November 6, 2019
Countdown to the California Consumer Privacy Act (CCPA)
Posted by Pippa Akem
The pressure is on if your business handles the personal data of people living in California. The countdown to the CCPA has officially begun. The California Consumer Privacy Act (CCPA), which takes effect January 1, 2020, is changing how businesses collect and use personal data. The impact isn’t confined to California: the law is also creating momentum in other states to give their consumers greater control over the use of their personal information.
Not surprisingly, given the strength and market size of the California economy, many businesses will need to adjust their data handling practices. If you don’t yet have a roadmap for how your organization intends to comply with the disclosure, access, deletion, opt-out-of-sale, and equal service (non-discrimination) requirements of the new law, you need to move fast, assemble a team, and take some fundamental steps to determine what compliance will require of you.
To fall within the scope of the CCPA, your organization must be a for-profit business that does business in California and collects the personal information of California residents, and it must also satisfy at least one of the following criteria:
- Has annual gross revenues in excess of $25 million
- Alone, or in combination with other entities, annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices
- Receives 50% or more of annual revenues from selling consumers’ personal information
At first glance, you may not think these qualifications apply to your organization. However, the last two conditions are broad enough to capture businesses both large and small (a useful point for mobilizing your compliance team and efforts).
Many small businesses will find that they must comply with the new law. For example, a company that engages in direct marketing to households can easily reach the 50,000-record threshold if it collects data from the multiple devices associated with each household, because devices count toward the threshold just as consumers and households do. If your business derives revenue from selling personal information, determine whether 50% or more of that revenue comes from such sales; if so, your data sales practices must be brought within the new privacy requirements.
Where to Begin
Start by understanding how the CCPA defines personal information. The law defines personal information broadly but also excludes certain types of data from that definition; be sure to understand both. Under the CCPA, personal information is “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
This covers information in any form or format, such as paper, electronic records, or even the output of an algorithm. Examples of personal information include name, contact information, employment history, purchasing history, biometric information, browsing history, geolocation data, and inferences drawn from personal information to build a consumer profile. Publicly available information (information lawfully made available from government records), aggregated consumer information, and de-identified information are excluded from the definition and therefore out of scope.
The next step is to identify what data resides throughout your organization and whether it includes the data of California consumers. Several amendment bills signed into law by the governor this year may affect your organization’s compliance strategy. The recently released draft regulations raise new questions for businesses, especially around the internal processes needed to manage and mitigate the risks that surround consumer requests, while also clarifying aspects of the law that were previously unclear. Your organization needs to be aware of the requirements these amendments and draft regulations introduce. This is a good moment for those driving their company’s CCPA journey to re-evaluate their readiness work in light of these regulatory developments and the final countdown to the CCPA launch.
Don’t Neglect Vendor Contracts
Also pay attention to your vendor agreements. Be sure to include clauses that define each vendor’s role and restrict the use and sale of data. To do this, evaluate your business relationships and separate them into those that provide or fulfill services on behalf of the business (service providers) and those that do not (third parties). This separation is critical to helping you and your service providers meet your respective transparency obligations.
The CCPA defines a service provider as a for-profit legal entity that processes personal information on behalf of the business, to which the business discloses that information for a business purpose pursuant to a written contract between the parties. For such a contract to be CCPA-compliant, it must:
- Prohibit the service provider from selling the personal information.
- Prohibit retaining, using, or disclosing that information for any purpose other than performing the services specified in the contract.
- Prohibit retaining, using, or disclosing that information outside the parties, unless written authorization is obtained.
- Include terms to ensure the service provider will comply with the restrictions in the contract.
Inventory and Disclose Where You “Sell” Personal Information
If your business routinely sells consumer data, consumers now have the right to opt out of the sale of their information. Even if you are not a data broker, the opt-out right still applies if you communicate or transfer personal information to another business (one that is not your service provider) or to a third party for monetary or other valuable consideration.
The CCPA requires a business to disclose to consumers that they have the right to opt out of the sale of their data, and to display a clear and conspicuous link titled “Do Not Sell My Personal Information” on its website homepage and in its privacy policy. This link should take the consumer to a page where they can opt out.
For a business, the real focus should be on use cases where information is shared or disclosed and none of the exceptions below applies. The CCPA does not treat a disclosure as a sale when:
- The consumer directs the business to disclose the information
- The information is shared with a service provider for a business purpose
- The information is transferred as an asset in a merger, acquisition, or similar transaction
- The information is shared only to alert third parties that the consumer has opted out
- The consumer uses the business to intentionally interact with a third party
- The data is aggregated or de-identified
It is always best to move cautiously if you are uncertain whether prior notice to the consumer is required. Don’t adopt a wait-and-see approach; consult the privacy professional at your organization, or seek support from outside the business.
What Comes Next?
The CCPA era is less than sixty days away. Remaining on the sidelines is not a wise course of action. Remember that consumers’ rights are not stalled by your inaction. A privacy notice that is inaccurate, or that fails to disclose every situation in which personal information is sold, exposes the business to enforcement by the California Attorney General, who can seek civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation, although the Attorney General may not begin enforcement actions until July 1, 2020. Separately, the law’s private right of action is available to consumers from Day 1: it applies when a data breach of a consumer’s nonencrypted and nonredacted personal information results from the business’s failure to implement and maintain reasonable security procedures. A consumer who sues can recover statutory damages of between $100 and $750 per consumer per incident, or actual damages, whichever is greater, and those amounts multiply with multiple claimants. (A business is given a 30-day period to cure the violation after written notice before a consumer can seek statutory damages or the Attorney General can impose penalties.)
If you began your CCPA efforts earlier this year, be sure to perform a quality check on the workflows that support your consumer information requests. Using metrics to track the timeliness of responses and adherence to internal policies for handling requests pays off in compliance. Now is the time to implement an accountable data processing operation. Note that the proposed regulations under the CCPA are open to public comment until December 6, 2019. The final countdown to the CCPA is officially upon us!
For more information on Armanino’s data privacy solutions visit Risk Assurance & Advisory Privacy Services.
Prior to joining Armanino, Pippa held privacy roles at Fortune 500 companies, supporting General Data Protection Regulation (GDPR) implementation and the transition to California Consumer Privacy Act (CCPA) compliance. She holds the Certified in Healthcare Privacy Compliance (CHPC) designation and is a member of the Health Care Compliance Association (HCCA) and the International Association of Privacy Professionals (IAPP).