We can’t deny the fact that data security and privacy regulation is increasing rapidly throughout the world, including in the US. Apart from strengthening the requirements for securing consumer personal information, individuals are now being given an increasing array of legal rights when it comes to the collection, disclosure, use, and sale of their personal data.
At the same time, organizations’ increasing appetite for big data, as well as their need for more types of personal data elements, persists in the face of mounting security concerns and risks about permissible use.
If your company just completed the frustrating and tedious task of complying with the European Union’s General Data Protection Regulation (GDPR), or was lucky to escape compliance with the provisions of GDPR, the State of California with its California Consumer Privacy Act (CCPA) has thrown you a curveball.
Governor Jerry Brown signed the California Consumer Privacy Act (CCPA) into law in June 2018. It’s the first US law that follows in the footsteps of GDPR. Also, here’s the catch: before you gladly assume that you will not have to comply with the CCPA just because your business isn’t located in California, we would like to remind you that businesses both inside and outside of California would be affected by its requirements.
With more than eight months left to ensure compliance with the CCPA, you might be tempted to think that there’s a lot of time to assess your exposure to this new law. However, we would like to remind you that the CCPA represents a considerable shift in the way your business must operationalize various consumers’ privacy rights. And this will need a considerable effort on your part, including the implementation of expensive technology solutions. To make compliance easy, here are 7 important questions your company should ask while assessing your CCPA risk.
The CCPA will apply to your company if it operates in California and meets one or more of the following thresholds:
We will remind you that the CCPA does not distinguish between online and brick-and-mortar companies. And this means that even if your business has no physical footprint or staff in the state of California, it could still be considered a business in California; therefore, you will have legal responsibilities under the CCPA. So, a physical business presence in California isn’t mandatory for the law to apply.
According to the CCPA, personal information broadly includes any information which relates to, identifies, describes, can be associated with, or can reasonably be linked with, directly or indirectly, a specific consumer or household.
We will simplify this for you. This information can be a name, unique personal identifier, postal address, online identifier, email address, Internet Protocol address, account name, driver’s license number, Social Security number, passport number, certain education information, and biometric information among others.
And, crucially for marketers, it includes behavioral data derived from digital interactions between a brand and consumers, and any inferences your company draws from such data, like a consumer’s buyer persona or preferences. We will stress that you can only know and understand your risks under this law if you fully understand the scale of personal information that you collect. Equipped with this valuable knowledge you’ll be able to reduce risks while proving your compliance.
This is a critical question that you need to consider while assessing your CCPA risk. Note that under the CCPA, the word “selling” encompasses or covers any exchange of consumers’ personal data “for either monetary or other valuable consideration.” However, we know that the phrase “other valuable consideration” does leave some room for interpretation. For example, if your business discloses or transfers personal information to any third party under an agreement, it may be considered a “sale”. The vendor may sell the information without your company itself deriving any benefit from such sale.
It is clear that no money has to change hands in order for personal data to be sold; that being said, what that may mean is yet to be seen. As a result, your business should ideally start preparing for compliance with a broad definition in mind.
The CCPA was signed into law in California on June 28th, 2018; it will take effect on January 1st, 2020.
Once it takes effect, consumers will have the right to request that your business disclose all specific pieces of information pertaining to them for the past twelve months. That means it goes back as early as January 1st, 2019. Your business will have to disclose whether a consumer’s personal data was released or sold to a third party. As a result, we will urge you not to delay considering the impact of the CCPA on your business.
We will advise you to prepare in 2 phases—prepare to meet all the requirements that are set forward in this legislation by January 1, and then monitor changes to the regulation and make adjustments as soon as possible.
The good news is that the Attorney General may choose not to bring an enforcement action under the law until 6 months after adoption of the regulations, or July 1st, 2020, whichever is earlier. It is likely you will need that extra time to finalize the implementation of your new privacy processes and for raising awareness within your company to ensure your employees comply with the new practices as well.
It is worth mentioning that many of the provisions in the CCPA involve complying with your consumers’ requests for their personal information. On the other hand, some provisions require your business to retain customer data you collect in specific instances. Your business must:
A consumer can ask your business to disclose all the data you have on them, whom you have shared it with, and where it is stored and used. A consumer may also request that you delete their personal information. When a consumer makes such a request, you have 45 days to comply with the request.
It’s also worth mentioning that, similar to GDPR, the CCPA provides a private right of action, which means that any resident of California can bring their own legal action against your company if you have violated the CCPA with regard to their personal information. Note that the law provides a fine of $750 (maximum) per incident in a private right of action.
You should keep in mind that the CCPA creates numerous exceptions. The CCPA, by its terms, won’t restrict your business’s ability to do the following:
We would also like to clarify that the CCPA doesn’t apply where:
On the basis of the above information, it is vital that your business perform suitable internal diligence in order to determine whether one or more exceptions apply, and to what extent. Doing so will help refine both the scope and expense of implementation while solidifying your overall readiness efforts.
Although the CCPA has already been amended once, and it might go through more updates before it comes into effect, your business should start preparing now. You will have to update privacy notices, other procedures and policies, and your website before the law takes effect. We reckon that at the very least, your business must start mapping all the personal data that it collects as well as locations where such personal data is stored in order to promptly meet or respond to any request under the CCPA.
You should also work with someone who is knowledgeable about the law in order to determine how your business, clients, vendors and other third parties are defined under the CCPA, and then concentrate on the implications for your business.
Privacy Team, Credio Inc