June 03, 2019
The California Consumer Privacy Act (CCPA) was signed into law in July 2018, with enforcement beginning on or after January 1, 2020, and no later than July 1, 2020. While the law is commonly referred to as the “GDPR of the US,” there are some major differences. The CCPA comes from an “Opt-Out” framework whereas GDPR is “Opt-In.” This means that even the “similarities” in the laws cannot be handled in the same way or with the same tools.
The CCPA was written and passed within a 36-hour period. Due to the short approval period, there are inconsistencies that are driving confusion among organizations on how to comply. Privacy experts are working to resolve many of these questions, but in some cases, it is simply that the law itself has conflicting statements. One of the most vexing of these shortcomings is seen in Personally Identifiable Information (PII). It has been so broadly defined that almost any data could be considered PII under the CCPA. One example of how broadly the definition is written is discussed in a post on The Privacy Law Blog, where the author points out that the CCPA’s definition of personal information “…includes information that is identifiable to a household, not necessarily a consumer.”
Fines for violating the CCPA are administered per record and have no maximum limit, whereas the GDPR politely limits total potential damages to 4% of global revenue.
Now that we’ve established that the law has a few vagaries, but also has the teeth to levy expensive fines, let’s get into some details. Here is a short primer.
The CCPA is designed to protect California residents only. For-profit organizations will need to comply with the CCPA under the following guidelines:
The organization does $25M in revenue annually. (It is unclear if this is revenue only from California or worldwide.)
The organization controls more than 50,000 PII records that are bought or sold, directly or indirectly, on an annual basis. (The law indicates these are California records.)
More than 50% of revenue is based on the sale of personal information. (Again, the law does not specify whether this applies only to California or to all records.)
Businesses that fall under HIPAA health care or Gramm-Leach-Bliley Act financial regulations have special but narrow exceptions, so it is important to know exactly how the law applies for these specific circumstances.
If you have determined your organization will likely fall under the regulation, it was time to get moving yesterday. This is not one of those laws where checking a few boxes will get you to the finish line of compliance, so urgency is paramount. The following recommendations will help your organization work towards compliance, but care must be taken to ensure the deadlines are met.
Security frameworks and policies are the backbone of privacy. The CCPA allows consumers to seek damages for breached personal information if the breach is the result of a business violation. It is the duty of the business to implement and maintain reasonable security procedures and practices. Policies should be reviewed to ensure the CCPA standards are integrated into them before following through with implementation.
The CCPA gives consumers the right to know exactly what personal information is being collected about them. To comply with this right, businesses must communicate to the customer what personal information is being collected, for example at the point of sale. Businesses must inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. All privacy policies must be updated annually.
If your organization is regulated under CCPA, start by mapping all the personal information under your control. Some of the basic questions are:
What personal information do you collect or possess?
How do you collect it?
Where and how do you store it?
Do you share it with other entities?
Is shared data part of a sale, a provision of service, or used for some other purpose?
Consumers have the right to request their information and have the option for a 12-month look-back period to see how their data was used. This means it is important to map out information flows so the requests can be fulfilled. If your organization uses third-party providers for marketing assistance, make sure they are also in compliance, since the responsibility ultimately falls on the primary organization.
Complying with the CCPA will likely require modifications to your systems and procedures. Working through your policies and data mapping will set the foundation for remediation. Depending on the system complexity, this could be a substantial effort. System remediation needs to integrate compliance requirements, minimize data, and protect privacy, which can increase planning and implementation efforts. Make sure your IT team has as much time as possible to incorporate changes into systems before the January 1, 2020 deadline.
According to the law, businesses must have a privacy link on the homepage of their website. It must be titled “Do Not Sell My Information” and linked to a page that allows consumers to opt out of having their personal information sold. The link on the homepage must be visible by January 1, 2020 as well.
Organizations need to be ready to respond to consumer requests about their personal information that will be allowed under the CCPA. These requests must be processed free of charge and within 45 days. Entities must develop appropriate procedures and technologies for processing consumer inquiries such as:
Requesting a copy of their personal information
Requesting that their personal information be deleted
Finding out what categories of their personal information are being sold
Requesting to opt-out of the sale of personal information for those over 16 years old
Requesting to opt-in for the sale of personal information for those between the age of 13 and 16
Obtaining consent from a guardian to sell personal information from a consumer under 13 years old
It is important that covered entities pay attention to these age requirements, as the law indicates that, “a business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age.”
The above roadmap should help you begin to position your organization for compliance with the CCPA and prepare for the majority of its requirements. Each organization has specific challenges, so be aware of your own unique context. You should also expect additional components of the law to come into effect as it develops.
The CCPA will significantly affect the way privacy is handled in US organizations, which must be compliant by January 1, 2020 to avoid the penalties administered by the State of California. Other states are also in the process of creating their own legislation that will place similar regulations on consumer privacy. Consumer privacy within organizations will grow in importance in the following years.