The California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq. (CCPA), is the first significant piece of state legislation that expands the data privacy rights of the residents of California and imposes specific obligations on companies collecting and accessing the personal data of residents in the state to maintain the security and privacy of such data. The CCPA takes effect on January 1, 2020. Compliance with the new law is likely to be time-consuming and costly and, like its cousin, the European Union’s General Data Protection Regulation (GDPR), will send many U.S. and international companies scrambling to determine how to implement a number of new data privacy initiatives.
Complicating matters, until last Friday, September 13, 2019, certain key provisions of the CCPA remained in flux. Now, after several months of anticipation, we finally have a relatively clear outline of what the CCPA will require (and how businesses can comply) after California lawmakers voted on six proposed amendments.
We have rounded up below the impact that these amendments have on the CCPA and outlined five key steps companies can take now to prepare for the CCPA before 2020.
Final CCPA Amendments
The newly passed bills amend several key aspects of the CCPA, including:
- Amending the definitions of “personal information” (which now expressly excludes de-identified or aggregated consumer information) and “publicly available” information (amended to include information available from government records)
- Providing a one-year exemption for employee data and personal information collected through business-to-business transactions
- Providing some relief for businesses run solely online from having to offer both a toll-free phone number and online method to process individual data access and deletion requests
- Adding a narrow carve-out to California residents’ data sharing opt-out right for data sharing between motor vehicle dealers and manufacturers for warranty repair or recall purposes
5 Steps to Prepare for Compliance
1. Determine whether the CCPA applies to your company
Determining whether the CCPA will apply to your company, and to what extent, is a crucial first step in the process of complying with the new law. The CCPA will cover every for-profit entity doing business in California that meets any of the following criteria:
- Has $25 million or more in annual revenue.
- Possesses the personal data of more than 50,000 consumers, households, or devices.
- Earns more than half of its annual revenue selling consumers’ personal data.
These criteria apply to a company regardless of whether it is physically located within the state, and encompass any information that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.
Notably, the CCPA contains a number of carve-outs which may affect the law’s applicability to certain companies. For example, the CCPA does not cover data already subject to federal regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Fair Credit Reporting Act (FCRA) or the Driver’s Privacy Protection Act (DPPA).
2. Update data inventory, business processes and data strategies
The CCPA expands California residents’ right to data privacy. Most prominently, the CCPA now affords California residents the right to know whether, and what kinds of, their personal data is collected, the right to have their personal data deleted, and the right to opt out of having their data sold. Notably, the “sales” opt-out right is entirely distinct from, and in addition to, the GDPR’s data subject rights. Therefore, while businesses that have rolled out privacy programs and protocols to comply with the GDPR should be well-positioned to apply such programs to CCPA compliance as well, the CCPA is not simply a GDPR analogue and therefore requires additional assessments as well as technological and business process updates.
To keep up, companies will need to update their data management systems to track a wide array of data processing activities, including, but not limited to, any business processes, products, devices, applications, and third parties that process consumer personal data. Companies that process various types of data for different purposes will need infrastructure that can identify and separate those types of data. For example, a single company may deal in data that will be sold, data that will be passed to or processed by third parties, and data sets that may be exempt from the CCPA.
3. Update privacy policies
Companies that process data from the European Union will be intimately familiar with the process of rolling out new privacy policies that encompass expanded rights to receive notice. However, the scope of the CCPA differs from the GDPR in several ways, which will require even those that have recently updated their privacy policies to do so once more.
Companies must now notify all California consumers, at or before the time of collection, of the categories of information being collected and the purposes for which the information will be used. While descriptions of the information collected and its potential uses may already be in your existing privacy notice, the CCPA also requires companies to include a process through which consumers can request specific information about their personal data and opt out of having their personal data disclosed to third parties in certain circumstances. Therefore, companies will need to update their privacy policies accordingly and be prepared to roll out those new policies and procedures by January 1, 2020.
4. Update third-party processor agreements
Those companies that use third-party vendors to process their data – including third-party technology and software providers, consultants, and marketing tools – will need to update their vendor contracts as well to require those vendors to do the following:
- Comply with the CCPA.
- Restrict vendor data usage rights where appropriate to help reduce the company’s overall CCPA compliance footprint.
Such an update may include language requiring that the vendor provide records of processing, assistance and cooperation with individual rights requests, and onsite assessment and auditing, among other things. Some companies have initiated such updates to their vendor contracts by pushing out unilateral amendments to their vendor base.
5. Implement protocols to comply with consumer rights and requests
Updating privacy policies and third-party processing agreements is a helpful initial step in complying with the notice requirement of the CCPA, but companies will need to do more in order to respond to a consumer request for additional information. As described above, California residents will have the right to request access to the personal data collected on them within the last 12 months, opt out of having their personal data sold and, in certain situations, request that their personal data be deleted.
Companies will need data management systems and protocols – both human and technological – in place to ensure the data they collect can be separated, siloed, and deleted, when necessary. Additionally, companies must be able to deliver the data to consumers, free of charge, in a readily usable format.
Complying with the CCPA will require employee training and updates to databases, policies and business processes. The CCPA allows companies a 30-day grace period to cure an alleged violation, but companies should create a plan of action sooner rather than later. The new law is both complex and ambiguous, and compliance will be time-consuming and, in some cases, expensive. Failure to comply with the new law can result in a lawsuit or a penalty from the Attorney General’s office of up to $7,500 per violation.
Understanding where to invest your compliance efforts to mitigate risk has never been more important. For further questions or information, please contact one of the authors.