The California Consumer Privacy Act (CCPA), formally known as AB 375, was passed in 2018 and went into effect on 1 January. The California Attorney General notes, “[The CCPA] creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. It also requires the Attorney General to solicit broad public participation and adopt regulations to further the CCPA’s purposes.”[1] The CCPA was passed on the heels of the European Union’s General Data Protection Regulation (GDPR), which went into effect in 2018. Juliana De Groot, a Marketing Operations Specialist at Digital Guardian, notes, “Companies that already comply with the GDPR may find that they currently meet many of the requirements set forth in the California Data Privacy Protection Act. With many experts predicting that other states will follow suit in the coming years, companies across the U.S. that take proactive steps today to better protect consumer data will be best equipped to ride the waves of change.”[2] If you are late to the game and wondering whether your company must comply, De Groot lays out the parameters that determine which businesses are definitely affected by the CCPA. Those parameters are:
- For-profit entities that do business in California and collect consumers’ personal information.
- “Has annual gross revenues in excess of twenty-five million dollars ($25,000,000)…”
- “Derives 50 percent or more of its annual revenues from selling consumers’ personal information.”
If you’re not worried about the CCPA because your company isn’t headquartered in California, Maria Korolov (@MariaKorolov) warns, “Companies don’t have to be based in California or have a physical presence there to fall under the law. They don’t even have to be based in the United States.”[3]
What is the CCPA?
Korolov explains, “AB 375 allows any California consumer to demand to see all the information a company has saved on them, as well as a full list of all the third parties that data is shared with. In addition, the California law allows consumers to sue companies if the privacy guidelines are violated, even if there is no breach.” If you’re wondering how steep the penalty is for noncompliance, Korolov reports, “Companies have 30 days to comply with the law once regulators notify them of a violation. If the issue isn’t resolved, there’s a fine of up to $7,500 per record.” A company holding even a modest number of records (e.g., the 50,000 threshold) could be seriously damaged by a violation. Jeff John Roberts (@jeffjohnroberts) writes, “The effect of California’s law, which is being copied in nearly two dozen other states, could therefore be enormous. But that’s only if people assert their new rights after the law goes into effect on Jan. 1 — which is a big ‘if’ considering that relatively few have taken advantage of a similar privacy law in Europe.”[4] Samantha Ann Schwartz (@SamanthaSchann) reports, “GDPR and the CCPA have relatively similar protocols for what data is protected, but the CCPA includes information traced back to households or devices.”[5]
Even before the law went into effect, the cost of compliance was fairly steep. “For businesses affected by the privacy rules,” Roberts writes, “the burden of complying is very real. Requirements include giving consumers two ways, such as an online form and a toll-free number, to ask for their data and to demand that it be deleted. A nonpartisan report commissioned by California’s attorney general says the state’s businesses will have to spend an extra $55 billion for upfront costs, such as legal advice and engineering, or an extra $55,000 to $2 million for individual firms.” Tim Day, a senior vice president at the U.S. Chamber of Commerce, told Roberts, “Many small and midsize companies may not comply with the law, calculating that they won’t be punished or that any penalty will be cheaper than jumping through CCPA’s hoops.”
Ensuring compliance
If a company is not currently compliant with the CCPA, it has a six-month grace period before California’s Justice Department begins enforcing the law on 1 July. Schwartz suggests three things companies should consider before enforcement begins. They are:
1. Don’t look at the CCPA in isolation. Schwartz notes, “The CCPA will likely become the ‘de facto standard’ for other states developing data privacy legislation. … While industry waits on Congress for an all-inclusive federal law, states will look to the CCPA for guidance.”
2. Know the ‘new’ definition of privacy. “With more state laws cropping up,” Schwartz writes, “myriad definitions for the same ‘behaviors’ will arise.”
3. Revisit the current data management strategy. Schwartz writes, “Consumers don’t have time to read the fine print or opt-out of data actions every day. Consumers trust businesses until something goes wrong. … To alleviate those concerns, companies can adopt CCPA features into existing privacy policies and security processes. … The CCPA is giving companies, who don’t service California residents, the chance to get ahead of future privacy legislation.”
Alan L. Friel (@advmediatechlaw), a partner at BakerHostetler in California and a professor at UCLA and Loyola Law School, notes, “Businesses that have delayed CCPA preparedness are scrambling to do so.”[6] He recommends that companies still scrambling take the following actions:
- Know your data. “Companies should create a data inventory or data flow map to understand all the ways in which they may obtain PI, the types of PI they collect and share, the purposes for which they use it, the parties with whom they share it and why, how it is retained and secured, and their current data disposal practices.”
- Identify third-party partners. “With respect to disclosures, it is important to identify all the vendors and other third parties with whom PI is being shared and review the existing contracts with those parties for compliance with existing and future laws. The CCPA includes complex rules regarding vendors and other recipients of PI. Unless the Cal AG’s regulations narrow the definition of ‘sale,’ the ways in which data recipients are categorized will affect how a business is able to share the PI of an individual who has submitted a ‘do-not-sell’ request.”
- Test compliance procedures. “It may be instructive to run a test internally to assess how prepared the company is to respond to a consumer request to access and/or delete his or her PI — can you verify the validity of the request? Find all the relevant PI? Provide all the information the CCPA requires in a disclosure? Remove all the PI from your systems, or establish a legal basis for retention? Honor a do-not-sell request?”
- Validate your data security policy and procedures. “Ensure that the company has implemented sound and reasonable data security policies and procedures. The CCPA does not change California law in this regard, but it does drastically raise the stakes for security incidents by providing a private cause of action, with the possibility of statutory damages, for certain types of data breaches attributable to security inadequacies.”
Thanks to the six-month grace period, it’s not too late for companies to become compliant. The full impact of the law won’t be known until enforcement begins and penalties are assessed. Friel concludes, “A new era of consumer privacy rights has dawned in the United States, and businesses will need to have a sound understanding of the PI they collect, process, use and share in order to be able to comply with the CCPA as well as potential additional state or federal laws that may follow.”
Footnotes
[1] Xavier Becerra, “California Consumer Privacy Act (CCPA),” California Department of Justice, Office of the Attorney General.
[2] Juliana De Groot, “What is the California Consumer Privacy Act?” Digital Guardian, 15 July 2019.
[3] Maria Korolov, “California Consumer Privacy Act (CCPA): What you need to know to be compliant,” CSO, 4 October 2019.
[4] Jeff John Roberts, “New California Law Giving Consumers Control Over Their Data Sets Off a Scramble,” Fortune, 18 December 2019.
[5] Samantha Ann Schwartz, “3 things to do before California’s privacy law goes live,” CIO Dive, 18 December 2019.
[6] Alan L. Friel, “The California Consumer Privacy Act: Everything You Wanted to Know But Were Afraid to Ask — 100 Days Out, Part Two,” Law.com, 6 November 2019.