This is the third installment in Hogan Lovells’ series on the California Consumer Privacy Act.
What personal information do you have about California consumers and households?
The California Consumer Privacy Act of 2018 (“CCPA”) provides a series of new compliance obligations and operational challenges for companies doing business in California. A vital first step for any company subject to the CCPA and looking to forge a practical path forward is to inventory the personal information (“PI”) that the company collects, stores, and shares with others. As part of our ongoing series on the CCPA and its implications, this post sets out key issues and questions to consider when contemplating a data mapping exercise.
Mapping data accurately and efficiently can be challenging. It requires an understanding of the law and the practical consequences. But when done correctly, data mapping can deliver significant value. For example, beyond the immediate benefit of assessing risks and identifying legal obligations, a data mapping exercise can promote organizational hygiene, identify problematic practices and security risks, and uncover operational inefficiencies.
KEY DATA MAPPING QUESTIONS
The goal of a CCPA-focused data mapping exercise is to answer the following questions:
- What PI does the organization collect and possess?
- How is the PI collected?
- Where and how is the PI stored?
- To what entities does the organization transfer PI?
- What is the nature of the transfers (e.g., sale, provision of service)?
By mapping data flows with a critical eye on the key CCPA legal issues and business operations, organizations can get ahead of the compliance curve and begin to develop thoughtful strategies to mitigate risk. And as discussed below, most companies likely will not be able to rely on GDPR compliance efforts alone for their CCPA compliance.
Identifying personal information (“PI”)
“Personal Information” under the CCPA is defined broadly as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”. (Emphasis added.) Under the CCPA, a “consumer” is a “natural person who is a California resident.” The term “household” is not defined, but it presumably could be construed to include information collected by connected devices that relates to a particular household but no single individual.
The CCPA definition of “PI” includes a list of examples that are considered PI (if a recent technical amendment is signed into law) if they are capable of being associated with a consumer or household. Items on the list include: identifiers (including real name, postal address, online identifier, Internet Protocol address, email address, social security number, driver’s license number, and passport number), commercial information (such as purchase histories or past consuming tendencies), biometric information, Internet or other electronic network activity information (including browsing history, search history, and interactions with web sites, applications, or advertisements), geolocation data, and inferences drawn from other personal information to create a consumer profile describing preferences, characteristics, behavior, or other traits.
It is important during this step to examine not only known identifiers and their data elements but also potential identifiers and their data elements (and the extent to which potential identifiers may be linked to other data).
This definition goes beyond previous definitions of “PI” under US law. And by including information about households within the scope of PI, the CCPA appears to have a broader impact than the GDPR. Therefore, even organizations that have conducted recent data mapping exercises for GDPR compliance may need to update their mappings to reflect CCPA considerations.
Identifying how PI is collected
Organizations should not focus solely on what PI is collected; it is also important to understand how it is collected. Doing so informs the analysis of whether a particular piece of information should be considered PI, as the context of collection may help inform whether the information “is capable of being associated with” an individual, or whether it “could reasonably be linked, directly or indirectly, with a particular consumer or household.” And if the information is “publicly available,” it may not constitute PI, and thus may be out of scope for CCPA compliance.
Additionally, by identifying the specific method of collection, organizations can better develop a plan to implement compliance strategies, such as identifying the appropriate time and manner of providing notice and opportunities to opt out, and collecting any necessary authorizations (such as for the sale of PI of consumers under age 16). And the scope of the deletion right under the CCPA is limited by reference to reasonable consumer expectations, which are influenced by the context of collection.
Identifying where and how PI is stored
Identifying where and how PI is stored helps inform the provision of reasonable security measures. It also supports decisions on how to respond to data deletion and access requests and helps assess whether current infrastructure is well-suited to responding to such requests. As another example, with information about PI storage at hand, organizations can assess the viability of segregating PI that relates to California residents, or combining or reorganizing data so that all pieces of PI relating to specific individuals are kept together.
Identifying which entities receive PI, and for what purposes
To comply with the CCPA’s transparency and opt-out requirements, organizations must maintain knowledge of the entities to which they transfer PI and must identify whether, e.g., the transfers constitute “sales” or “disclosures for a business purpose.” Moreover, organizations will want to impose certain contractual provisions on service providers to address CCPA compliance concerns.
As organizations that have undergone GDPR-driven vendor management exercises will know, identifying third-party transfers of PI, classifying the nature of the transfers, and updating relevant agreements can involve substantial effort. Organizations will want to confirm that they have sufficient resources in place to identify and assess PI transfer arrangements, while integrating legal counsel to confirm that risks are appropriately prioritized and addressed.
Data mapping can help drive organizations to refine data collection practices; redesign information technology architecture to better facilitate timely access to and control over data; develop new internal policies, procedures, and training programs; and evaluate options for offsetting the potential impact of certain compliance controls on business operations. However, it’s important to recognize that effective data mappings are not static – they must evolve with the organizations they support. To support ongoing efforts, consider developing a cross-functional team with representatives from legal, IT, compliance, and key business units. Doing so can help establish and entrench a shared understanding of compliance and operational priorities while promoting effective communications.