The California Consumer Privacy Act (“CCPA”), formally known as Assembly Bill Law 375, is officially in effect. The law is broad in scope, and imposes many new obligations on companies that collect “personal information” from California residents.
CCPA applies to businesses that are incorporated and/or registered to transact business in California. It also applies to any business that has customers, markets and/or otherwise advertises or seeks business or consumer contacts in California, that collects consumers’ personal data, and that satisfies at least one of the following thresholds:
- Has annual gross revenues in excess of $25 million;
- Buys, receives, or sells the personal information of 50,000 or more consumers or households; or
- Earns more than half of its annual revenue from selling consumers’ personal information.
Additionally, businesses are now required to “implement and maintain reasonable security procedures and practices” in protecting consumer data.
Hence, there are many nuances of CCPA that your business must now be aware of.
What are the key privacy provisions in CCPA?
Businesses must allow consumers to choose not to have their data shared with third parties. That means businesses must be able to separate the data they collect according to consumers’ privacy choices.
Moreover, while a business cannot refuse users equal service, it can offer incentives to users who provide personal information. For example, businesses can offer discounts to people who are willing to have their data shared or sold to third parties. Thus, a business’s pricing structure might change depending on its users’ privacy choices. This has a wide range of technical and legal implications because businesses can parlay the privacy provisions of CCPA into a whole new business venture.
A business has only 45 days to provide consumers with a comprehensive report about what type of information it has, whether it was sold, and to whom. If the information was sold to third parties over the past 12 months, the business must give the names and addresses of the third parties the data was sold to. Thus, CCPA has changed the privacy landscape in the United States forever, not just in California.
With this in mind, below is a streamlined understanding of CCPA that Lloyd & Mousilli has developed for businesses to ensure that they are in compliance.
What does CCPA actually require businesses to do?
Businesses must provide notice about the data they collect about a person, and what they do with that data. Businesses must also create a process by which individuals can exercise the rights created by CCPA. Finally, businesses must ensure that vendors that are sent personal information protect the information and comply with their CCPA obligations.
What rights does CCPA create?
- Transparency - Identification and disclosure to consumers of the information being collected and the purpose of information collection.
- Access - Consumers have the right to access the information a business collects and maintains about them.
- Opt-Out - Consumers are able to opt-out of having their information sold.
- Deletion - Consumers can have their information deleted (in some circumstances).
- Portability - Consumers have a right to get a copy of the information a business has about them.
- Equal Service - Businesses cannot discriminate against consumers who exercise their rights, including access to information rights.
What are the penalties for non-compliance?
CCPA gives the California Attorney General the power to enforce the law and issue fines of up to $7,500 per violation. This means that if a company does not provide 100 people with their rights, it could face a $750,000 fine.
Additionally, CCPA gives individuals the right to sue businesses in the event of a data breach, which could result in a large settlement or judgment against the business.
What counts as “personal information?”
CCPA defines “personal information” very broadly and formally considers the following “personal information”:
- Real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers
- Characteristics of protected classifications under California/federal law
- Commercial information including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies
- Biometric information
- Internet/other electronic network activity information including, but not limited to, browsing history, search history and information regarding a consumer’s interaction with a website, application or advertisement
- Geolocation data
- Audio, electronic, visual, thermal, olfactory/similar information
- Professional/employment-related information
- Education information as defined in the Family Educational Rights and Privacy Act
- Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes
CCPA does not consider publicly available information as personal information. Thus, businesses do not have to worry about gathering information that falls within those categories, including information that is already posted on other websites, news sources, or generally common knowledge.
Are there exceptions?
Yes, information that is subject to HIPAA, Gramm-Leach-Bliley and some California state laws is exempted from CCPA compliance.
What does CCPA mean for security?
Interestingly, businesses are not required to report security breaches under CCPA, and consumers must first file complaints before fines are possible. The best course of action for security, then, is for a business to know what data CCPA defines as “private data” and take steps to secure it.
CCPA requirements around tracking, accessing, and storing data also mean security teams will need to work closely with database administrators. Any tools selected to ensure CCPA compliance will not only need to have full visibility into data stored across the entire corporate environment but also ensure that access to this data is properly secured. Lastly, a business will need these tools to cooperate with any new consumer portal to share specific data with the verifiable consumer requesting it.
Businesses also need to be aware of potential problems if the data is stored with cloud providers. For example, employees might create a file-sharing account to keep track of marketing or sales contacts. Controlling privacy and personal information flowing between machines is already incredibly difficult, and a hurdle all businesses must keep in mind.
Potential CCPA Conflicts
CCPA currently contains many potentially conflicting provisions. One concern is businesses charging consumers different prices based on their privacy settings. For example, many businesses already have an option where a consumer can upgrade to a paid tier that blocks ads on their website.
If the consumer exercises his rights under CCPA, businesses cannot provide a lesser level or quality of product, goods or services to the consumer. On the other hand, businesses are not prohibited from charging a different price, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer’s data. Businesses must keep this in mind going forward when deciding whether to offer different qualities of service for pay.
What should businesses be doing?
Lloyd & Mousilli recommends breaking CCPA compliance into four phases and these phases will tackle six discrete work streams. The four phases are as follows:
Phases:
- Planning
- Data Gathering Activities
- Assessment & Gap Analysis
- Implementation & Remediation
Activities:
- Analysis of how and why CCPA applies to the company
- Draft Project Work Plan
- Review existing data inventories/maps for CCPA relevancy
- Develop interview questionnaire
- Identify preliminary set of questionnaires for recipients and other stakeholders
- Schedule stakeholder meetings (in person or by phone)
- Conduct data mapping
- Submit and get responses to questionnaires
- Identify all vendors and third parties that receive data and contacts for each
- Collect existing policies, procedures and practices
- Commence onsite visits and/or stakeholder telephone interviews
- Cross-reference statutory requirements to current policies, procedures and practices
- Assess vendor contracts
- Perform gap analysis
- Prepare Compliance and Risk Report
- Develop prioritized remediation plan
- Create an action plan and supporting documentation
- Update and develop new processes
- Update and draft new policies and procedures
- Update disclosures and consent documents
- Revise and/or put in place vendor contracts
Deliverables, Planning:
1. Meeting Materials & Work Plan
2. Interview questionnaire
3. Stakeholder interview schedule
4. Weekly Status Meetings and Reporting Template
Deliverables, Data Gathering Activities:
1. Completed data map
2. Completed gap analysis questionnaires
3. Stakeholder interview notes
Deliverables, Assessment & Gap Analysis:
1. Compliance Readiness Findings
2. Gap Analysis Results
3. Compliance and Risk Report
4. Remediation and Action Plans
Deliverables, Implementation & Remediation:
Same as above
These phases will tackle six discrete work streams: