Effective January 1, 2020, the most expansive state privacy law in the U.S. will come into effect. The CCPA will have a significant impact on the way businesses operate in California and the U.S. as a whole.
In honor of Hanukkah, this blog will answer eight [not so crazy] questions about the CCPA.
1. What is the CCPA?
The California Consumer Privacy Act of 2018 (“CCPA”) is the first comprehensive data privacy law in the U.S. and will impact not only businesses in California but companies that collect personal information (“PI”) about California residents, regardless of whether the company is in California or not. While you may be thinking that the CCPA doesn’t apply to you or your business, if you have a website and you’re collecting PI, it very well may.
2. Does it apply to my business?
The short answer is, maybe. The CCPA does not cover every business, but the criteria (as of today) are as follows:
A legal entity that: (a) collects consumers’ PI, (b) determines the purposes and means of processing consumers’ PI, (c) conducts business in the state of California, and (d) satisfies one or more enumerated thresholds:
- Earns annual gross revenues above $25,000,000
- Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the PI of 50,000 or more consumers, households, or devices.
- Derives 50 percent or more of its annual revenues from selling consumers’ PI.
The backstory to how this law came about is quite interesting, but as you can tell, it’s written very vaguely, and until firmer definitions are adopted, it’s unclear how far this law’s reach will extend.
3. What Rights Do Consumers Have?
The CCPA enumerates several rights consumers receive. These rights include, but are not limited to:
(i) the right to know what PI is collected about them;
(ii) the right to know whether their PI is sold or disclosed and to whom;
(iii) the right to say no to the sale of PI;
(iv) the right to access their PI; and
(v) the right to equal service and price, even if they exercise their privacy rights. Again, it should be noted that this is a simplified list, and the law provides much more detail.
4. What is PI?
The definition of personal information is: “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The law does not apply to deidentified (anonymized) or aggregated (information about a category of consumers) PI, provided that you have met the requirements for proper deidentification or aggregation of the PI.
This definition is intentionally broad, and besides basic contact information, the law provides a non-exhaustive list of PI including, “biometrics, internet browsing information, products purchased or considered for purchase, geolocation data, academic, and employment information, and inferences drawn to create a profile about the individual to reflect preferences.”
5. Does the CCPA apply even if my business isn’t located in California?
“Doing business” in California does not necessarily mean having a physical presence in California. It can include companies outside of California collecting PI of California residents. So the answer is yes, it could/will apply to qualified businesses outside of California.
As a side note, each U.S. state has a definition of what constitutes “doing business” in that state, and you should check with your accountant or attorney to see if you need to register to do business in a particular state.
6. What happens if I’m in violation?
The two main enforcement mechanisms are outlined below:
Fines: The CCPA allows for fines of up to $2,500 per violation or $7,500 per intentional violation (without a cap) – CCPA provides businesses with a period of 30 days to cure alleged breaches of the law before a fine is issued.
Lawsuits: The CCPA offers a private right of action only to consumers whose PI is subject to unauthorized access and exfiltration, theft, or disclosure as a result of a business’s violation of its duty to implement reasonable security procedures appropriate to the nature of the information.
- It should be noted that this applies only to a subset of PI (e.g., Social Security number, driver’s license number, medical information, and other information subject to California’s breach notification statute), and it does not apply if the PI is redacted or encrypted.
7. What can I do to become compliant?
The first thing to do is to read the CCPA. I can feel your disgust for that response, but it’s true; the first thing you should do is read the CCPA and have a feel for it. Next, you should figure out (a) what data you have, (b) where that data is located, and (c) who has access to it.
A great way to do this is by using a method called “data mapping.” You can make the data map in an Excel spreadsheet or Word document. The data map portrays the lifecycle of data from the moment it comes into your organization until it leaves.
An example would be mapping the lifecycle of data that flows through your website’s intake/order form. Consumer fills out the intake/order form, you get the data to your inbox or CRM platform, and the data is used for X (contacting them, filling an order, etc.). You should know: (a) what data you collect from the form (name, address, email, credit card, SSN?); (b) where the data from the intake form is stored (in the cloud, on your company’s server, a local drive?), and (c) who (employees, contractors, third-party vendors?) has access to it.
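The data map described above can also be kept as structured records rather than a spreadsheet, which makes it easy to answer the three questions (what, where, who) for every flow and to highlight the entries that carry the most exposure under the private right of action discussed in question 6 (breach-statute categories stored without encryption). The following is an added example written for this post, not code from the original author; the `DataFlow` and `Finding` types, the `BREACH_STATUTE_FIELDS` table, the `vendor:` access tag convention and the sample flows are all constructed assumptions for illustration.

```python
"""Hypothetical CCPA data-map helper (added example; not from the original post).

Each record describes one data flow, like the website intake-form example
above: (a) what fields are collected, (b) where they are stored and whether
that store encrypts them at rest, and (c) who has access.  The review then
flags fields in the breach-statute categories the post mentions (SSN,
driver's license number, medical information) that are stored unencrypted,
since the post notes the private right of action does not reach encrypted
or redacted PI.  Field names, categories and sample flows are constructed.
"""
from dataclasses import dataclass, field

# Constructed mapping from field names used in our data map to the
# breach-statute PI categories named in the post.  A real inventory would be
# maintained with counsel/compliance, not hard-coded.
BREACH_STATUTE_FIELDS = {
    "ssn": "Social Security number",
    "drivers_license": "driver's license number",
    "medical_record": "medical information",
}


@dataclass
class DataFlow:
    name: str                # e.g. "website order form"
    fields: list             # (a) what data is collected
    storage: str             # (b) where it is stored
    encrypted_at_rest: bool  # whether that store encrypts the data
    access: list             # (c) who has access; "vendor:" marks third parties


@dataclass
class Finding:
    flow: str
    field_name: str
    category: str
    storage: str
    third_parties: list = field(default_factory=list)


def review_data_map(flows):
    """Return one Finding per breach-statute field stored unencrypted.

    Flows whose storage encrypts data at rest are skipped entirely.  Access
    entries prefixed with 'vendor:' are carried into the finding so the
    reviewer can see which third parties touch the sensitive data.
    """
    findings = []
    for flow in flows:
        if flow.encrypted_at_rest:
            continue
        vendors = [a for a in flow.access if a.startswith("vendor:")]
        for name in flow.fields:
            if name in BREACH_STATUTE_FIELDS:
                findings.append(Finding(flow.name, name,
                                        BREACH_STATUTE_FIELDS[name],
                                        flow.storage, vendors))
    return findings


# Constructed sample data map for a small business.
SAMPLE_FLOWS = [
    DataFlow("website order form", ["name", "email", "address", "ssn"],
             "CRM (cloud)", encrypted_at_rest=False,
             access=["employee:sales", "vendor:crm-provider"]),
    DataFlow("patient intake form", ["name", "medical_record"],
             "company server", encrypted_at_rest=True,
             access=["employee:clinic"]),
    DataFlow("newsletter signup", ["email"],
             "mailing-list service", encrypted_at_rest=False,
             access=["vendor:mailer"]),
]

if __name__ == "__main__":
    for fnd in review_data_map(SAMPLE_FLOWS):
        print(f"{fnd.flow}: {fnd.category} ({fnd.field_name}) stored "
              f"unencrypted in {fnd.storage}; third parties: "
              f"{fnd.third_parties or 'none'}")
```

Run against the sample map, only the order form is reported: it collects an SSN into an unencrypted cloud CRM that a third-party vendor can access, while the encrypted patient intake form and the email-only newsletter list produce no findings. The same records also answer the post's three questions directly, which is the point of keeping the map in a structured form.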
8. Anything Else?
There’s always something else!
- California’s Attorney General, Xavier Becerra, outlined the rules for compliance in October 2019. The AG’s office has until June 1, 2020, to start enforcement.
- Other U.S. state legislatures are putting privacy bills on the floor of their respective houses. Most notably New York, which failed to pass a bill that is arguably more stringent than the CCPA.