are getting their ads together now, without a doubt.

John: I think that’s a huge difference in enforceability.

Michael: Absolutely. You don’t have that under the GDPR. So you had people basically saying, with some justification, they’re going to go after the really big, bad actors first. You’ve got Facebook, Google, and that’s basically panned out. Here, it’s anybody that has a beef. And it doesn’t even, like I said, if this actually goes through, it would be any breach. Being able to essentially operationalize the consumers’ rights is going to be hardest, and I think that is partly getting your processes in place, getting it down on paper, and frankly, looking to see what technological solutions are out there. There are tools that will help you that are already … There are certainly a whole suite of GDPR stuff. There’s bound to be stuff that’s coming for CCPA, and that’s something that we can talk about together as we do this.

Michael: To basically, we talked about the data map, sort of map out who your third-party service providers are. It can be, as I said, anybody from AWS to whoever’s doing your help desk, whoever it is, whoever is receiving personal information from you would be considered a third-party service provider. You’re probably going to need to look at those contracts.

Evelyn: Right.

Michael: And you’re going to have to refresh them and make certain amendments.

Evelyn: Make certain that they are complying also.

Michael: Exactly. Exactly. And then overarching all of this is make sure that all of this hard, good work gets memorialized. Make sure that you have a process in place to train your employees to make sure that they understand what the consumers’ rights are and what they need to do to make sure that they’re able to exercise them.

Evelyn: Mm-hmm (affirmative).

Michael: It’s really a 360 degree process, but it begins with the data map.

John: One of the things that we touched on earlier is who this applies to in this process, and we went through the various requirements. But one thing we didn’t discuss is how this is going to flow down in a practical way, even if you’re not meeting those requirements. Because we all see it in contracts all the time, I try to argue some of our clients sometimes get bound to HIPAA. HIPAA contractual obligations, and I say, “We don’t want your health … Don’t give us any health information. We don’t want it,” they say. We get everybody to sign this. You got to sign it. So how do you envision this working?

Michael: That’s a really good point. You might go through this exercise. You look at all of this and say, “You know, I don’t really fit in to any of those three buckets. I really don’t think it applies to me directly.” Well, I got news for you, it’s going to apply to a lot of folks you do business with. Depending on the space you’re in, particularly if they are regulated entities at all, they’re going to be building this into their standard agreements, and they’re going to ask you, require you to say, “Hey, I am compliant with all …” It could be defined as privacy law, applicable law, whatever it is. And that includes this.

Michael: So unless you want to be in breach of your agreement from day one, and that’s not the advice we typically give our clients, then you’re going to by hook or by crook, you’re going to have to get there. That may mean you’re not going to have a user calling you, but you may have your customer, your provider, your third party calling you and say, “Hey, we have somebody on the line. They want their personal information. You have to cough it up.”

Michael: So at the end of the day, aside from the frontline support, you’re going to have to be able to respond to those.

Evelyn: Because it’s a full trail. I mean, it’s a trail of tears. It’s where do I get it from. If they want it, if a consumer wants it out, then they need it out. I’m holding it. I need it out, and anyone that I’ve provided it to, they have to get it out.

Michael: Yes. I mean, look, you could be totally on the backend, hidden from the consumer, but somebody is manning the front door. And that somebody is going to be on the hook. So they’re going to definitely make sure that you’re in compliance because they don’t want to be out of compliance. So absolutely. That’s a very good point. That has certainly happened. We’re already seeing it with GDPR, and it will certainly happen here.

John: Including some companies having to scramble when they have a contract and they haven’t gone through the GDPR process yet. I think it’ll be very similar to this, which is that’s not the time you want to be trying to-

Evelyn: Comply.

