With just under a year left to ensure compliance with the California Consumer Privacy Act (CCPA), organizations may be tempted to think there is ample time to assess their exposure to the new law and the potential impact on their business applications. The CCPA, however, represents a dramatic shift in how an organization must operationalize consumers’ privacy rights—which will require a significant effort and implementation of potentially costly technology solutions.
Organizations may also be tempted to wait and see if a new federal privacy law preempts California’s. Although legislators have proposed several federal privacy bills, there is little consensus in Washington on what a federal privacy law should look like. Federal preemption of state privacy laws remains a matter of significant controversy, and a bill with bipartisan support would likely have to contain many of the already-existing rights and obligations under the CCPA.
Does the CCPA Cover My Business?
Q: I have a small business that is not located in California; do I still have to comply?
A: If you are active on the internet, likely yes. The CCPA defines a “business” as any commercial (for-profit) entity that does business in the State of California and meets any one of the following thresholds on an annual basis: (1) generates a gross revenue of more than $25 million; (2) buys, receives, sells, or shares “personal information” of 50,000 or more “consumers, households, or devices”; or (3) derives 50 percent or more of its revenue from the sale of “personal information.”
It may seem like this definition will not cover your small business located outside of California; however, a physical presence in California is not required. If you make an online “sale” in California and you buy, receive, sell, or share at least 50,000 “pieces” of “personal information” (defined very broadly – see below)—whether collected from California “consumers” or not—you will have to comply with the CCPA. If you make an online sale and your business model primarily involves “selling” information to advertisers, you will also be subject to the CCPA. Know that every visit to your website will likely generate several “pieces” of personal information that are “received,” making it more likely that the CCPA will cover your business. These catch-alls will capture most businesses, of any size, if they have a significant online presence.
Q: Will tracking whether the information I am collecting is coming from outside California reduce my exposure?
A: No. The CCPA defines “consumers” as natural persons who are California residents (irrespective of whether they are outside of California for a temporary or transitory purpose). Therefore, for the purposes of the statute, it will not matter whether a consumer is physically located in California or not at the time of collection.
What Consumer Information Do I Have?
Q: What types of information does the CCPA cover?
A: Basically, everything related to natural persons, their devices, and households. The CCPA defines “personal information,” or PI, as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Personal information may include, but is not limited to, online identifiers, IP addresses, email addresses, biometrics, products or services purchased, browsing history, educational or FERPA information, employment information, profiling information based on inferences, and even olfactory information.
Q: Wow, that is a lot of stuff. How do I figure out the types of PI that I am collecting and selling?
A: It may take a lot of work. Given the breadth of personal information the CCPA covers, compliance will require a level of data mapping that is unprecedented under U.S. privacy laws. Data mapping is the process of understanding and classifying what data is collected, how data is collected, processed and transmitted, with whom data is shared, and where data is stored, as well as how data is used, for what purpose, and by whom.
Q: That sounds complicated. Am I better off not knowing about the types of PI that I collect?
A: No. You can only understand your risks under the CCPA if you understand the scale of information you collect. With this knowledge you will be able to mitigate risks and prove your compliance. More importantly, however, by knowing your data map, you can actually improve your business agility and perhaps tap new, profitable business methods.
Am I “Selling” Consumer Data?
Q: What processing activities does the CCPA cover under this part?
A: The key part of the analysis is determining whether the information is going to a third party. A “sale” under the CCPA is defined as the “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third-party for monetary or other valuable consideration.”
The CCPA’s conception of a “sale” is very broad, such that a website publisher merely making available personal information it collects through cookies to a third-party ad network may constitute a “sale.” Similarly, a business’s disclosure or transfer of personal information to a third party under a service agreement may be viewed as a “sale.”
Under the CCPA, What Must I Do With That Consumer Information?
Q: What type of rights can I expect consumers to contact me about?
A: As many as six different rights. The CCPA grants consumers the right to access personal information (collected in the last 12 months); the right to receive such information in a readily usable and portable format, if provided electronically; the right to request deletion of personal information (subject to exceptions); the right to opt out of selling personal information to third parties; if a minor, the right to opt in to selling personal information; and the right to equal services and prices (even if consumers exercise their CCPA rights).
These rights will not only affect consumers, but also the businesses that will have to vindicate such rights on demand. Disclosing or deleting PI, for example, will require a business to continually assess its data mapping to locate and remove the PI, which is easier said than done and may pose an engineering problem. Opt-outs will require continuous tracking of consumers, potentially across platforms, to prevent automatic sales of their PI. In short, if unprepared, respecting these rights could be very difficult and expensive.
How Long Will It Take Me to Answer These Questions?
Q: What are my next steps?
A: You need to get cracking. The length of time it will take a business to answer these questions will depend on several factors, such as its current data collection and use practices, the amount of data it needs to map, and the number of contracts it needs to revise. Businesses should start asking these questions sooner rather than later, as the CCPA goes into effect in less than a year and potential amendments that may be enacted are unlikely to change the CCPA’s core provisions.