The California Consumer Privacy Act (CCPA) is a new privacy law on the horizon that organizations must understand and, if it applies to them, take action to comply with. CCPA becomes effective January 1, 2020, and time is running out. The intent of this post is to provide insight into what CCPA is, how it applies, and key considerations for compliance.
Some have compared CCPA to General Data Protection Regulation (GDPR) and, in reality, there is some overlap but there are also several differences. Similar to GDPR, CCPA reinforces a key principle: privacy is a fundamental right and individuals must be able to control the collection and use of their personal data.
CCPA is focused on giving the consumer the right to know what personal information is collected and to whom it is sold or disclosed, and the ability to exercise those rights without fearing discrimination. The law also imposes responsibility on organizations to process consumer requests, manage risk to consumer personal information, and respond to breaches in a timely manner. The CCPA holds organizations accountable through fines for violations and statutory damages when they have not taken reasonable steps to protect consumers' personal information.
The core consumer rights granted by CCPA are described below. As with any regulation, caveats are in place to promote fairness to both the consumer and the organizations collecting and processing their personal information. For example, the right to deletion is granted, but nine exceptions enable organizations to retain a consumer's personal information (Civil Code section 1798.105(d)), such as completing a transaction the consumer requested or complying with a legal obligation.
- Right To Disclosure – Consumers have a right to know what personal information is collected, whether it is sold or disclosed, and to whom. The right to disclosure also enables the consumer to receive a copy of their personal information in a portable and readily usable format.
- Right To Deletion – Consumers may present a request to delete their personal information retained by the organization.
- Right To Opt-out – Consumers may exercise the right to say no to the sale of their personal information.
- Right To Nondiscrimination – When consumers exercise rights enabled by the CCPA, organizations must not apply financial penalties, deny goods and services, or provide an unequal service as a result of their requests.
CCPA applies to for-profit organizations that do business in California, collect personal information from California residents, and determine the purposes and means of processing that data. Additionally, at least one of the following thresholds must be met for an organization to be subject to CCPA:
- Annual gross revenue greater than $25 million
- Annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices
- Derives 50% or more of its annual revenue from the sale of consumers' personal information
As with any regulation, the definition of personal information determines how much of the organization is in scope for compliance. CCPA defines personal information as information that identifies, relates to, describes, or is reasonably capable of being associated with or linked to a particular consumer or household (Civil Code section 1798.140(o)). Personal information includes the categories listed below. The list is illustrative rather than exhaustive, and the categories may be amended over time.
- Identifiers: real name, social security number, driver’s license number, email address, postal address, IP address, account ID or online identifier.
- Commercial Information: personal property records, purchase history and patterns
- Biometric Information: DNA, fingerprint data, and iris scan data
- Electronic Activity: search history, browsing history, and cookie data
- Geolocation: GPS data
- Inferences/Profiling: behavior, personal preferences, psychological state
Now that we have established what CCPA is and how it applies, the question becomes what you have to do to prepare for compliance. Organizations familiar with GDPR will recognize these steps.
Key Considerations For CCPA Compliance
- Assess Applicability – Identify the California residents, devices, and households targeted by the organization. Determine whether the organization must comply with the CCPA.
- Perform Data and Processing Inventory – Understand what personal information is collected and how it is processed. Additionally, identify the third parties the data is sold to or shared with. This critical step will require significant effort if a data inventory and data flow diagrams do not already exist. The effort is worth it because the output can be reused for other privacy initiatives and improves the organization's ability to protect the data.
- Update Website – The CCPA requires organizations that sell personal information to provide a clear and conspicuous link titled "Do Not Sell My Personal Information" on their website home page (Civil Code section 1798.135). The link must enable the consumer to opt out of the sale of their personal information without requiring them to create an account.
- Support Consumer Rights – Make available at least two methods for consumers to submit requests; a toll-free number and a form on the website is an acceptable combination. Additionally, implement processes to intake and satisfy requests within 45 days of receipt of a verifiable consumer request. The process must include a preliminary step to verify the identity of the requester before any data is disclosed or deleted, since fulfilling an unverified request is itself a data leak.
- Apply Technical Measures and Controls – Organizations must implement practices to understand the privacy impact as new software is introduced, the scope of data collected changes, or the processing of personal information changes. Furthermore, leading practices must be established to protect personal information in the organization's possession. Data Protection Impact Assessments (DPIAs), a practice borrowed from GDPR, are used to assess privacy implications and establish appropriate security controls to manage risk. This is followed up with leading practices such as encryption and redaction to protect the personal information of California consumers, which limits the exposure of both the organization and the consumer in the event of a breach or data leakage. This matters because the CCPA grants consumers a private right of action, with statutory damages per consumer per incident, when nonencrypted or nonredacted personal information is breached as a result of the organization's failure to maintain reasonable security procedures (Civil Code section 1798.150); the California Attorney General can separately impose civil penalties for violations of the law. There are many additional considerations for data protection, but we will stop here for now.
The CCPA is primarily focused on privacy but the impact is felt throughout many departments in the organization. Understanding what personal information you have, how it’s processed (including the sale of the data), and how it’s protected is on the critical path to establishing CCPA compliance. The first two items are needed to establish the right processes to support consumer rights. The latter item is needed to ensure personal data is handled responsibly – reasonable measures.
This post provides a basic understanding of the CCPA and what organizations must do to prepare for compliance. The regulation is comprehensive and requires a deeper dive to understand how it applies to your organization and the specific next steps needed to achieve compliance.
Before the draft of this post was completed, the state of Nevada passed its own privacy law advancing the privacy rights of consumers. That law is narrower than CCPA but becomes effective on October 1, 2019. The message here is that privacy laws will continue to be passed and organizations will be pressed to comply. Get ahead of the wave: develop a strong privacy framework that enables reasonable consumer/data subject/individual rights based on your business model, and enforce it by adopting privacy-by-design methods and an effective security program to protect the organization's data and technology assets.