On Jan. 1, the California Consumer Privacy Act, or CCPA, amends the California Civil Code and introduces provisions similar to the European General Data Protection Regulation, or GDPR, putting consumers in control of their personal data and placing obligations on companies to protect personal information. The law applies to companies that interact with California consumers. And even companies to which it doesn’t apply might want to keep an eye out, as other states are looking to follow suit.
As defined by the act, personal information encompasses any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Defining the consumer. “Consumers” are defined in the CCPA as individuals, resident in California for more than a temporary or transitory purpose, and anyone domiciled in California who is outside the state for a temporary or transitory purpose.
The act does not specifically apply in an employment context, but the definition of “consumer” is a broad one. And while an amendment, AB 25, excludes personal information collected from job applicants, employees, owners, directors, officers, medical staff and contractors of a business in relation to their role within the business, that exemption will only apply until Jan. 1, 2021, and does not apply to the CCPA’s notice and data breach liability provisions.
Their rights. Under the CCPA, consumers have the right:
- To access data by making a written request (up to twice per year) to understand what data (and categories of data) is held about them and what is done with their data, including how it is shared with third parties. Such requests must be responded to within 45 days — the period can be extended once under limited circumstances. Information must be provided to consumers in a portable format.
- To have their data erased subject to exceptions, such as data security and compliance with a legal obligation. An employer is not, however, required to comply with the request to delete data when it is necessary for the employer to maintain the personal information in certain situations.
- To opt out of the sale of consumer data by the business to third parties.
The Business Effect
What companies are affected and what are their obligations?
Affected businesses. The CCPA applies to any commercial business that does business in California, which either:
- Has annual revenue over $25 million;
- Holds personal data of over 50,000 people, households or devices; or
- Generates at least half its annual revenue through the sale of personal data.
Companies don’t have to be based in California or have a physical presence there to be subject to the law; they don’t even have to be based in the United States, provided they conduct business in California.
Inform. Affected businesses must inform a consumer at or before the point of collection about the categories of information to be collected and what the information will be used for. Notably, AB25 does not exempt businesses from notifying job applicants, employees, business owners, directors, officers, medical staff or contractors about the collection of personal information.
‘Do not sell.’ Businesses will have to include a “do not sell my personal information” option on websites (or through other media); and are precluded from offering a lower level of service to consumers who object to the sale of their data. However, a business can incentivize consumers to allow the sale of their data by offering enhanced products or services, subject to restrictions.
Repercussions. Companies that fail to comply with the CCPA are subject to a fine of up to $7,500 per violation. Furthermore, the act requires organizations to protect the data they have been entrusted with. The CCPA penalizes a company when a consumer’s “nonencrypted or nonredacted personal information … is subject to an unauthorized access and exfiltration, theft or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices.”
Although the CCPA itself does not define what security procedures and practices are “reasonable,” there is existing guidance from the state of California as well as other sources. In 2016, the California Office of the Attorney General published a Data Breach Report [1] in which 20 CIS Controls [2] are identified as the “minimum level of information security that all organizations that collect or maintain personal information should meet.” The report further indicated that “failure to implement all the controls that apply to an organization’s environment constitutes a lack of reasonable security.”
Preparing for Jan. 1, 2020
Following are steps companies should be taking ahead of the Jan. 1 effective date:
- Seek legal advice on whether your business is covered and review your data processing.
- Prepare or revise privacy notices to be given to consumers, as well as job applicants, employees, owners and contractors, when data is collected.
- If your company sells data to third parties, make sure an opt-out is put on your website or in social media channels where data may be collected. Also, map data flows to ensure you can comply with any “do-not-sell” requests and make good any incentives provided to those consumers who accept data sharing.
- Draft policies, template forms and procedures for facilitating and handling data access requests.
- Ensure your security measures are reasonable and comply with CIS controls [2] or standards such as ISO/IEC 27001 [3].
- Ensure that that you have clear procedures in place to proactively and swiftly manage data security breaches, minimizing the potential for damage to your reputation while complying with breach reporting requirements. Stress-test those procedures to make sure they work as they should under pressure.
- Provide security training to employees, contractors and any vendors with access to your systems.
- Introduce monitoring and auditing of your network usage and operations and the processes adopted to comply with the CCPA.
More states to follow? Businesses not affected by the legislation in California may not be in the clear.
Over the course of the past year, Washington, Illinois, Texas, New Mexico and Mississippi all proposed legislation to expand privacy laws in line with the CCPA. Although none survived the legislative process, many more states have introduced bills that are based on or bear a similarity to the CCPA. The fact that some of these bills have little or no prospect of success does not necessarily mean this is the end for privacy legislation in those states.
For further information on state laws on privacy, CWS Council [4] and SIA corporate members [5] can refer to SIA’s Global Overview of Developments in Data Privacy: 2019 Update [6].