California Consumer Privacy Act: What to Know for Business Owners

The California Consumer Privacy Act (“CCPA”), formally known as Assembly Bill Law 375, is officially in effect. The law is broad in scope, and imposes many new obligations on companies that collect “personal information” from California residents.

CCPA applies to businesses that are incorporated and/or registered to transact business in California. It also applies to any business that has customers, markets and/or otherwise advertises or seeks business or consumer contacts in California, that collects consumers’ personal data, which satisfies at least one of the following thresholds:

• Has annual gross revenues in excess of $25 million;
• Buys, receives, or sells the personal information of 50,000 or more consumers or households; or
• Earns more than half of its annual revenue from selling consumers’ personal information

Additionally, businesses are now required to “implement and maintain reasonable security procedures and practices” in protecting consumer data.

Thus, even if your business is only collecting email addresses, it is subject to CCPA. Therefore, even if your business had a privacy policy in effect prior to the passing of CCPA, that policy must now be revised for CCPA compliance. Furthermore, there are steep penalties for non-compliance with the statute.

Hence, there are many nuances of CCPA that your business must now be aware of.

What are the key privacy provisions in CCPA?

Businesses must allow consumers to choose not to have their data shared with third parties. That means businesses must be able to separate the data they collect according to consumers’ privacy choices.

Moreover, while a business cannot refuse users equal service, it can offer incentives to users who provide personal information. For example, businesses can offer discounts to people who are willing to have their data shared or sold to third parties. Thus, a business’s pricing structure might change depending on its user’s privacy choices. This has wide range of technical and legal implications because businesses can parlay the privacy provisions of CCPA into a whole new business venture.

California law also allows consumers great access to their records. Businesses will have trouble pulling information together if they do not maintain a comprehensive data collection process and compliant privacy policy. The amount of data that businesses collect through web traffic alone is already massive and continues to grow.

A business has only 45 days to provide consumers with a comprehensive report about what type of information they have, was it sold, and to whom, and if it was sold to third parties over the past 12 months, it must give the names and addresses of the third parties the data is sold to. Thus, CCPA has changed the privacy landscape in the United States forever, not just in California.

With this in mind, below is a streamlined understanding of CCPA that Lloyd & Mousilli has developed for businesses to ensure that they are in compliance.

What does CCPA actually require businesses to do?

Businesses must provide notice about the data it collects about a person, and what it does with that data. Businesses must also create a process by which individuals can exercise the rights created by CCPA. Finally, businesses must ensure that vendors send personal information to protect the information and comply with their CCPA obligations.

What rights does CCPA create?

• Transparency - Identification and discloses to consumers of the information being collected and the purpose of information collection.
• Access - Consumers have the right to access the information a business collects and maintains about them. 
• Opt-Out - Consumers are able to opt-out of having their information sold.
• Deletion - Consumers can have their information deleted (in some circumstances). 
• Portability - Consumers have a right to get a copy of the information a business has about them. 
• Equal Service - Businesses cannot discriminate against consumers who exercise their rights, including access to information rights
  
  

What are the penalties for non-compliance?

CCPA gives the California Attorney General the power to enforce the law and issue fines of up to $7,500 per violation. This means that if a company does not provide 100 people with their rights, it could face a $750,000 fine. 

Additionally, CCPA gives individuals the right to sue businesses in the event of a data breach, which could result in a large settlement or judgment against the business. 

What counts as “personal information?”

CCPA defines “personal information” very broadly and formally considers the following “personal information”:

• Real name, alias, postal address, unique personal identifier, online identifier IP address, email address, account name, Social Security number, driver’s license number, passport number/ other similar identifiers
• Characteristics of protected classifications under California/federal law
• Commercial information including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies
• Biometric information
• Internet/other electronic network activity information including, but not limited to, browsing history, search history and information regarding a consumer’s interaction with a website, application or advertisement
• Geolocation data
• Audio, electronic, visual, thermal, olfactory/similar information
• Professional/employment-related information
• Education information as defined in the Family Educational Rights and Privacy Act
• Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes

CCPA does not consider publicly available information as personal information. Thus, businesses do not have to worry about gathering information that falls within those categories, including information that is already posted on other websites, news sources, or generally common knowledge.

Are there exceptions?

