Multinational US organizations spent nearly $8 billion preparing for the GDPR. We can expect to see similar numbers in 2020 when the California Consumer Privacy Act (CCPA) is enforced.
On January 1, the CCPA will be the strictest data privacy law the US has ever seen. The CCPA uses a broader definition of “private data” than similar laws and could have more repercussions for US companies than the GDPR.
What makes compliance even more difficult is that the bill was put together and passed quickly, and there have since been several amendments and industry-wide confusion about key provisions.
2020 is right around the corner but it’s not too late to find out more about new consumer rights, how to make your organization compliant and the penalties for violations.
Who Must Comply
As with the GDPR, the CCPA may apply even if you are located outside of California, and even if you believe you don’t conduct business with its residents.
The act sets out three thresholds. Your business must comply with the CCPA if it does business with California consumers and meets one (or more) of the following:
- You make $25 million or more in annual revenue
- You buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices per year
- You make more than half your revenue by selling personal data
The general rule is that if your business is active on the Internet, if you have a newsletter or you sell products online, you will likely have to comply with the CCPA.
Insurance institutions, agents and support organizations, however, are exempt from CCPA since they are already regulated by the Insurance Information and Privacy Protection Act (IIPPA).
Defining Personal Information
If you think you meet criteria two or three, but you’re not sure what constitutes personal data, you’re not alone. There has been a lot of confusion around the CCPA’s definition of personal information and personal data.
The CCPA provides a thorough definition of personal information that includes everything from a first name to search history to geolocation data.
Most lawyers and experts recommend that if you collect any information about anyone, it would be wise for your business to comply with the CCPA’s provisions. They say any information because the CCPA lists 11 categories of personal information, and they say about anyone because the act also defines the word “consumer” broadly.
Note: the act’s definition of consumer extends to Californians who are traveling or temporarily out of state (at university, for example). Since you usually cannot tell residency from a record, err on the side of caution and treat all personal data according to the CCPA.
Consumer Rights Under the CCPA
The CCPA gives consumers in California greater power over their personal data, including what is collected and for what purpose, as well as with whom it is shared.
Consumers will now have: the right to notice, the right to access, the right to opt out (and, for minors, to opt in), the right to request deletion and the right to equal services and prices.
Right to Notice
Organizations must notify consumers which categories of personal data they collect, and why, at or before the point of collection. The business must notify consumers again before it collects new categories of information or uses information for new purposes.
The right to notice leads to greater transparency of the buying and selling of personal data. When an organization is more transparent about this process, consumers will be able to make more informed decisions about what information they’re sharing and for what reasons.
Right to Access
The right to access allows consumers to find out, in much greater detail, the collection, use and whereabouts of their personal data.
According to Davis Wright Tremaine LLP, consumers can request that businesses share:
- The categories of personal information collected
- The categories of sources from which personal information is collected
- The business or commercial purpose of the collection
- The categories of third parties with which the business shares the information
- The specific pieces of personal information the business holds
Consumers can file a request at any time, within reason. Once they have, the company has 45 days to provide an accessible report containing all of the above information. Organizations that store consumer data in multiple locations (e.g., a cloud database and a filing cabinet) or mediums (e.g., physical and digital) should adjust their procedures to be sure they can meet this deadline.
Companies that do not respond to access requests or miss the deadlines will face penalties and fees under the CCPA (but more on this later).
Right to Opt Out (and In)
Under the CCPA, consumers have the right to opt out of having their data shared or sold.
A consumer can demand, at any time and for any reason, that a business stop selling their personal information. Once the demand is made, the organization must wait 12 months before asking the consumer if they would like to opt back in.
For minors, the CCPA provides for a right to opt in to the sale of data. For those under 13, their parent or legal guardian must opt in on the minor’s behalf.
Note: the CCPA defines “sale” very broadly. According to the bill: “Sell, selling, sale, or sold, means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration”.
Right to Request Deletion
The right to request deletion gives consumers the power to ask an organization to delete the personal information they’ve collected. This right helps consumers limit the amount of personal data they have out there.
Note that the right is to request deletion. You do not have to comply with a request to delete personal information if you need the information to:
- Complete a transaction
- Detect security incidents
- Exercise free speech
- Defend against legal claims
- Otherwise use the personal information internally and “in a lawful manner that is compatible with the context in which the consumer provided the information”
Right to Equal Services and Prices
The final right awarded to consumers concerns equality. This means that an organization cannot discriminate against a consumer who does not want their personal information collected by offering them subpar services or charging them inflated rates.
A company can, however, offer incentives to users who provide personal information. It would be legal to offer financial incentives, such as a discount, for consumers who have permitted the organization to collect and/or share their personal information.
Six Steps to Compliance
Organizations that were affected by the GDPR may have already taken several steps in the right direction. We broke compliance down into six steps that will help make sure you are respecting the rights of consumers and complying with the CCPA’s requirements.
In order to comply, you’ll need to: map your data, identify your vendors, secure access and storage, establish proper procedures, know the rules and deadlines, and edit your culture.
Map Your Data
Data mapping, according to Davis Wright Tremaine LLP, is the “process of understanding and classifying what data is collected; how data is collected, processed and transmitted; with whom it is shared; where it is stored; how it’s used, for what purpose and by whom”.
So, your first task is to create an inventory of the personal information you’ve already collected and map it out. Until now, most organizations have collected personal data without having to track it or consider how it’s stored.
After data mapping you’ll better understand your current data situation, so you can improve how you organize and secure data. Going forward, the map is what lets you fulfill access and deletion requests quickly and focus your security efforts on the stores that actually hold personal information.
Identify Your Vendors
Just as you took the time to pinpoint your data, pinpoint your vendors. According to the CCPA, a third party means a person or business who is not any of the following:
- The business that collects personal information from consumers under the CCPA (i.e., not your organization if your organization is the one collecting the information);
- A person or business to whom the business discloses a consumer’s personal information for a business purpose pursuant to a written contract with specific stipulations laid out.
Using this definition, identify the third parties with whom you share personal information and confirm that they use and store this data in a CCPA-compliant manner.
Make sure that your vendors are willing and able to fulfill deletion and opt-out requests, and put the CCPA’s restrictions into a written contract with each of them. Your organization can be held responsible for a vendor’s non-compliance, so if the vendor is unable or unwilling to meet deadlines, that becomes your problem.
Secure Access and Storage of Data
The CCPA holds companies to reasonable security practices for how they track, access and store personal data. Ensure that personal data is secure enough that you don’t risk a data breach, but accessible enough that you can quickly respond to access requests.
Consumers whose nonencrypted and nonredacted personal data has been breached have the right to sue the business if the business failed to maintain reasonable security practices appropriate to the nature of the information. Encrypting or redacting stored personal information is therefore a legal mitigation as well as a technical one.
Organizations should identify private, personal data and take appropriate steps to secure it. You should work closely with your security professionals and database administrators to strike a balance between security and accessibility.
Establish Proper Procedures
Your next step is to establish organizational processes that help your employees comply with the CCPA. Build compliance directly into the procedures that your staff are to follow.
For example, when an access request is made, the organization must deliver the data record to the consumer in a readily usable, portable format. But the organization’s job begins long before the business receives the request.
The CCPA requires that every company have at least two ways to receive consumer requests: a toll-free number and, if you have a website, an online form.
Once these intake methods are set up, you need employees whose job is to monitor requests. Create a streamlined process for receiving a request, verifying the consumer’s identity, retrieving the data record in a secure manner and sending it back. Verification matters: an access request answered for an unverified requester is a data breach by another name, so release nothing until the identity check has passed.
Know the Rules
Make sure those in your organization who carry out requests know the rules. There are deadlines and exceptions that apply when a consumer exercises their right to access.
As stated earlier, organizations have 45 days to fulfill an access request. The CCPA allows that deadline to be extended once, by a further 45 days, when reasonably necessary, provided the consumer is told about the extension within the first 45 days. That extension may be useful in the early stages as you get acquainted with the CCPA’s rules.
Additionally, businesses may charge a “reasonable fee” or refuse to respond if a consumer’s requests are manifestly unfounded or “excessive”; the act does not require a business to provide a consumer’s personal information more than twice in a 12-month period. Knowing this exception could save a lot of time and effort down the road.
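The steps above (the data map, the five items of an access report, the deletion exceptions, identity verification and the 45-day clock) fit together in one small workflow. The following Python is an added example written for this page; it is not code from the original article or from any of the firms quoted. The data map, the consumer record, the “match two data points on file” verification rule and the store names are constructed assumptions; the 45-day extension and the two-requests-per-year limit follow the statute as described in the text.

```python
"""Data-map-driven handling of CCPA access and deletion requests (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

ACCESS_DEADLINE_DAYS = 45      # response window discussed on this page
EXTENSION_DAYS = 45            # one-time extension permitted by the statute
FREE_REQUESTS_PER_YEAR = 2     # the act requires at most two access responses per 12 months


@dataclass(frozen=True)
class MapEntry:
    """One row of the data map: a personal-information field and its context."""
    store: str                         # system or location holding the field
    field: str                         # field name inside that store
    category: str                      # category of personal information
    source: str                        # category of source it was collected from
    purpose: str                       # business or commercial purpose
    shared_with: Tuple[str, ...]       # categories of third parties it is disclosed to
    retain_reason: Optional[str] = None  # deletion exception that applies, if any


# Constructed sample data map (assumption: a small shop with four stores).
DATA_MAP = (
    MapEntry("crm", "email", "identifiers", "account signup", "service delivery", ("email vendor",)),
    MapEntry("crm", "postal_code", "identifiers", "account signup", "shipping", ("shipping carrier",)),
    MapEntry("analytics", "search_history", "internet activity", "website", "recommendations", ("analytics provider",)),
    MapEntry("analytics", "geo", "geolocation", "mobile app", "store locator", ()),
    MapEntry("orders", "last_order", "commercial information", "checkout", "fulfill open orders",
             ("payment processor",), retain_reason="complete a transaction"),
    MapEntry("security_logs", "login_ip", "identifiers", "web server", "detect security incidents",
             (), retain_reason="detect security incidents"),
)

# Constructed sample stores, keyed by store name then consumer id.
STORES: Dict[str, Dict[str, dict]] = {
    "crm": {"c-1001": {"email": "ana@example.com", "postal_code": "94016"}},
    "analytics": {"c-1001": {"search_history": ["running shoes", "trail map"], "geo": "37.77,-122.41"}},
    "orders": {"c-1001": {"last_order": "order 5519, shipped"}},
    "security_logs": {"c-1001": {"login_ip": "198.51.100.7"}},
}


def verify_identity(consumer_id: str, claimed: dict, stores=STORES) -> bool:
    """Assumed rule: the requester must match at least two data points already on file."""
    on_file = stores.get("crm", {}).get(consumer_id, {})
    matches = sum(1 for key, value in claimed.items() if on_file.get(key) == value)
    return matches >= 2


def response_deadline(received: date, extended: bool = False) -> date:
    """45 days from receipt, or 90 if the one-time extension was invoked."""
    return received + timedelta(days=ACCESS_DEADLINE_DAYS + (EXTENSION_DAYS if extended else 0))


def is_excessive(prior_requests: List[date], received: date) -> bool:
    """True when the consumer has already used the two responses owed in the trailing 12 months."""
    window_start = received - timedelta(days=365)
    recent = [d for d in prior_requests if window_start < d <= received]
    return len(recent) >= FREE_REQUESTS_PER_YEAR


def build_access_report(consumer_id: str, data_map=DATA_MAP, stores=STORES) -> dict:
    """Assemble the five items an access request must answer, driven entirely by the map."""
    report = {"categories": set(), "sources": set(), "purposes": set(),
              "third_parties": set(), "specific_pieces": {}}
    for entry in data_map:
        record = stores.get(entry.store, {}).get(consumer_id)
        if not record or entry.field not in record:
            continue  # nothing held for this consumer in that field
        report["categories"].add(entry.category)
        report["sources"].add(entry.source)
        report["purposes"].add(entry.purpose)
        report["third_parties"].update(entry.shared_with)
        report["specific_pieces"][f"{entry.store}.{entry.field}"] = record[entry.field]
    return report


def process_deletion(consumer_id: str, data_map=DATA_MAP, stores=STORES) -> Tuple[List[str], Dict[str, str]]:
    """Delete every mapped field for the consumer unless a retention exception applies.

    Returns the deleted fields and, for retained ones, the reason to report back to the consumer.
    """
    deleted, retained = [], {}
    for entry in data_map:
        record = stores.get(entry.store, {}).get(consumer_id)
        if not record or entry.field not in record:
            continue
        key = f"{entry.store}.{entry.field}"
        if entry.retain_reason:
            retained[key] = entry.retain_reason
        else:
            del record[entry.field]
            deleted.append(key)
    return deleted, retained


if __name__ == "__main__":
    received = date(2020, 1, 2)
    claimed = {"email": "ana@example.com", "postal_code": "94016"}
    if verify_identity("c-1001", claimed):
        print("respond by", response_deadline(received))
        print(build_access_report("c-1001"))
        print(process_deletion("c-1001"))
```

The point of routing both request types through the map is that a field nobody inventoried is a field you cannot report or delete; every store a vendor or a team adds needs a `MapEntry` before it goes live, and the retention exceptions are recorded once in the map rather than rediscovered per request.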
Penalties for Violations
While the Attorney General will not begin enforcing the CCPA until the second half of 2020, it’s important to know the potential penalties now. Violating the CCPA can cause both financial and reputational damage.
If a consumer believes an organization has violated their rights under the CCPA, they must first send the business a written notice describing the violation. Violations may include breaches, theft, transfer and disclosure resulting from inadequate security practices.
If the organization cures the violation within 30 days (and sends back a written notice informing the consumer of the corrections), the consumer cannot file a lawsuit for statutory damages. If the organization does not cure it, the CCPA allows for damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater.
In addition to statutory damages, organizations that violate the CCPA will be subject to civil injunction and a civil penalty up to $2,500 per unintentional violation and $7,500 per intentional one.
In addition to lawsuits and civil fines, the amount of time spent notifying victims, recovering documents and navigating the law can grow quickly. A breach, for example, will require a lot of time and effort from your legal team, forensics, IT and public relations. It will also have a negative impact on your organization’s reputation.
Prior to the CCPA, breaches and crooked data sales could stay under the radar. Now, the CCPA will hold organizations accountable for the ways in which they collect, store and share personal data.