What Is the CCPA?
In 2018, the California State Legislature passed the California Consumer Privacy Act (CCPA). The act specifies that consumers have a right to know what information is collected about them and a right to forbid the sharing of personal information. Furthermore, it outlines the consequences companies will face for failing to adequately value consumer privacy. Compliance is required by January 1, 2020. Although the CCPA legally affects California companies (and those that interact with California customers), companies based in other states would be wise to review the CCPA requirements as well.
CCPA Legal Requirements
Consumers have the right to know what information is being collected about them. This grants consumers the right to submit a request for details regarding what personal information is collected. Furthermore, companies are obligated to answer such requests. Good documentation and clear communication internally will assist with such requests. If a request is answered in the negative by an uninformed individual, the company may be liable in the future. For example, a consumer asks if emails are stored and an employee, who does not understand the data collection process, answers no. If the real answer is yes, and the customer confirms this through other sources, a company will likely face legal action.
Customers have the right to know if personal information is sold or disclosed and to whom. This requirement covers quite a few scenarios. First, if the information is sold, companies must reveal what information category is sold and the name of the third party to which it is sold. Second, if companies do not sell information, but rather disclose it, they must explain why the information is disclosed. For example, are addresses disclosed for financial transactions to occur? Third, if no information is disclosed or sold, companies must still send the requester a response detailing that fact.
Consumers have the right to opt-out, meaning they can stop a company from selling their information. A consumer can use this right at any time. Additionally, if a company is going to sell consumer information, they need to alert consumers and clearly offer the opt-out option. The opt-out option requires that departments coordinate efficiently. A company that receives a request to opt-out cannot legally sell information after the date the request is received. However, if the department receiving the request does not immediately notify the department that manages data sales, the information may accidentally be illegally sold.
A consumer who opts out or requests information shall not be penalized by changes in either price or services provided. This requirement is pretty self-explanatory; however, for the sake of clarity, the CCPA outlines four different prohibited responses to an opt-out request:
- denying goods or services to the consumer;
- charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties
- providing a different level or quality of goods or services to the consumer
- suggesting that the consumer will receive a different price/rate for goods or services or a different level/quality of goods or services
As noted above, consumers have the “right to know,” and companies are required to clearly disclose information collection activities. CCPA guidelines stipulate that companies must implement at least two methods for consumers to submit information requests and provide a toll-free number. If a consumer requests information, a company is obligated to respond within 45 days and to deliver the information free of charge. If a business uses a website, it must update its privacy policies on the website. Such policies should cover the consumer’s rights, a list of what information is collected, and what information, if any, is sold. A business is only required to supply information once a year in response to a consumer’s request.
Companies must actively enable consumers to request information or opt-out. CCPA guidelines require that a “Do Not Sell My Personal Information” link be clearly visible on a company’s website. Companies cannot require consumers to create an account if they want to opt-out. In addition to informing customers of their rights, companies should make their customer service representatives aware of all consumer rights. If a consumer requests to opt-out, a company must wait 12 months before re-contacting the customer to ask if he/she would like to reconsider.
In September 2018, California amended CCPA guidelines regarding the “right to erasure.” The amendment stipulates that companies must provide a method for requesting deletion that is “reasonably accessible to consumers.” Under the CCPA, companies are obligated to delete customer data upon request. The amendment simply calls more attention to the deletion clause, a clause that was previously required only within the privacy policies and not as a separate section. However, the “right to erasure” does not apply under several circumstances. These include:
- Data necessary to complete a transaction related to goods or services
- Data required to maintain a company-consumer relationship
- Data used in contracts
- If data is required for security purposes (e.g., detect a security incident, inhibit fraudulent activity)
- Public interest research (e.g., statistics)
- Internal use of data necessary for fulfilling consumer expectations
- Legal obligations
- Free speech clause (i.e., exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.)
Who Must Comply?
