California Consumer Privacy Act: Proactive Compliance
As you may have heard, California’s new sweeping consumer privacy law went into effect on January 1, 2020. We wrote about the California Consumer Privacy Act (“CCPA”) last July, explaining its broad scope and some of the ambiguity in its regulations. Businesses should familiarize themselves with the CCPA’s requirements and update their privacy policies if necessary.
The CCPA applies to any for-profit entity that collects and processes personal information of California residents and does business in California, whether or not the business has an actual physical presence within the state. To be subject to the CCPA, a business need meet only one of the following criteria:
- Generate annual gross revenue in excess of $25 million, or
- Receive or share personal information of more than 50,000 California residents annually, or
- Derive at least 50% of its annual revenue by selling the personal information of California residents.
Although enforcement of the CCPA won’t begin until six months after final regulations are published, or July 1, 2020 (whichever comes first), businesses should try to ensure that they are in compliance on January 1, 2020, when the CCPA goes into effect.
The CCPA is designed to give consumers significant rights. The CCPA affords a consumer the right to request from businesses:
- What personal information the business has collected about them within the previous 12 months;
- A copy of their personal information;
- Whether their personal information is being sold or disclosed for a business purpose to others;
- To prohibit the sale of their personal information;
- To delete their personal information; and
- To not be discriminated against for exercising their CCPA rights.
The term “Sale” includes, among other things: “disclosing, disseminating, making available, transferring or otherwise communicating … a consumer’s personal information by the business to another business or third party for monetary or other valuable consideration.”
“Personal Information” includes, among other things, names, addresses, email addresses, social security numbers, driver’s license numbers, passport numbers, IP addresses, device IDs, cookie IDs, browsing history or other online activity, purchasing history, geolocation data, biometric information, or any other information that “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The Attorney General enforces the CCPA, and noncompliance can result in civil enforcement actions against violators in the form of monetary penalties ranging from $2,500 for a non-intentional violation up to a maximum of $7,500 for an intentional violation.
Of significance from an exposure perspective, consumers also have the right to sue businesses, individually or as a class, for breaches of their sensitive personal information, and can obtain statutory damages of up to $750 per consumer, per incident, if the breach results from a business’s failure to maintain “reasonable security procedures and practices.” This means class actions are likely for any breach. However, a business is not liable if it cures any noncompliance “within 30 days after being notified of alleged noncompliance” (although some types of noncompliance – or a data breach – may not be capable of such “cure”).
Although the CCPA is seemingly all-encompassing, there are exceptions to the rights that are afforded to consumers. Assembly Bill 25 amended the CCPA to include a one-year sunset provision exempting certain types of personal information from many of the statute’s provisions. AB 25 exempts employers for one year from abiding by the CCPA with respect to information collected “by a business in the course of the natural person acting as a job applicant to, an employee of, director of, officer of, medical staff member of, or contractor of that business.” In other words, if employers are collecting the data of their employees and job applicants for purposes solely relating to employment, the CCPA does not generally apply to the collection of that information. Once again, however, this exemption remains in effect only until January 1, 2021.
Other information exempt from the CCPA includes personal information collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act (“GLBA”), the Fair Credit Reporting Act (“FCRA”), or the Driver’s Privacy Protection Act (“DPPA”); protected health information that is collected by a covered entity governed by the privacy, security, and breach notification rules under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”); information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects (“Model Policy”) or pursuant to human subject protection requirements of the United States Food and Drug Administration (“USFDA”); and personal information collected in business-to-business transactions and interactions.
In addition, the right to delete is not absolute. Although the list below is non-exhaustive, businesses are not required to delete information “if it is necessary” to:
- Complete the transaction for which it was collected
- Provide a good or service the consumer has requested
- Perform a contract between the business and the consumer
- Detect security incidents
- Protect against “malicious, deceptive, fraudulent, or illegal” activities
- Comply with a legal obligation, in particular those of the California Electronic Communications Privacy Act
Ultimately, a variety of steps can be taken to begin compliance with the CCPA. Among these approaches are the following tips:
Identify data flows and your use of analytics/create an internal data map
This means your company should come up with a way to understand what data it collects, how it uses the data, and who has access to it. Understanding how the company collects, processes, transmits and stores personal data goes to the very core of the CCPA.
