Ready, Set, Go. Your Essential Cheat Sheet for CCPA Compliance
As most (but not all) businesses know, the California Consumer Privacy Act of 2018 (the “Act” or “CCPA”) goes into effect January 1, 2020. It is estimated that more than 500,000 companies are subject to the CCPA, many of them smaller and mid-size businesses that may not have pre-existing robust privacy policies and procedures.
The CCPA applies to for-profit entities that both collect and process the personal information (as defined in the Act) of California residents and do business in the State of California, whether or not the business has a physical presence in California. Businesses that meet at least one of the following criteria are subject to the Act:
- Generate annual gross revenue in excess of $25 million,
- Receive or share personal information of more than 50,000 California residents annually, or
- Derive at least 50 percent of their annual revenue from selling the personal information of California residents.
While enforcement actions by the Attorney General won’t begin until six months after the final regulations are published, or July 1, 2020, companies need to ensure they are in compliance on January 1, 2020, when the Act goes into effect. This article is a summary of a five-part series designed to guide companies through compliance, “Complying with the California Consumer Privacy Act in 5 (More or Less) Not So Easy Steps.”
A company cannot comply with the Act without understanding what data the company collects, how it uses the data and who has access to it. Understanding how the company collects, processes, transmits and stores data – as well as how it’s used and who uses it – is the foundation of a data privacy program and the key to complying with the Act and most other privacy regulations. A company’s data is often its most valuable asset, but the exact movements of sensitive data are often poorly understood, providing unknown exposure points and increasing the risk of data loss.
There is a benefit to this practice that goes beyond complying with the Act. Companies can determine the extent of their data collection practices and whether those practices advance the business. Companies must realize that every piece of data they hold is not just an asset, but also a liability. Eliminating unnecessary data reduces liability exposure. Understanding a company’s data profile leads to efficiencies in operations and can better rationalize the costs associated with maintaining data, including cybersecurity and insurance expenses. Learn more here.
Under the CCPA any California resident may bring a private right of action, with statutory damages of up to $750 per incident, if their unencrypted or unredacted personal information has been exposed due to a business’s failure to maintain appropriate security safeguards. One of the important ways to reduce potential liability in a data breach is preparation for what is seen as inevitable. Companies need to be realistic: avoiding a breach is difficult, and may not be possible to achieve – so a response plan is essential. A sufficient incident response plan offers a course of action for all significant incidents, not just data breaches.
When a significant disruption occurs, the company needs a thorough, detailed incident response plan to stop, contain, and control the incident quickly. While every plan is different, just like every company is different, all plans share some key elements in common:
- A list of roles and responsibilities for the incident response team members.
- A list of the outside experts – attorneys, forensic investigators, public relations and others – whom the company can call upon.
- The procedures for reporting a breach, including specifically who should be contacted and in what order.
- A business continuity plan.
- A summary of the tools, technologies, and physical resources that must be in place.
- A list of critical network and data recovery processes.
- Communications protocols, both internal and external.
See here for additional information on breach response plans.
California residents, including minors, have the right to know if their personal data is being collected, to whom the data is being sold, and with whom it is being shared. California residents have the further right to object to the sale of their data and to have their data deleted. In short, California consumers now own their personal information and have real control over it. It is important to note that personal data includes almost any data that can identify an individual, not just financial data.
The Act mandates that any company subject to the CCPA make specific public disclosures, including:
- The categories of personal information collected about the consumer;
- The sources from which that information is collected;
- The commercial or business purpose for which the personal information is collected;
- The categories of third parties the information will be shared with; and
- Specific pieces of personal information collected about the consumer.
The policy must include a clause notifying consumers of their right to opt out of having their personal information sold or disclosed to third parties. If the business has not sold or disclosed consumers’ personal information to a third party in the preceding 12 months, the privacy policy must reflect this fact.
Read further for tips that make for stronger policies and more efficient workflow.
Part 4 – Verified Requests for Data
Under the Act, companies must develop or identify internal mechanisms to respond to a consumer’s exercise of their right to access the information collected about them, verify their identity, respond within the mandated 45 days, and document both the request and response.
The California Attorney General has proposed regulations to help businesses determine when a request is a verified consumer request (VCR), which are likely to go into effect, substantially in their current form, in April 2020. To comply with the Act, companies need to adopt verification procedures that meet both the Act and the Attorney General’s regulations. For example, rather than immediately releasing requested data, companies should consider the following response: “We received a request from this account for access to all personal information we have collected about you in the last 12 months. If this was you, please respond with XYZ. If this was not you, please contact our privacy hotline immediately at XXX, or the State Attorney General’s office at XXX.”
Companies should also consider limiting what information they collect about consumers. Doing so will mitigate the vast new burdens imposed by the CCPA, as well as inadvertent disclosure of that information to unauthorized third parties under the new law.
There will no doubt be consumer lawsuits against companies alleging that they failed to properly comply with CCPA, but we can also expect follow-on suits against companies who tried in good faith but failed in one or another aspect of implementation by “sharing” personal data of a consumer with the wrong consumer. Read more on how to avoid that here.
Under Section 1798.105 of the CCPA, consumers have the right to request that a business delete “any personal information about the consumer which the business has collected from the consumer.” The business must fulfill such requests, and direct “any service providers to do the same,” within 45 days of receiving a “verified request” or “verifiable request” from the consumer. This right to delete data should be included in the company’s privacy policy.
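As an added illustration of the kind of internal mechanism Part 4 and the deletion paragraph above call for, the Python below keeps a small ledger for an access or deletion request: it records the request, issues a one-time confirmation challenge of the “If this was you, please respond with XYZ” sort, releases nothing until the challenge is echoed back, tracks the 45-day response window, and writes an audit trail of both the request and the response. This is example code written for this article, not code from the article or from JMBM; the token lifetime, the account identifiers and the service-provider names are assumptions made for illustration, and the ledger is in-memory only.

```python
# Added example (not from the article or JMBM): a minimal request ledger for
# CCPA access/deletion requests that tracks identity verification, the 45-day
# response window and an audit trail. Token lifetime, account identifiers and
# service-provider names below are assumptions made for illustration.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from enum import Enum
from typing import List, Optional, Tuple

RESPONSE_WINDOW_DAYS = 45              # response window named in the article
TOKEN_LIFETIME = timedelta(hours=24)   # assumed: how long a challenge stays valid


class RequestType(Enum):
    ACCESS = "access"   # right to know what was collected
    DELETE = "delete"   # right to delete (Section 1798.105)


class Status(Enum):
    RECEIVED = "received"
    VERIFICATION_SENT = "verification_sent"
    VERIFIED = "verified"
    FULFILLED = "fulfilled"


@dataclass
class ConsumerRequest:
    request_id: str
    account: str                       # identifier of the account that asked
    request_type: RequestType
    received_on: date
    status: Status = Status.RECEIVED
    token_hash: Optional[str] = None   # only a hash of the challenge is stored
    token_expires: Optional[datetime] = None
    audit_log: List[Tuple[datetime, str]] = field(default_factory=list)

    @property
    def deadline(self) -> date:
        """Last day on which the business must respond."""
        return self.received_on + timedelta(days=RESPONSE_WINDOW_DAYS)

    def days_remaining(self, today: date) -> int:
        return (self.deadline - today).days

    def log(self, when: datetime, event: str) -> None:
        self.audit_log.append((when, event))


def open_request(request_id: str, account: str, kind: RequestType,
                 now: datetime) -> ConsumerRequest:
    """Record a new request; the clock for the 45-day window starts here."""
    req = ConsumerRequest(request_id, account, kind, now.date())
    req.log(now, f"{kind.value} request received from account {account}")
    return req


def issue_verification(req: ConsumerRequest, now: datetime) -> str:
    """Create a one-time challenge to send through the account's own channel.

    Nothing is released until the account holder echoes the token back;
    the ledger keeps only its SHA-256 so a leaked ledger is not a leaked token."""
    token = secrets.token_urlsafe(16)
    req.token_hash = hashlib.sha256(token.encode()).hexdigest()
    req.token_expires = now + TOKEN_LIFETIME
    req.status = Status.VERIFICATION_SENT
    req.log(now, "verification challenge sent to account channel")
    return token


def confirm(req: ConsumerRequest, submitted: str, now: datetime) -> bool:
    """Check the echoed token: single use, expiry enforced, constant-time compare."""
    if req.status is not Status.VERIFICATION_SENT or req.token_hash is None:
        req.log(now, "confirmation attempted with no outstanding challenge")
        return False
    if now > req.token_expires:
        req.log(now, "confirmation rejected: token expired")
        return False
    digest = hashlib.sha256(submitted.encode()).hexdigest()
    if not hmac.compare_digest(digest, req.token_hash):
        req.log(now, "confirmation rejected: token mismatch")
        return False
    req.status = Status.VERIFIED
    req.token_hash = None  # one use only
    req.log(now, "identity verified")
    return True


def fulfill(req: ConsumerRequest, now: datetime,
            service_providers: List[str]) -> List[str]:
    """Act on a verified request and return the actions taken for the record.

    A deletion also lists each service provider that must be directed to delete."""
    if req.status is not Status.VERIFIED:
        req.log(now, "fulfilment refused: request not verified")
        raise PermissionError("request not verified")
    if now.date() > req.deadline:
        req.log(now, "fulfilled after statutory deadline")  # act anyway, but flag it
    actions = []
    if req.request_type is RequestType.DELETE:
        actions.append(f"deleted personal information for {req.account}")
        actions += [f"deletion directive sent to service provider {p}"
                    for p in service_providers]
    else:
        actions.append(f"disclosure package compiled for {req.account}")
    req.status = Status.FULFILLED
    for action in actions:
        req.log(now, action)
    return actions
```

The ledger refuses to fulfill anything that has not passed `confirm`, which is the check that keeps one consumer’s data from being sent to whoever asked for it; the audit log is what documents the request and the response if the handling is later questioned.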
The CCPA gives consumers two related rights regarding the sale of personal information: 1) a “right to opt out” of the sale of personal information, and 2) for consumers under the age of 16, a “right to opt in.” To meet their obligations regarding the “do not sell” rights in the CCPA, businesses must provide a “reasonably accessible” and “clear and conspicuous link” on their homepage, titled “Do Not Sell My Personal Information.”
The CCPA also contains a non-discrimination provision in Section 1798.125 that relates to the prices and quality of goods and services a business provides to its consumers. To protect consumers who exercise their privacy rights under this law, the provision prohibits businesses from: (1) denying them goods or services; (2) charging them a different (i.e., higher) price; (3) providing them goods or services of a different (i.e., lower) quality; or (4) suggesting that (2) or (3) will occur. Read more in depth about these consumer rights here.
Conclusion
The CCPA is not the last word in privacy for the businesses subject to the Act. Alastair Mactaggart, the driving force behind the CCPA, is collecting signatures for another sweeping privacy law that will, if approved by California voters in November 2020, further complicate the privacy landscape in California. In addition, several states have adopted, or are considering, privacy legislation that is similar, but not identical, to the CCPA, and businesses will have to take it into account. Moreover, the federal government continues to debate privacy laws and regulations, which may or may not pre-empt state laws. Finally, we can expect a variety of private lawsuits and Attorney General actions that will create case law and shape the practical application of the CCPA. For all these reasons, companies will need to address privacy on an ongoing basis – including consultation with legal counsel and privacy experts – as we grapple with new developments.
Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.
JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.