We can’t deny the fact that data security and privacy regulation is increasing rapidly throughout the world, including in the US. Apart from strengthening the requirements for securing consumer personal information, individuals are now being given an increasing array of legal rights when it comes to the collection, disclosure, use, and sale of their personal data.
At the same time, organizations’ appetite for big data, and their need for ever more types of personal data elements, persists in the face of mounting security concerns and risks about permissible use.
If your company just completed the frustrating and tedious task of complying with the European Union’s General Data Protection Regulation (GDPR), or was lucky enough to escape compliance with the provisions of GDPR, the State of California with its California Consumer Privacy Act (CCPA) has thrown you a curveball.
Governor Jerry Brown signed the California Consumer Privacy Act (CCPA) into law in June 2018. It’s the first US law that follows in the footsteps of GDPR. And here’s the catch: before you gladly assume that you will not have to comply with the CCPA just because your business isn’t located in California, we would like to remind you that businesses both inside and outside of California will be affected by its requirements.
With more than eight months left to ensure compliance with the CCPA, you might be tempted to think that there’s a lot of time to assess your exposure to this new law. However, we would like to remind you that the CCPA represents a considerable shift in the way your business must operationalize various consumer privacy rights. This will need a considerable effort on your part, including the implementation of expensive technology solutions. To make compliance easier, here are 7 important questions your company should ask while assessing your CCPA risk.
1. Does The CCPA Apply To My Business?
The CCPA will apply to your company if it operates in California and meets one or more of the following thresholds:
- Works with personal information of California residents
- Has yearly revenue of more than $25 million,
- Either alone or in combination with other businesses, annually sells, buys, receives for the business’s commercial purposes, or shares for commercial reasons, the personal data of at least 50,000 consumers, devices, or households
- Generates at least 50% of its yearly revenues from selling consumers’ personal information
We will remind you that the CCPA does not distinguish between online and brick-and-mortar companies. This means that even if your business has no physical footprint or staff in the state of California, it could still be considered a business in California, and therefore you will have legal responsibilities under the CCPA. So, a physical business presence in California isn’t mandatory for the law to apply.
2. What Is Personal Information Under The CCPA?
According to the CCPA, personal information broadly includes any information which relates to, identifies, describes, can be associated with, or can reasonably be linked with, directly or indirectly, a specific consumer or household.
We will simplify this for you. This information can be a name, unique personal identifier, postal address, online identifier, email address, Internet Protocol address, account name, driver’s license number, Social Security number, passport number, certain education information, and biometric information among others.
And, crucially for marketers, it includes behavioral data derived from digital interactions between a brand and consumers, and any inferences your company draws from such data, like a consumer’s buyer persona or preferences. We will stress that you can only know and understand your risks under this law if you fully understand the scale of personal information that you collect. Equipped with this valuable knowledge, you’ll be able to reduce risks while proving your compliance.
3. Is My Business Selling Consumer Data?
This is a critical question that you need to consider while assessing your CCPA risk. Note that under the CCPA, the word “selling” covers any exchange of consumers’ personal data “for either monetary or other valuable consideration.” However, we know that the phrase “other valuable consideration” does leave some room for interpretation. For example, if your business discloses or transfers personal information to any third party under an agreement, it may be considered a “sale”. The vendor may sell the information without your company itself deriving any benefit from such a sale.
It is clear that no money has to change hands in order for personal data to be sold; that being said, what that may mean is yet to be seen. As a result, your business should ideally start preparing for compliance with a broad definition in mind.
4. When Does The CCPA Go Into Effect?
The CCPA was signed into law in California on June 28th, 2018; it will take effect on January 1st, 2020.
Once it takes effect, consumers will have the right to request that your business disclose all specific pieces of information pertaining to them for the past twelve months. That means it reaches back as early as January 1st, 2019. Your business will have to disclose whether a consumer’s personal data was released or sold to a third party. As a result, we urge you not to delay considering the impact of the CCPA on your business.
We advise you to prepare in 2 phases: prepare to meet all the requirements that are set forward in this legislation by January 1, and then monitor changes to the regulation and make adjustments as soon as possible.
The good news is that the Attorney General may choose not to bring an enforcement action under the law until 6 months after adoption of the regulations, or July 1st, 2020, whichever is earlier. It is likely you will need that extra time to finalize the implementation of your new privacy processes and to raise awareness within your company so that your employees comply with the new practices as well.
5. What Must My Business Do With The Consumer Information?
It is worth mentioning that many of the provisions in the CCPA involve complying with your consumers’ requests for their personal information. On the other hand, some provisions require your business to retain customer data you collect in specific instances. Your business must:
- Clearly disclose to requesting consumers the categories as well as the specific pieces of personal information you have collected
- Before or at the point of data collection, inform consumers about the specific types of personal data to be collected as well as the purposes for which those types of personal information will be used
- Disclose and deliver personal information (free of charge) as requested by your consumers. However, keep in mind that your business is not under an obligation to furnish personal data to a consumer more than two times in a twelve-month period.
- Re-identify or otherwise link any information that, in the usual course of business, isn’t maintained in a way that would be deemed personal information
6. What Does My Business Have To Do To Comply With CCPA?
A consumer can ask your business to disclose all the data you have on them, whom you have shared it with, and where it is stored and used. A consumer may also request that you delete their personal information. When a consumer makes such a request, you have 45 days to comply with it.
It’s also worth mentioning that, similar to GDPR, the CCPA provides a private right of action, which means that any resident of California can bring their own legal action against your company if you have violated the CCPA with regard to their personal information. Note that the law provides a fine of $750 (maximum) per incident in a private right of action.
7. Are There Any Exceptions To The Law?
You should keep in mind that the CCPA creates numerous exceptions. The CCPA, by its terms, won’t restrict your business’s ability to do the following:
- Comply with criminal, civil, or regulatory investigations or inquiries
- Comply with state, federal, or local laws
- Cooperate with any law enforcement agency
- Defend or exercise legal claims
- Collect, use, retain, sell, or disclose consumer information that is deidentified or aggregate consumer information
- Sell or collect consumer information, provided that every aspect of that conduct takes place outside the state of California
We would also like to clarify that the CCPA doesn’t apply where:
- Compliance with the law would violate or interfere with evidentiary privileges
- The personal information is medical information that is protected health information under the Health Insurance Portability and Accountability Act of 1996 or is governed by the Confidentiality of Medical Information Act
On the basis of the above information, it is vital that your business perform suitable internal diligence in order to determine whether one or more exceptions apply, and to what extent. Doing so will help refine both the scope and expense of implementation while solidifying your overall readiness efforts.
Although the CCPA has already been amended once, and it might go through more updates before it comes into effect, your business should start preparing now. You will have to update privacy notices, other procedures and policies, and your website before the law takes effect. We reckon that, at the very least, your business must start mapping all the personal data that it collects as well as the locations where such personal data is stored, in order to promptly respond to any request under the CCPA.
You should also work with someone who is knowledgeable about the law in order to determine how your business, clients, vendors and other third parties are defined under the CCPA, and then concentrate on the implications for your business.