© 2022 Lloyd & Mousilli. All rights reserved.
CCPA applies to businesses that are incorporated and/or registered to transact business in California. It also applies to any business that has customers in, markets to, or otherwise advertises or seeks business or consumer contacts in California, collects consumers’ personal data, and satisfies at least one of the following thresholds:
Additionally, businesses are now required to “implement and maintain reasonable security procedures and practices” in protecting consumer data.
Hence, there are many nuances of CCPA that your business must now be aware of.
Businesses must allow consumers to choose not to have their data shared with third parties. That means businesses must be able to separate the data they collect according to consumers’ privacy choices.
Moreover, while a business cannot refuse users equal service, it can offer incentives to users who provide personal information. For example, businesses can offer discounts to people who are willing to have their data shared or sold to third parties. Thus, a business’s pricing structure might change depending on its users’ privacy choices. This has a wide range of technical and legal implications because businesses can parlay the privacy provisions of CCPA into a whole new business venture.
A business has only 45 days to provide consumers with a comprehensive report about what type of information it holds about them, whether it was sold, and to whom; if the data was sold to third parties over the past 12 months, the business must give the names and addresses of those third parties. Thus, CCPA has changed the privacy landscape in the United States forever, not just in California.
With this in mind, below is a streamlined understanding of CCPA that Lloyd & Mousilli has developed for businesses to ensure that they are in compliance.
Businesses must provide notice about the data they collect about a person, and what they do with that data. Businesses must also create a process by which individuals can exercise the rights created by CCPA. Finally, businesses must ensure that the vendors to which they send personal information protect that information and comply with their own CCPA obligations.
CCPA gives the California Attorney General the power to enforce the law and issue fines of up to $7,500 per violation. This means that if a company does not provide 100 people with their rights, it could face a $750,000 fine.
Additionally, CCPA gives individuals the right to sue businesses in the event of a data breach, which could result in a large settlement or judgment against the business.
CCPA defines “personal information” very broadly and formally considers the following “personal information”:
CCPA does not consider publicly available information as personal information. Thus, businesses do not have to worry about gathering information that falls within those categories, including information that is already posted on other websites, news sources, or generally common knowledge.
Yes, information that is subject to HIPAA, Gramm-Leach-Bliley and some California state laws is exempted from CCPA compliance.
Interestingly, businesses are not required to report security breaches under CCPA, and consumers must first file complaints before fines are possible. The best course of action for security, then, is for a business to know what data CCPA defines as “private data” and take steps to secure it.
CCPA requirements around tracking, accessing, and storing data also mean security teams will need to work closely with database administrators. Any tools selected to ensure CCPA compliance will not only need to have full visibility into data stored across the entire corporate environment but also ensure that access to this data is properly secured. Lastly, a business will need these tools to cooperate with any new consumer portal to share specific data with the verifiable consumer requesting it.
Businesses also need to be aware of potential problems if the data is stored with cloud providers. For example, employees might create a file-sharing account to keep track of marketing or sales contacts. Controlling privacy and personal information flowing between machines is already incredibly difficult, and a hurdle all businesses must keep in mind.
CCPA currently contains many potentially conflicting provisions. One concern is businesses charging consumers different prices based on their privacy settings. For example, many businesses already have an option where a consumer can upgrade to a paid tier that blocks ads on their website.
If the consumer exercises his rights under CCPA, businesses cannot provide a lesser level or quality of product, goods or services to the consumer. On the other hand, businesses are not prohibited from charging a different price, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer’s data. Businesses must keep this in mind going forward when deciding whether to offer different qualities of service for pay.
Lloyd & Mousilli recommends breaking CCPA compliance into four phases and these phases will tackle six discrete work streams. The four phases are as follows:
Phase 1: Planning
Activities:
- Analysis of how and why CCPA applies to the company
- Draft Project Work Plan
- Review existing data inventories/maps for CCPA relevancy
- Develop interview questionnaire
- Identify preliminary set of questionnaires for recipients and other stakeholders
- Schedule stakeholder meetings (in person or by phone)
Deliverables:
1. Meeting Materials & Work Plan
2. Interview questionnaire
3. Stakeholder interview schedule
4. Weekly Status Meetings and Reporting Template

Phase 2: Data Gathering Activities
Activities:
- Conduct data mapping
- Submit and get responses to questionnaires
- Identify all vendors and third parties that receive data, and contacts for each
- Collect existing policies, procedures and practices
- Commence onsite visits and/or stakeholder telephone interviews
Deliverables:
1. Completed data map
2. Completed gap analysis questionnaires
3. Stakeholder interview notes

Phase 3: Assessment & Gap Analysis
Activities:
- Cross-reference statutory requirements to current policies, procedures and practices
- Assess vendor contracts
- Perform gap analysis
- Prepare Compliance and Risk Report
- Develop prioritized remediation plan
Deliverables:
1. Compliance Readiness Findings
2. Gap Analysis Results
3. Compliance and Risk Report
4. Remediation and Action Plans

Phase 4: Implementation & Remediation
Activities:
- Create an action plan and supporting documentation
- Update and develop new processes
- Update and draft new policies and procedures
- Update disclosures and consent documents
- Revise and/or put in place vendor contracts
Deliverables:
Same as Phase 3
These phases will tackle six discrete work streams: