Although the details of the California Consumer Privacy Act (CCPA) of 2018 have not yet emerged, businesses may face a steep learning and operations curve in order to implement the kinds of systems, processes and knowledgeable employees necessary to meet its notice, disclosure, right to opt out and other requirements. Businesses subject to the CCPA, including many businesses located outside California that will be covered by the law, should take the opportunity to prepare before the statute and any regulations go into effect. And for those businesses not subject to the CCPA, principles such as notice, disclosure and the right to opt out may appear in other legal frameworks applicable to your operations.
Below are 10 questions to ask yourself about CCPA compliance requirements, along with action items for consideration to help your business stay ahead of the CCPA implementation curve.
Landmark legislation on consumer privacy rights significantly affects the obligations of businesses handling consumer data
On June 28, 2018, then-California Governor Jerry Brown signed the CCPA into law. The CCPA is being watched closely across the United States because previous California legislation has proven to be a harbinger for other states.
For example, SB 1386, the California data security breach notification law enacted in 2002, was the first state law of its kind. Now all 50 U.S. states have data breach notification laws on the books.
Effective January 1, 2020, the CCPA will create a number of obligations for businesses subject to its provisions, including:
- Providing notice and disclosure to consumers regarding the kinds of personal information the business collects and how that information is used, and what rights consumers have under the CCPA
- Providing to consumers a copy of their personal information in a portable and readily usable format
- Deleting the personal information of consumers upon request
- Giving consumers the right to opt-out of the sale of personal information
- Giving consumers at least two ways to request information from a business
- Training employees on how to comply with the CCPA
- Executing written agreements with service providers and other third parties to specify and limit the use of personal information
The California Attorney General is in the process of promulgating regulations designed to provide guidance to businesses seeking to comply with the CCPA. In addition, legislation has been proposed that would further amend the CCPA. The deadline for the Attorney General to adopt implementing regulations has been extended to July 1, 2020. Likewise, the Attorney General cannot bring an enforcement action under the CCPA until the earlier of July 1, 2020, or six months after the publication of regulations.
While the practical implementation deadline for the CCPA is some months away, and the rules implementing the CCPA may shed some light on its applicability, reaching the operational ability to meet the CCPA’s specific requirements will undoubtedly involve significant investments in people, processes and appropriate technology.
Accordingly, businesses should prepare by asking the following questions:
Is your business subject to the CCPA?
The CCPA applies to any for-profit entity:
1) Doing business in California
2) Collecting personal information of California residents
3) Determining the purposes and means of the processing of consumers' personal information
and meeting one or more of the following thresholds:
(A) Annual gross revenues in excess of $25M
(B) Annually buys, receives for the business' commercial purposes, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices
(C) Derives 50 percent or more of its annual revenues from selling consumers' personal information
The CCPA does have some exceptions, including personal information subject to existing statutory schemes, e.g., the Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA) and Driver’s Privacy Protection Act (DPPA). Action Item: Evaluate the potential application of the CCPA based upon its definitions and thresholds.
What “personal information” does your business collect from consumers?
The CCPA creates the broadest definition of “personal information” to date in the United States. Personal information “means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” (Section 1798.140(o)(1)).
The CCPA expands the more common definitions of personal information found in existing legal frameworks to include the types of information that are considered to be “personal data” under the EU’s General Data Protection Regulation (GDPR), such as IP addresses, cookies, and biometric and geolocation data. Action Items:
- Closely analyze and document the types of personal information (as that term is used in the CCPA) you collect, and determine the relative value of that information for business purposes.
- Given the extremely broad definition of personal information, consider whether additional requirements not previously applicable to data collection or usage could be triggered and what, if any, impact this may have from a compliance and cost perspective.
- With respect to the personal information you collect, immediately determine the sources of personal information, purpose for collection, and the third parties with which you share personal information.
Can your business inform consumers about what personal information will be collected from them, and how personal information is going to be used?
The CCPA requires a business, before collection or as collection is taking place, to inform a consumer of the categories of personal information it will collect, as well as the purpose or purposes for which that information will be used. (Section 1798.100(b)). As a result, any personal information collection processes (including customer sales and acquisition) must include the required CCPA notice. Action Items:
- Identify the collection points for personal information within the business.
- Develop processes for providing notifications required under the CCPA.
- Educate employees on their compliance responsibilities.
Can your business respond to consumer requests regarding personal information?
The CCPA gives consumers the right to require a business to disclose the categories and specific pieces of personal information the business has collected about the consumer. (Section 1798.100).
In addition, the CCPA specifies particular means and timelines for compliance with such a consumer request. (Section 1798.130).
Without the ability to locate personal information in response to a valid consumer request, and subsequently satisfy that request, a business will potentially run afoul of the CCPA. Action Items:
- Confirm that your company can identify a consumer within the company’s records and associate that consumer with the personal information that has been collected.
- Develop internal and external communication protocols to respond to inquiries regarding personal information.
- Ensure a complete response is feasible within the statutory timeframe (45 days from receipt of a verifiable request, extendable once where reasonably necessary under Section 1798.130(a)(2)).
How does your business use personal information within the organization?
The CCPA prohibits a business from collecting additional personal information or using personal information for additional purposes beyond that initially disclosed to the consumer unless and until it has notified the consumer. (Section 1798.100(b)). Accordingly, information sharing within a business must be limited and managed as required by the CCPA. Action Items:
- Develop and implement processes for managing the use of personal information consistent with the purpose(s) for which it was collected.
- Develop and implement processes that trigger appropriate notice to consumers when use changes.
- Educate all employees with respect to the limitations on use of personal information imposed by the CCPA.
- If the collection of personal information is currently being monetized in any way, conduct a legal analysis to ensure current information use practices can remain viable in light of the new requirements (notice, disclosure under the law). If the business revenue model is dependent on data sharing or analysis, determine what impact the legislation will have on revenue generation.
How does your business disclose personal information?
The CCPA gives a consumer the “right to opt-out” of the sale of their personal information. Any business that sells personal information must provide the consumer with notice of the “right to opt out.” (Section 1798.120). Similarly, the CCPA requires a business to disclose to a consumer those categories of personal information that have been sold previously to a third party or disclosed for a business purpose. (Section 1798.115).
The CCPA allows a business to share personal information with service providers and other third parties as long as the business does so pursuant to a written contract that limits the use or sharing of the personal information. (Section 1798.140(v) and (w), defining “service provider” and “third party”). Action Items:
- Carefully examine and conduct an inventory of all third-party vendors that may access or obtain personal information in the course of providing services to the business to ensure contractual requirements are consistent with the CCPA.
- Prepare written contracts or amendments to existing agreements if necessary.
How does your business delete or dispose of personal information?
The CCPA gives a consumer the right to request deletion of the personal information a business has collected from the consumer, subject to certain exceptions. Upon receipt of a verifiable deletion request, the business must delete the personal information from its records and direct any service providers to delete that personal information from their records. (Section 1798.105). Action Items:
- Assess your operational capabilities to comply with requests for the deletion (and disclosures) of personal information.
- Implement the necessary controls (such as deletion workflows that reach backups, downstream systems and service providers, and the mechanisms for receiving and verifying requests).
How does your business make consumers aware of their rights?
The CCPA requires businesses, at a minimum, to make available two methods (including a toll-free number and, if the business maintains a website, a website address) to allow consumers to submit requests for information. (Section 1798.130). The CCPA also requires a business to respond to a verifiable consumer request within 45 days of receipt (extendable once where reasonably necessary), and requires that a business inform consumers of their rights under the CCPA, including the opt-out right.
Action Items: As referenced above, determine the methods through which:
- Consumers can submit requests for information;
- The business can inform consumers of their CCPA rights; and
- The business can satisfy consumer requests within the timeframes mandated by the CCPA.
How does your business store and protect personal information?
The CCPA gives a consumer the right to bring a civil action, and seek statutory damages (between $100 and $750 per consumer per incident) or actual damages, whichever is greater, in the event that “nonencrypted or nonredacted” personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’ failure to implement and maintain reasonable security procedures and practices. (Section 1798.150). Note that for this private right of action, “personal information” carries the narrower definition used in California’s data breach statute (Civil Code Section 1798.81.5), e.g., a name combined with a Social Security number, account credentials or medical information, rather than the broad CCPA definition in Section 1798.140(o). Action Items:
- Consistent with other statutory and regulatory frameworks, evaluate the effectiveness of your existing information security program in light of the CCPA.
- Revise incident response plans to ensure those plans adequately consider unauthorized access, exfiltration, theft, and disclosure as potential triggers both for breach notification in California and for civil liability under the CCPA.
- Be prepared to appropriately mitigate potential liability for damages under the CCPA.
- Consider whether sensitive information (including personal information) should be encrypted (at rest and/or in transit) or redacted.
Does your business put a particular value on personal information?
The CCPA prohibits a business from discriminating against a consumer for exercising CCPA rights, but does permit charging a different rate or price, or providing a different level or quality of service, if the business can demonstrate that the difference is reasonably related to the value provided to the consumer by the consumer's data.
Likewise, the CCPA also creates the opportunity for businesses to create financial incentives for the use of personal information that could include direct payments to consumers for collection of personal information, the sale of information or the deletion of personal information. Businesses offering such incentives to consumers would be required to provide prior notice to consumers and could only enter consumers into a financial incentive program with prior opt-in consent from the consumer. (Section 1798.125).
Action Item: Valuing personal information is undoubtedly a very technical process. Any business seeking to implement a financial incentive program should only consider doing so after careful analysis and the development of appropriate financial and pricing models.