John: Yes. Try to get compliant and renew your contracts and-

Michael: I think part of it is just changing our mindset. Evelyn mentioned it’s really a game changer, and it is. But I think data privacy is becoming such a central topic. Obviously it’s a subject of legislation. It’s all over the news. People are very aware of it I think in a way they probably haven’t been. Get an Equifax data breach that affects pretty much everybody. The shenanigans with Facebook. I mean, it’s a hot topic. But I think it gives forward thinking businesses, proactive businesses, a real leg up, a chance to shine. I think it’s what I like to call intentional, an intentional approach to data privacy, which is what business doesn’t these days traffic and trade in data. I mean, it’s really the coin of the realm. And I think it’s important for businesses to treat it like the asset it is.

Evelyn: Right.

Michael: Protect it, understand where it is at all times, just like you would understand where your office equipment is. It’s an asset.

Evelyn: Mm-hmm (affirmative).

Michael: And if you take these steps and build that image and that relationship of trust with the user, you’re going to have a reputational advantage.

Evelyn: Yes.

Michael: I mean, the flip side of it is you’re going to have pretty severe reputational harm if you end up on the front page of the newspaper.

Evelyn: Right. Particularly if you’re in the middle of negotiating a contract with a much larger entity, and they’re asking you to represent that you are in compliance and you have to go back and basically … I agree, many might just sign the document, and look the other way. But they don’t understand the level of exposure that they could have if there is a breach.

Michael: Right. So when I was in-house at New York Life, there were certain businesses that we just wouldn’t do business with. There were companies that we got enough red flags that it’s like, “You’re struggling with this. You’re telling us that you’re not compliant. We can’t afford to do business with you. Sorry. Because there’s someone over here that is.” From a reputational standpoint and just from a business generation standpoint, if you want to play with the big boys and girls, you’re going to have to do this. And it will spread. It won’t just be the big boy. I mean, it may start being the big boys and girls, but it will eventually in pretty short order-

Evelyn: Spread.

Michael: Yes. Like I said, you’ve got the class action bar salivating.

Evelyn: Right.

Michael: Yes. This is serious stuff.

Evelyn: Absolutely. Well, and then of course when you consider that the other states are moving toward this legislation, it makes sense for companies to start thinking about it now. How do I comply, can I get compliant regardless of whether I’m really subject to it, because if ultimately I get to increase my reputation for reducing liability risk for my customers, my clients, my business clients, that’s a benefit.

Michael: Your insurance coverage is going to be cheaper if you can show your broker that you’re compliant. There’s all kinds of things that … Some pain, but a whole lot of gain at the end of the day. And that is exactly right. So it’s coming. And guess what, it’s not going to get any easier, and it’s not going to get any cheaper. This is as cheap as it’s going to get right now because, again, the last thing you want to do is be in a situation where you’re trying to close a deal, and that’s the thing that’s standing in your way.

Evelyn: Right.

Michael: Whether it’s a commercial deal, whether it’s an acquisition, whatever it is, that dirty laundry won’t come out one way or the other.

Evelyn: Absolutely. I mean, more and more in transactions, we are seeing representations that have to do with the data, and many companies are not aware of what’s going on with the data.

Michael: Well, with any luck, when we’re done with them, they will. So that’s the first step, find out what you got. Where is it, where’s it coming from, where’s it going, and then go from there.

John: Well, Michael, this has been a great talk. I love hearing the updates on this. I love hearing the way that you’re thinking through the issues and the little things that are arising in it. I’m sure it’ll provide us with a lot of learning opportunities in the near future.

John: Tell people how they can get in touch with you.

Michael: You can go to, and then under the About Us, you’ll find my bio and all of my contact information, email, phone. Would love to hear from you.

John: All right. Perfect. I hope everyone enjoyed this episode. If you did or you have any ideas for upcoming episodes, please feel free to write us at

Evelyn: And I think it’s also important that we make everyone aware that our website is going to be modified where we actually will have Michael’s white paper on the CCPA and then also a flow chart, basically his map that he talked about, and more information on compliance.

Evelyn: Hope you join us next time.

Speaker 1: This has been In Process, conversations about business in the 21st Century with Evelyn Ashley and John Monahon. Presented by Trusted Counsel, a corporate and intellectual property law firm. Are you interested in being a guest on our show? Email our show producers at For more information on Trusted Counsel, please visit