Create an inventory that includes data, collection mechanisms, data transfers, privacy and security practices and transfers to third parties.
- Submit a request to learn what has been collected (i.e. “Right to Know”);
- Request their personal information be deleted (i.e. “Right to Delete”); and
- Opt-out of the continued sale of their personal information (i.e. “Right to Opt-out of Sale”).
Specifically, businesses should lay out:
- The categories of personal information collected about the consumer;
- The sources from which that information is collected;
- The commercial or business purpose for which the personal information is collected;
- The categories of third parties that the information will be shared with; and
- Specific pieces of personal information that will be collected about the consumer.
Forge a breach response plan
This tip can be interpreted broadly to mean that a company needs to do among other things, the following:
- Create a thorough plan for when a disruption in consumer data security occurs
- Adhere to an incident response plan to stop, contain, and control the incident quickly
- Lay out communication protocols among the various departments in your company
- Create a list of outside experts that may be needed if a data breach occurs (i.e. IT/tech support, attorneys, public relations in case of a massive breach, etc.)
The definition of “Personal Information” under the CCPA is broader for most purposes of the Act than when determining a breach. Here it is limited to a person’s name and either their social security number, driver’s license, bank or credit card information, or medical or health insurance information.
- However, a data breach plan is still crucial. Create the plan, test it, and review and update it on an annual basis
Rework/review contracts with third party providers/vendors
This must be done to ensure that they qualify as service providers who fall outside the CCPA disclosure requirements. The CCPA also has a specific definition for “Service Provider” at Section 1798.140 and requires a vendor to be bound by a written contract that prohibits it from:
- Retaining the personal information for “any purpose other than for the specific purpose of performing the services specified in the contract …”
- Using the personal information for “any purpose other than for the specific purpose of performing the services specified in the contract …”
- Disclosing the personal information “for any purpose …”
If a business wants to avoid branding itself as a seller of consumers’ personal information, it would be wise to update its agreements with vendors that collect data on its behalf or with whom it shares data.
- What this essentially comes down to is that disclosure of personal information to a “Service Provider” is not a “Sale”, provided that your agreement explicitly prohibits them from selling or using the personal information for any purpose other than the one set forth in your agreement, and contains other restrictions set forth in the CCPA
Include a clear and conspicuous link titled “Do Not Sell my Personal Information” if your company sells personal information of CA residents
Create multiple methods for verifiable consumer requests
Display these methods on the company’s homepage, including a toll-free telephone number and link(s).
Respond to consumer requests in a timely fashion
Develop internal procedures for evaluating and responding in a timely manner to requests for information and deletion, as companies will have 45 days to respond to consumer inquiries.
- The following response can be a template to work off: “We received a request from this account for access to all personal information we have collected about you in the last 12 months. If this was you, please respond with XYZ. If this was not you, please contact our privacy hotline immediately at XXX, or the State Attorney General’s office at XXX.”
All requests must be completely free of charge.
Ensure that measures have been taken to encrypt and protect personal information in your company’s possession.
If any part of your business involves collecting the information of minors, you need to obtain their consent to access their personal information.
According to the CCPA, a minor is someone under the age of 16.
- For minors between 13 and 16, you can obtain consent directly from them
- For minors under the age of 13, you must obtain consent from their parent or guardian
Do not discriminate
If a consumer opts out of giving you their personal information, the CCPA prevents you from treating them any differently. This means that you cannot:
- Raise the price of a product/service;
- Alter the quality of a product/service; or
- Deny the product/service altogether
The only exception to this is if you require the consumer’s personal information to maintain the quality of the product/service or to provide the product/service at all.
In conclusion, the CCPA encompasses an extremely broad set of regulations that are still undergoing potential changes. We are awaiting the AG’s final regulations to be submitted, but until then, it is the duty of businesses to make sure they are as compliant as can be with the Act in its current form. The CCPA is in a temporary state of dysfunction right now, but it is a dysfunction that businesses must deal with and adapt to.