How the California Consumer Privacy Act (CCPA) Will Impact Business
How the California Consumer Privacy Act (CCPA) will Impact Business
In a blog post we wrote a few months back called Four Data Protection and Privacy Laws You Must Know we discussed GDPR, China’s Cybersecurity Law, the Colorado Protections for Consumer Data Privacy law or HB 18-1128 and the California Consumer Privacy Act (CCPA) or AB-375 which is set to take effect on January 1, 2020.
Many business owners, compliance professionals, and IT security staff have been scrambling to deal with the impact that GDPR has had when it took effect on May 25th, 2018. Over 12 major fines have been levied against organizations worth 359,205,300 Euros. Marriot, British Airways, Lithuania, and of course Google in France are just several well-known brands that have suffered significant fines for breaches or improperly handling sensitive consumer data.
The CCPA is following in GDPR’s footsteps when it comes to levying fines for not following the stringent guidelines of the law. For example, the California Civil Code that defines one major sanction reads “civil class action lawsuits to pay statutory damages between $100 to $750 per California resident and incident, or actual damages, whichever is greater.”
Thus, a breach of 50,000 customer records, the minimum number of records to qualify for enforcement under the CCPA would result in damages of $37 million dollars if the $750 figure was used. Our clients are concerned, and we want to provide straight to the point, clear definitions and requirements of the legislation so they can understand exactly what is expected from a compliance standpoint.
What Exactly is the California Consumer Privacy Act (CCPA)?
Plainly, the California Consumer Privacy Act (CCPA) is a bill intended to enhance privacy rights and consumer protection for residents of California. The intention of CCPA is to provide California residents with the right to:
- Know what personal data is being collected about them.
- Know whether their personal data is sold or disclosed and to whom.
- Say no to the sale of personal data.
- Access their personal data.
- Request a business to delete any personal information about a consumer collected from that consumer. This is not the GDPR’s “right to be forgotten”
- Not be discriminated against for exercising their privacy rights.
Our clients have had numerous questions about how the law will change the way they handle sensitive data and the various requests they may receive from their customers who request data collection information or want to know other information about their PII. Let’s start with what businesses can do in order to comply with the major responsibilities mandated by the legislation. The following are fairly straightforward measures a business should take prior to the legislation going into effect on January 1, 2020, from the California Civil Code:
- “Do Not Sell My Personal Information” link on the home page of the website of the business, that will direct users to a web page enabling them, or someone they authorize, to opt-out of the sale of the customer’s personal information
- Designate methods for submitting data access requests, including, at a minimum, a toll-free telephone number
- Update privacy policies with the newly required information, including a description of California residents’ rights
- Avoid requesting opt-in consent for 12 months after a California resident opts out
- Implement processes to obtain parent or guardian consent for minors under 13 years and the affirmative consent of minors between 13 and 16 years to data sharing for purposes
In the case of the CCPA what exactly is personal information or PII? CCPA defines personal information as information that: “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household such as a real name, alias, postal address, unique personal identifier perhaps a log in name, online identifier such as an IP address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.”
Which Businesses are Affected by the California Consumer Privacy Act (CCPA)?
The CCPA applies to any business, including any for-profit entity that collects consumers’ personal data, which does business in California, and satisfies at least one of the following thresholds:
- Has annual gross revenues in excess of $25 million
- Possesses the personal information of 50,000 or more consumers, households, or devices; or
- Earns more than half of its annual revenue from selling consumers’ personal information.
Organizations are required to “implement and maintain reasonable security procedures” and practices in protecting consumer data.
What are “Reasonable Security Procedures” According to the CCPA?
A million attorneys were born out of the term “reasonable” and just as many organizations are still sitting back and waiting to see how GDPR will be enforced, they will likely do the same with CCPA. That said, the minimum requirements are fairly clear. Organizations will need to identify where on their systems PII is located and take “reasonable” steps to protect that data.
Unlike, GDPR the CCPA does not mandate that data controllers or data processors take appropriate technical measures to ensure adequate security. Rather, because the legislation was put together without technical IT security expertise in 3 months versus the GDPR which took 4 years, the legislation is overwhelmingly wordy at 10,000 words and 31 pages and rushed to a vote so much of the legislation is not clear. It, however, does establish a right of action for certain data breaches that result from violations of a business’s duty to implement and maintain reasonable security practices and procedures appropriate to the risk arising from existing California law. This essentially means that prosecutors and class action lawsuits will likely be those trying to find a precedent for what “reasonable” security practices will be.
Sorry, we couldn’t be more precise from a security standpoint here, however, what we feel certain of is that the further up the security maturity model is, the more likely the organization will be to avoid penalties.
6 Key To-Do Items for the CCPA
Let’s conclude this blog post with a few plain, straightforward pieces of advice.
First, personal data is according to the CCPA is data:
- Provided directly by users in online forms
- Collected by tracking tools and related technologies
Second, you must provide customers the right to opt-out of the sale of their personal information. Use a link on your website that reads, “Do Not Sell My Personal Information” and add that field to your customer database. In addition, do not discriminate against them by not offering discounts or free merchandise that you are providing to other folks in your database.
Third, provide a toll-free telephone number for customers and prospects in your database to request that their data be deleted. Under certain legal restrictions, you may not be able to do this.
Fourth, obtain consent for minors and retain that consent with the record in your database.
Fifth, update your privacy policies on or before January 1, 2020, and post them to your site and anywhere else you have them posted currently.
Sixth, do not request opt-in consent for 12 months after a California resident opts-out by noting this in a field in your database, CRM, and marketing automation platforms.
In the 80/20 world, implementing these 6 recommendations will better protect your organization from CCPA fines. The next 20 percent will be putting in documented controls that will “reasonably” protect your customer and prospect data from a breach. While organizations will not be able to defend against every cyber-attack, documenting how they tried to protect PII may minimize the costs and penalties from CCPA.