2018 was the year of data breaches. Companies such as Facebook, Google, Uber, and Marriott were all splashed across front pages and in every major news cycle due to unethical data practices or unauthorized access by third parties. These breaches have caused not only individuals but also governments to take notice and create buzz around how exactly companies use consumer data and what rights are afforded to them and that’s why compliance CCPA compliance came into existence.
California’s new data privacy law, which will take effect January 1, 2020, along with Vermont’s data broker laws which became effective May 22, 2018, is just the beginning of the privacy wave sweeping the U.S. In a nutshell, the California Consumer Privacy Act (CCPA) will entitle people to know the types of personal information that businesses collect about them, and give them the right to disallow the sale of their personal data to other parties.
Although the effective date for the CCPA seems far away, it’s imperative for companies to start preparing now to avoid headaches and costly fines.
Here’s the deal:
The CCPA was developed based on the GDPR. As stated in AB-375, voters in 1972 amended the California Constitution to include privacy as an inalienable right. The CCPA expands this to include digital data, stating, “Fundamental to this right of privacy is the ability of individuals to control the use, including the sale of their personal information.”
The policy itself cites previous attempts to safeguard the privacy of California citizens.
But here’s the kicker: Nothing like the CCPA compliance has been attempted before.
A QUICK OVERVIEW OF WHO THE CCPA AFFECTS:
Quick definitions before we dive in:
Like any law that’s passed, CCPA has specific definitions that are important to know so you can fully understand the reaches of the law.
Businesses are defined as those that collect information on Californians and meet 1 or more of the following:
- Generate $25M+ in gross annual revenue
- Handles data of 50K+ people or devices
- 50%+ of revenue comes from selling personal information
- Any organization that controls or is controlled by a business and share common branding with the business, such as a company or subsidiary
Personal information is defined as:
- Information that identifies, relates to, describes, is capable of being associated with…a consumer or household.
- Narrows the definition of publicly available information to exclude information “that is used for a purpose that is not compatible with the purpose for which the data is
maintained and made available in government records for which it is publicly maintained.
- Organizations in breach can be fined up to $2,500 per violation for negligent violations and up to $7,500 per violation for intentional violations
- California citizens have the right to private action lawsuits against companies due to data breaches with a $100-$750 fine per violation and larger fines if damages can be proven
- The six month grace period does not apply for data breaches, charges can be brought on January 1st, 2020
THE POLICY INCLUDES THE FOLLOWING FOR CALIFORNIA RESIDENTS:
RIGHT TO OPT OUT
- Consumers have the right to opt-out of their information being sold. Businesses MUST provide a “clear and conspicuous” “Do Not Sell My Personal Information” link on their homepage, which would link to an internet web page where consumers can opt out of the sale of their information. Businesses must NOT require a consumer to create an
account in order to do this.
- Businesses are prohibited from selling the personal information of consumers’ ages 13–16 unless they opt-in. For consumers under the age of 13, consent from a parent or legal guardian is required.
RIGHT TO DELETE
Consumers have a right to deletion; however, there are some important exceptions.
Businesses do not have to comply with a request if there is a need to maintain the data in order to:
- Complete a transaction between the consumer and the organization
- Maintain adequate cyber security or to prosecute attackers
- Repair errors for service functionality
- Exercise free speech
- Ensure the success of public or peer-reviewed scientific, historical, or statistical research in the public interest
- Comply with a legal obligation
- Use the data for internal purposes that align with the context of the data provided.
RIGHT TO EQUAL SERVICE
If a business discriminates against consumers for exercising their rights from the CCPA, they will be in violation of the act. The CCPA compliance defines service discrimination as the following:
- Denial of goods or services
- Charge different prices or rates for goods or services
- Provide different levels of service quality to a consumer if they act on their CCPA rights
- Financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature
RIGHT TO KNOW
- What personal information is being collected about them and request a copy of that information
- How/where it was sourced
- How the data is used
- If there is a disclosure or sale of their personal information
- What other parties have access to the information
WHY SHOULD THIS MATTER TO YOU?
Alastair Mactaggart, a chief proponent of the CCPA states: While this law just covers California currently, large companies will soon have to offer similar rights to Americans.
Below are the critical reasons your company should address compliance for the CCPA and prepare for future regulations.
1. PRIVACY POLICIES & NOTIFICATION
The CCPA will require companies to include the following in their privacy notices:
- What categories of personal information are being collected and the purpose of use
- Explicitly show the categories of personal information collected, shared, or sold
- Make clear that consumers have the right to opt-out of the sale of their information
- Include all privacy rights that California consumers may now exercise
2. BUSINESS PROCESSES & DATA MANAGEMENT
Companies will have to know what personal information they are storing on Californians’, every place it lives in their systems, and if that information abides with their current retention policies.
3: CONSUMER REQUESTS
Companies need to implement protocols to handle all consumer requests regarding their personal data. Consumers have the right to request a detailed record of data that a business holds on them as well as information about what is being done with their data in terms of both business use and third-party sharing. This record must cover the previous 12 months from receipt of the request and consumers must receive their request from the business within 45 days of placing it.
To ensure that you cover all your bases, let’s review some of the steps to do this.
- Establish and maintain a records system to monitor all data flows in your organization. Personal data will need to have a primary source that the rest of the organization will use to fulfill CCPA requirements.
- Establish a request process such as a dedicated web page for requests, a dial-in number, fax number, or an application.
- Establish protocols to authenticate requests to verify that it is coming from the actual person.
- Employees need to be trained to carry out the requests correctly.
- Synchronize the CCPA database with other data sets to ensure that consumer records are up-to-date.
4. SECURITY PRACTICES
Companies need to go beyond the bare minimum requirements when protecting data breaches from external criminals and internal sources. Consider your vulnerabilities and work to mitigate the risk of an attack.
5. THIRD-PARTY AGREEMENTS
The CCPA will disrupt your current data supply chain in some way and you should be prepared. Companies that use third-party data processors need to ensure they are meeting CCPA compliance. Third-parties may not always be located in the state of California or even in the United States, so it is important to make clear what is at stake for non-compliance and ensure the they do not hinder your ability to meet compliance with the CCPA.
Ensure your third-party vendors do the following:
- Have a data inventory database to better manage and process requests
- Provide documentation of processing and a record of request fulfillment
- Synchronized data mapping standards between you and all your vendors to better manage data
- Ensure there is a distinction between the transfer of data for processing and the transfer of data for a sale
WHAT COMES NEXT
With the California Attorney Generals Office holding public hearings to get input on the CCPA compliance it’s safe to say that this is an evolving bill that will continue to grow and change over the next 12 months. Auritas can help your company not only become compliant with CCPA and GDPR, but also stay up-to-date with important changes to both of these laws that may impact your business.
For more information, please contact one of our CCPA & GDPR experts at CCPA@auritas.com.
Interested in more? Click here to view our CCPA webinar