California is the first state to pass a comprehensive consumer privacy law with far-reaching implications. First, the California Consumer Privacy Act (CCPA) can affect organizations without a physical location in California. Second, it may push other states to accelerate passage of similar laws, as well as cause Congress to pass a national privacy law.
Your organization needs to know if it is covered under the CCPA in order to begin preparing for its technical effective date of Jan. 1, 2020. Here is your eight-step process for doing that.
- Know Your Obligation to the CCPA
Dorsey & Whitney explains that the CCPA “goes far beyond current U.S. privacy protections, and in many respects emulates elements contained in the European Union’s General Data Protection Regulation (GDPR).” And similar to GDPR, many U.S. firms are wondering if they are subject to the CCPA.
Coverage starts with the consumer, which the CCPA defines as “a natural person who is a California resident.”
Next, the CCPA applies to any for-profit legal entity that meets the following general criteria:
- Collects consumers’ personal information
- Determines how and why that information is processed
- Conducts business in California, even if only online
- Meets one of the following annual criteria:
- Gross revenue of at least $25 million
- Collects personal information for at least 50,000 consumers, households or devices
- Derives half of its annual revenue from the sale of personal information
CCPA-defined consumers have the right to:
- Know what personal information is being collected on them
- Know if that information is being sold and to whom
- Opt out of that information being sold
- Obtain a copy of their personal information
- Receive equal service and price regardless of whether they exert the above rights
- Sue for damages if their personal information is breached
The CCPA’s very broad view of personal information includes the following:
- Demographic information (i.e., name, address, email)
- A unique identifier, such as an IP address
- Account or Social Security number
- Driver’s license or passport
- Personal property records
- Online activity
- Biometric, geolocation, employment and education data
- Any inferences that an entity draws from the above information
In addition, Privacy Law Blog points out that the CCPA’s definition of personal information “includes information that is identifiable to a household, not necessarily a consumer.”
The CCPA does grant an exemption for GLBA-regulated firms, but financial institutions need to understand the exact nature of that exemption. It only extends to data that is covered under GLBA. Other CCPA-defined personal information that an entity collects is covered under this law. For example, information collected through webpage tracking—something not covered under GLBA— would be subject to the CCPA.
Importantly, the right to sue for damages in the event of a data breach is not part of the exemption and applies to GLBA-regulated firms and their GLBA-covered data.
- Map Consumer Data
If you are covered under CCPA, start by mapping all of the personal information under your control. Chronicle of Data Protection recommends asking the following questions in order to do this:
- What personal information do you collect or possess?
- How do you collect it?
- Where and how do you store it?
- Do you share it with other entities?
- Is such shared data part of a sale, a provision of service, or used for some other purpose?
As of Jan. 1, 2020, CCPA-defined consumers will have the right to request their information. Even though enforcement of the law will not begin until at least July 1, 2020, covered entities will still need to comply with such consumer requests at the start of next year. Personal information that is held by a third party on your behalf will likely pose the biggest risk. So, in addition to conducting your own data-mapping exercise, make sure all of your third-party vendors do the same and share the results with you.
- Update Privacy Disclosures
The CCPA gives consumers the right to know exactly what personal information is being collected about them. In order to comply with that, businesses must provide a disclosure “at or before the point of collection.” It must “inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.”
Covered entities must also disclose where that personal information is gathered from, the categories of third parties with whom it is shared and any specific pieces of personal information collected.
These disclosures will need to be ready by Jan. 1, 2020, and New Jersey Law Journal warns that they “will be a large part of compliance.” They should be available “through a publicly posted privacy notice, and specifically upon request by a consumer.” They must also be updated annually.
- Create a Homepage Privacy Link
The law also calls for a privacy link on the homepage of any covered entity’s business website. It must be “clear and conspicuous,” titled “Do Not Sell My Information,” and linked to a page that allows consumers to opt out of having their personal information sold.
As soon as possible, covered entities should begin the IT change management process for adding this link to their homepage because it must be visible as of Jan. 1, 2020.
- Develop a Process for Handling Consumer Requests
Starting on Jan. 1, 2020, covered entities must be ready to respond to consumer requests about their personal information that are allowed under the CCPA. These requests must be processed free of charge and within 45 days. Therefore, covered entities need to develop appropriate procedures for processing the following types of consumer inquiries:
- Request a copy of their personal information
- Request that their personal information be deleted
- Find out what categories of their personal information are being sold
- Request to opt out of the sale of personal information for those over 16 years old
- Request to opt in for the sale of personal information for those between the age of 13 and 16
- Obtain consent from a guardian to sell personal information from a consumer under 13 years old
It is important that covered entities pay attention to the above age requirements, as the law indicates that, “a business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age.” This could prove to be a risk area in complying with the CCPA.
- Identify and Implement System Changes
In order to implement the above procedures, corresponding systems will need to be updated. Go ahead and make your IT team aware that changes are coming, so they can prioritize them within their change management process. Likewise, get started on writing the new procedures in order to give your IT team as much time as possible to incorporate them into your systems by Jan. 1, 2020.
- Train Employees
Once systems are updated, begin training employees on the key aspects of the CCPA, your corresponding procedures and system updates. This education should take place prior to Jan. 1, 2020, and the result should be that employees, especially those in customer-facing roles, understand the following:
- Their physical location or that of company headquarters does not determine CCPA coverage
- For this law’s purposes, a consumer is a resident of California
- Where to direct or how to process consumer requests regarding their personal information
- Whether your organization has decided to apply this law across its entire footprint for consistency sake or only to California consumers
- Strengthen Data Security
The CCPA allows consumers to seek damages for breached personal information if it is the “result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices.” This has the potential to significantly up the financial and reputational ante of a data breach. Therefore, covered entities should review and update their information security and privacy policies and actively monitor their data security defenses to ensure this risk is mitigated to the greatest extent possible.
A Lot Might Happen in the Coming Year
Debate in California about the CCPA has not stopped. Both its opponents and supporters are still advocating for additional changes, which could mean that the law will be amended again before 2020. In addition, the California Attorney General has until July 2, 2020, to publish the law’s corresponding regulations, which will provide further clarification about complying with it.
Beyond California, other states may begin passing their own laws, although how similar is uncertain. If they do, Congress may step in with a national privacy law in order to provide some consistency for companies operating in multiple states.
As of now, those are the unknowns. The current state of the CCPA is the only known, and that is what covered entities must start preparing for as soon as possible. The upside is such preparation, in particular the data mapping, will put you in a better position to comply with any subsequent privacy laws that are enacted.