Any business that collects personal information on California residents (and then sells or discloses that information to another party) falls within the purview of the CCPA. According to the CCPA documents, a “business” refers to a sole-proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, that does business in the State of California. Compliance extends to companies based outside of California but that still do business with California residents. Additionally, if a California resident is traveling outside the state, the law still applies to companies collecting information in California.
The CCPA does not affect federal regulations already in place that involve collecting personal information — such as the following:
- Health Insurance Portability and Accountability Act (HIPAA)
- Gramm-Leach-Bliley Act (GLBA) – partial exemption
- Fair Credit Reporting Act (FCRA)
- Drivers’ Privacy Protection Act (DPPA)
Businesses only fall under CCPA guidelines if they:
- Have annual gross revenues in excess of USD 25 million
- Sell, disclose, collect, or share the personal information of 50,000 or more consumers, households, or devices
- Earn 50 percent of revenue from selling the personal information of customers
The business exemptions assist smaller entities that, due to limited resources, would likely find it difficult and expensive to conduct CCPA audits and comply with the guidelines.
What Does Personal Information Mean?
Since the whole concept of the CCPA involves protecting personal data and one’s right to privacy, it’s worth understanding the definition. CCPA defines “personal information” as information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device. A few examples include names, addresses, property records, products obtained, geolocation data, and sensory data. If the information is publicly available, it does not fall under the CCPA protection. Unfortunately, this definition is on the vague side. What if a person publicly posts information on Facebook? Does it then fall under the “publicly available” category?
The best option for businesses is to err on the side of caution. If there are any doubts about the status of information, contact a CCPA expert or check out the legislation’s website.
The Attorney General, in most cases, will penalize non-compliant businesses. The Attorney General deals with statutory violations, with a penalty of up to USD 7,500 per violation. If a company fails to utilize proper security measures, resulting in the disclosure of consumer information, consumers may sue for USD 100 – USD 750 per violation (or actual damages if greater).
If your company deals with California residents but hasn’t considered how to begin CCPA compliance, check out the beginner’s guide below.
Step 1: Designate a CCPA Lead
Like almost all compliance policies, whether privacy or security related, the first step is to have a knowledgeable person at the helm to create a compliance strategy. Even better, assemble a small team tasked with preparing for the 2020 CCPA compliance deadline. A well-rounded team, including both legal and operations experts, will help expedite the compliance process and reduce the likelihood of strategy gaps.
Step 2: Take Stock and Catalog
Step 3: Distribution
Step 4: Categorization
Helen Streck, CEO of Kaizen Infosource, aptly noted: “If you don’t classify (this) data, deleting it upon request is almost impossible, as is complying with other regulatory obligations for recordkeeping.” Companies can use the same style of spreadsheet (or similar organization software) as for cataloging (step 2), but must link each record to a person rather than to broad categories of information. For each piece of information collected for an account, companies must record:
- When it was collected/acquired
- If it was sold
- If it was transferred to a third party
- Whether the data falls under federal purview (e.g., HIPAA)
- If the data was purchased
Step 5: Record External Interactions
Since consumers have the right to know how their information is used, companies must meticulously record external relationships that involve consumer data. For example, keep track of what data is sold to whom, and consider creating a map linking third parties to the type of personal information they receive. Even if the information isn’t sold, but is disclosed, companies should still note those relationships.
Step 6: Establish Easy Deletion and Modification Procedures
Since the CCPA only allows 45 days for companies to respond to a consumer request, having a well-organized, intuitive modification system is crucial. Any such system should accomplish the following procedures:
- Process consumer requests
- Verify a request is from a customer whose information is collected
- Determine where that data is stored (as it may be stored/used in different capacities)
Lastly, make sure to train employees on how to use any such system.
California’s law, although passed by only one state, impacts business across the country. Additionally, many of the CCPA guidelines mirror those of the EU’s GDPR guidelines. Taking the time to understand the new privacy landscape will ensure compliance and attract greater customer loyalty. To receive help with your CCPA action plan or to learn more about the CCPA policy requirements in general, contact RSI Security today.