Yes, information that is subject to HIPAA, Gramm-Leach-Bliley and some California state laws is exempted from CCPA compliance.

What does CCPA mean for security?

Interestingly, businesses are not required to report security breaches under CCPA, and consumers must first file complaints before fines are possible. The best course of action for security, then, is for a business to know what data CCPA defines as “private data” and take steps to secure it.

CCPA requirements around tracking, accessing, and storing data also mean security teams will need to work closely with database administrators. Any tools selected to ensure CCPA compliance will not only need to have full visibility into data stored across the entire corporate environment but also ensure that access to this data is properly secured. Lastly, a business will need these tools to cooperate with any new consumer portal to share specific data with the verifiable consumer requesting it.

Businesses also need to be aware of potential problems if the data is stored with cloud providers. For example, employees might create a file-sharing account to keep track of marketing or sales contacts. Controlling privacy and personal information flowing between machines is already incredibly difficult, and a hurdle all businesses must keep in mind.

Potential CCPA Conflicts

CCPA currently contains many potentially conflicting provisions. One concern is businesses charging consumers different prices based on their privacy settings. For example, many businesses already have an option where a consumer can upgrade to a paid tier that blocks ads on their website.  

If the consumer exercises his rights under CCPA, businesses cannot provide a lesser level or quality of product, goods or services to the consumer. On the other hand, businesses are not prohibited from charging a different price, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer’s data. Businesses must keep this in mind going forward when deciding whether to offer different qualities of service for pay.

What should Businesses be doing?

Lloyd & Mousilli recommends breaking CCPA compliance into four phases and these phases will tackle six discrete work streams. The four phases are as follows:  

PhasesPlanning  Data Gathering ActivitiesAssessment & Gap AnalysisImplementation & RemediationActivitiesAnalysis of how and why CCPA applies to the company ­ Draft Project Work Plan ­ Review existing data inventories/maps for CCPA relevancy ­ Develop interview questionnaire ­ Identify preliminary set of questionnaires for recipients and other stakeholders ­ Schedule stakeholder meetings (in person or by phone)  ­ Conduct data mapping ­ Submit and get responses to questionnaires ­ Identify all vendors and third parties that receive data and contacts for each ­ Collect existing policies, procedures and practices ­Commence onsite visits and/ or stakeholder telephone interviews  Cross-reference statutory requirements to current policies, procedures and practices ­Assess vendor contracts ­Perform gap analysis ­Prepare Compliance and Risk Report ­Develop prioritized remediation plan ­ Create an action plan and supporting documentation  Update and develop new processes ­ Update and draft new policies and procedures ­ Update disclosures and consent documents ­Revise and/or put in place vendor contracts  Deliverables1. Meeting Materials & Work Plan
2. Interview questionnaire  
3. Stakeholder interview schedule
4. Weekly Status Meetings and Reporting Template  1. Completed data map
2. Completed gap analysis questionnaires
3. Stakeholder interview notes  1.Compliance Readiness Findings 2. Gap Analysis Results
3. Compliance and Risk Report  
4. Remediation and Action Plans  Same as above

These phases will tackle six discrete work streams:

Work-streamDescriptionData MappingReview/update Personal Information inventories and flows to understand what Personal Information is being processed, for what purposes, where and who has accessVendor ReviewIdentify vendors/service providers to whom Personal Information is transferred, how such Personal Information is used/further shared/sold ­ Review and revise contracts ­ Diligence to ensure consumer right fulfillment mechanismsConsumer Request Fulfillment­ Review systems and operations to ensure ability to comply with data subjects’ requests ­ Provide opt-out mechanism and rights request channels ­ Establish policies and procedures for data subject requests, including identity verificationPrivacy DisclosuresUpdate privacy policy disclosures and ensure proper notifications are provided prior to collection of Personal InformationIT SecurityReview systems and operations to ensure appropriate encryptions used for data ­Establish and document data retention policies for each category of data to ensure data minimizationOngoing ComplianceEstablish training program and update/establish appropriate internal compliance policies and procedures

WRAP UP

Once your business has completed internal assessments, Lloyd & Mousilli recommend retaining an attorney to review all existing measures, including preparing a privacy policy if none previously existed or, if one does exist, analyzing and revising the current privacy policy to ensure compliance. Lloyd & Mousilli is on board to assist you in this process.