Based on personal observation and press reports, it is clear that only a small percentage of businesses that collect or use personal information of California residents have taken meaningful steps to implement the California Consumer Privacy Act (CCPA) even though the statute enters into effect in less than a week. For the procrastinators who have been postponing their entry into the CCPA challenge, here are "10 Things You Should Know about CCPA".
The CCPA regulates the practices of certain categories of businesses that collect, use, and disclose personal information that can be related to an individual. It enters into effect as of January 1, 2020.
CCPA applies to a business that meets one or more of the following:
Entities that are "affiliates" are considered part of the same "business" if they are direct parents or subsidiaries that share common branding.
"Personal information" includes "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household." CCPA applies to personal information about actual consumers, and as a result covers personal information of a business's California employees (with exceptions).
"Consumer" is defined as a natural person who is a California resident. A "California resident" is any individual who is (a) in the state of California for other than a temporary or transitory purpose, or (b) domiciled in the state of California and "outside of the state for a temporary or transitory purpose."
CCPA requires that a business publish a clear and understandable Privacy Notice that provides a list of the categories of Personal Information that the business has collected about consumers, sold about consumers, and/or disclosed about consumers for a business purpose in the preceding 12 months, together with information about a consumer's rights, as detailed below. The CCPA also requires that the notice be available before or at the time of collection.
The Notice must
If the types of personal information, the purpose of their use, etc. change, the notice must be updated to disclose the collection of any additional categories of information, or additional use of collected information for any additional purposes taking place after initial disclosures have been made.
The Privacy Notice must be updated not less than every 12 months.
CCPA grants California consumers specific rights regarding their personal information. A business must respond to any request to exercise those rights within 45 days of receipt. It must verify the identity of the requestor and adopt a process to ensure the reliability of that authentication. A request for deletion must be passed on to the business's service providers.
The consumers' rights include:
Entities that are "affiliates" of a business are considered part of the same "business" if they are direct parents or subsidiaries that share common branding. As a result, transfers of personal information within a corporate family may constitute "sales" of personal information that are subject to consent/opt-out rights, if the transfer is conducted for "valuable consideration."
The CCPA creates new and significant potential financial liability. The California Attorney General has enforcement authority and may assess civil fines, with a maximum of $2,500 per "violation" and $7,500 for each "intentional" violation.
In addition, CCPA provides for a limited private right of action in the event of a data breach, with minimum statutory damages ($100-$750 per affected California resident) for failure to maintain "reasonable" security standards. The data breach is defined under the California Data Breach Disclosure law, Cal. Civ. Code §1798.82; thus the private right of action applies only if the breach affects the data covered under that law.
This private right of action presents a significant change in risk profile. The exercise of a private right of action is likely to turn into class action litigation and is likely to be more costly in the aggregate than enforcement by a government authority. In this respect, it should be remembered that the California Attorney General, in its 2016 Data Breach Report, has identified what constitutes "reasonable security". Businesses subject to CCPA should take the time to review and update their information security and response policies and practices to address the new environment and ensure that their policies and processes meet the requirements outlined in the California Attorney General's 2016 Data Breach Report.
Businesses that have already implemented a program to address the requirements of the EU General Data Protection Regulation (GDPR) should be aware of the differences between CCPA and GDPR. While CCPA borrows numerous concepts and definitions from GDPR, a program intended to meet the CCPA requirements should take into account that CCPA does require some additional steps. For example:
It is likely that CCPA applies to your business. This paper is intended to provide a glimpse at your business's current obligations under CCPA. But it is only the "trailer" of the CCPA show. CCPA is much more complex. Compliance is likely to require profound changes to your business's structure and development plan, and to require modifications to its technical infrastructure and information systems. Those take time. If you have not yet started paying attention to your obligations, stop procrastinating. Take the plunge.
Be aware that there is more to come; several sequels are already in the works. CCPA Regulations are being finalized and will be published shortly. They are adding flesh, and more nuances and requirements. There is also a CCPA v 2.0. It is a proposal for a California Consumer Privacy Rights and Enforcement Act (CPREA) written and promoted by the original author of CCPA; a draft has already been circulated and published for comments.
Françoise Gilbert has extensive, in-depth experience with data privacy and security issues, Internet, eBusiness, and information technology law. Her clients include numerous Fortune 500 and other global corporations, as well as selected emerging technology start-ups. She advises companies on how to strategically manage their privacy, security, electronic workplace, and e-business risks; develop and implement information privacy and security strategies and compliance programs; and integrate privacy and security in mergers & acquisitions, outsourcing, cloud computing, marketing, and other relations.
Françoise regularly addresses a wide range of privacy and security issues, such as those faced by regulated entities, Internet businesses, and mobile applications, or those related to cross-border personal data transfers, security breach disclosure laws, implementation of GLBA or HIPAA Security Safeguards, foreign data protection laws (Western Europe, North America, or Asia Pacific), and cross-border data flow issues. You can follow her blog here or learn more on her website https://www.dataminding.com/.