A deeper look at the CCPA
The California Consumer Privacy Act (CCPA) was enacted in June 2018 and goes into effect on January 1, 2020. The CCPA, which will bring certain privacy rights to California residents, will be the most comprehensive privacy law ever to take effect in the United States. It will bring increased transparency to how personal information is used, and it reflects the growing demand for privacy protection. Additionally, the CCPA is likely to set the foundation for further privacy regulation across America.
Who Must Comply?
The CCPA will affect any business storing or collecting data about California residents. The law will impact an estimated 500,000 organizations conducting business in California.
Specifically, the CCPA applies to any for-profit entity that (i) does business in California, (ii) collects personal information of California residents (or has such information collected on its behalf), (iii) determines on its own or jointly with others the purpose and means of processing that information, and (iv) meets one or more of the following criteria: (a) has annual gross revenues in excess of $25 million, adjusted for inflation; (b) annually buys, receives for a commercial purpose, sells or shares the personal information of 50,000 or more consumers, households or devices; or (c) derives 50 percent or more of its annual revenues from selling consumers’ personal information.
The CCPA also applies to any entity that either controls or is controlled by a covered business, or shares common branding with a covered business, such as a shared name, service mark, or trademark.
Who is Protected?
The CCPA protects consumers who are in California for anything other than a temporary or transitory purpose. The CCPA also protects consumers who are domiciled in California but are currently outside the state for a temporary or transitory purpose. The term “consumers” is broadly interpreted and includes customers of household goods and services, employees, and parties to business-to-business transactions.
What Privacy Rights are Protected?
The law protects all personal information that identifies, relates to, describes, is capable of being associated with, or may reasonably be linked, directly or indirectly, with a particular consumer or household. Some of the specific rights enumerated under the law are as follows:
- Right of Privacy Notice / Information: Businesses will have the obligation to provide consumers with details regarding how their data is processed. Consumers have the right to know the categories of personal information collected, the sources of those categories, and the business or commercial purposes for collecting or selling personal information. Third parties must also give consumers explicit notice before re-selling personal information that the third party acquired from another business. Thus, businesses must keep a running list of all of their vendors, the exact personal information collected by those vendors, and whether or not such personal information is then deidentified by each vendor.
The statute includes eleven specific personal information categories that businesses must use when providing their required disclosures. Those categories include identifiers such as a real name, an alias, a postal address, an email address, a unique personal or online identifier, an internet protocol (IP) address, an account name, a social security number (SSN), a driver’s license or passport number, or other similar identifiers.
- Right to Opt-Out of Personal Information Sales: Businesses must enable and comply with a consumer’s request that the business not sell their personal information to a third party. A clear and conspicuous link on the business’s webpage must say, “Do Not Sell My Personal Information.” This link should direct consumers to an opt-out option. A business must not request reauthorization to sell a consumer’s personal information for at least 12 months after the person opts out.
- Right of Deletion of Personal Information (The Right to be Forgotten): Consumers may request that any personal information collected by a business be deleted. The business must then also instruct its service providers to delete the data.
How to Respond to Requests
Consumers may make most information requests twice a year and only for a 12-month lookback. There are no limits on deletion and do-not-sell requests. When a request is made, a business must (i) comply with a verifiable consumer request; (ii) respond within 45 days after receipt, potentially extendable once for another 45 or 90 days upon notifying the consumer; (iii) inform the consumer of the reasons for not taking action; and (iv) provide the information free of charge, unless the request is manifestly unfounded or excessive.
What is the risk of Noncompliance?
Non-compliant businesses are liable for damages of between $100 and $750 per consumer, per incident, or actual damages, whichever is greater. Under the CCPA, non-compliant businesses are also subject to class-action lawsuits and injunctions. Further, the California Attorney General may bring actions for civil penalties of $2,500 per unintentional violation, or up to $7,500 per violation if intentional. The law does, however, grant companies a 30-day period to cure violations.
Unfortunately, there is still a lot of ambiguity within the law. And with the CCPA not taking effect for months, lobbying groups continue to work to limit its scope. Much of the lobbying is coming from major tech companies and advertising firms. These companies are lobbying for amendments to the CCPA as well as pushing Congress to enact a federal privacy law rather than moving forward with state law. The California state legislature also continues to work on changes to the CCPA. The state assembly’s Privacy and Consumer Protection Committee held a hearing earlier this month in which it advanced bills to amend the CCPA.
For example, under Assembly Bill 25, the definition of consumer in the CCPA would be narrowed to exclude individuals whose information has been collected during the course of applying for a job. Assembly Bill 981 aims to exempt insurance companies from having to comply with the CCPA. Assembly Bill 873 would amend the definitions of personal information and of the type of information known as ‘deidentified’. The definition of ‘deidentified data’ would follow the three-part test used by the Federal Trade Commission to define the term. While the CCPA requires that companies provide only a toll-free number for submitting requests, Assembly Bill 1564 would allow companies to make a toll-free number, an email address, or a website available to consumers who want to submit requests under the CCPA.
The Office of the Attorney General has been conducting meetings in cities throughout California in order to gather practical observations, complaints, and suggested directions that will help shape these regulations. The California Department of Justice expects to publish a Notice of Proposed Regulatory Action concerning the CCPA in the fall of 2019.
Implementing comprehensive changes to a company’s data collection, processing, usage and storage practices can be a resource-intensive and time-consuming exercise. Thus, even though the statute is far from clear, now is the time to begin developing your compliance programs and procedures.
It is also worth noting that the CCPA is likely just the beginning for privacy law in the United States. Businesses across the country should consider proactively building and maintaining a privacy framework in preparation for whatever privacy legislation appears next on the state and/or federal level.
At Elevate, we are here to assist you with performing gap analysis and providing remediation services towards your IT compliance and privacy requirements.