California Consumer Privacy Act (CCPA) is top of mind for so many companies small to enterprise. We're still in the early stages of getting ready for CCPA and I was fortunate to be featured on the National Technology Security Coalition (NTSC) blog.
Curious what you should do now to get on your CCPA journey? Check out the original blog post here!
In 2018, the General Data Protection Regulation (GDPR) in Europe became one of cybersecurity’s hottest buzzwords and made top headlines everywhere. If you are ready for a new privacy buzzword in 2019, the California Consumer Privacy Act (CCPA) will be your topic du jour. Passed in June 2018 with an effective date of January 1, 2020, the CCPA is the most comprehensive general data privacy bill of its kind to pass in the United States at a state level. CCPA increases the transparency of the collection and selling of physical and digital data. Under CCPA, California residents will now have more choices and control over what happens to their personal information that companies collect.
While the California State Legislature may amend CCPA prior to its effective date, steps exist that companies should take now to comply and prepare for January 2020. In this article, we’ll lay out the CCPA fundamentals and a 10-step plan companies should follow.
Unlike GDPR, CCPA contains minimum thresholds businesses need to meet for the law to apply. CCPA covers for-profit organizations doing business in California that collect consumers’ personal information and that meet one of the following criteria annually:
1. Exceed $25 million in gross revenue.
2. Buy or receive the personal information of 50,000 or more consumers, devices, or households (such as website traffic).
3. Derive 50% or more of their annual revenue from selling consumers’ personal information.
Companies can be assessed civil penalties of up to $2,500 per violation, or up to $7,500 for intentional violations. An often overlooked section of CCPA is the private right of action for data breaches: statutory damages can be the actual damages or an amount between $100 and $750 per California resident per incident, whichever is greater, in the event of a data breach where the “nonencrypted or nonredacted first name or initial with last name plus other data such as an account number is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the company failing to implement reasonable security measures.”
Coverage and Personal Information
CCPA covers consumers and, as currently written, also includes employees. Like GDPR, CCPA expands the common definition of personal information used in state data breach statutes. CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Examples of personal information (CCPA excludes deidentified or aggregate consumer information) include the following:
- Geolocation data and inferences drawn from it: for example, using someone's precise location data without expressly granted permission, or using an IP address to track users.
- Unique personal identifiers such as cookie numbers or a company devised number.
- Browser or search history.
- Biometric data such as fingerprints or an eye retina scan.
- Professional or employment-related information such as salary, title, or certifications.
- Psychometric data such as information gathered from aptitude or personality tests.
- Audio and visual data such as data from audio or video files.
- IP addresses: If an IP can identify a household, it may be considered personal data.
A few central themes emerge with CCPA including providing notice to customers about data processing, honoring individual rights, and ensuring companies take data protection seriously. Below, we will break out these main focal areas and explain what it means for companies:
- Privacy Notices: Companies will need to update privacy notices to specifically state what data is collected, categorize the data collected, explain the purpose for the data’s use, identify third parties with which that data is shared, and communicate the rights available to an individual.
- Individual Rights: One big difference between GDPR and CCPA is that CCPA gives consumers the specific option to opt out of their data being sold. If a consumer opts out, companies cannot penalize or discriminate against them by charging a higher price or servicing them differently unless a company can prove that the difference in charging a certain price or offering a specific service is reasonably related to the value provided by the data sold. For example, if the service offered to the customer is $10 and the customer opts out of the sale of their data, the company cannot charge $20 unless the customer receives $10 of additional value. This piece of the regulation is one of the areas where privacy professionals and businesses are asking for more clarity from the California Attorney General during their current open comment sessions.
- Consent, Children, and Sale of Data: Companies that collect data and sell it to third parties, and especially those that sell children’s data, will have to make specific changes. If data on children is collected and sold, additional requirements exist. Data collected on children under the age of 13 requires opt-in with parental consent. Data collected on children between 13 and 16 requires opt-in consent from that child. A company must also include a link on the homepage (or another option such as a toll-free phone number) where a user can opt out of the sale of data. Once received, companies must act on the opt-out request within 45 days. Companies will need to create a process for removing that individual, for purposes of data sales, from their databases, spreadsheets, and any associated third parties.
- Security: The CCPA also requires businesses to maintain reasonable security procedures. As noted above in the fines section, civil damages and a private right of action can occur in the event of a data breach if the company is found to have not employed reasonable security measures.
Next Steps for Companies to Comply with CCPA
To get started on your CCPA compliance journey, follow these 10 steps as a guide.
1. Start now to plan a CCPA compliance strategy.
The CCPA will take effect in 11 months. Remember the massive panic in companies scrambling last April and May to get ready for GDPR? Don’t wait until the end of the year, when the busy holiday season means employees are focused on wrapping up year-end activities. Create a plan now that considers company meetings, holidays, and big initiatives.
2. Identify a lead sponsor and cross-functional team.
Complying with CCPA will require input initially and on an ongoing basis with departments such as marketing, product, IT, HR, finance, customer support, security, privacy, and legal.
3. Determine needed resources.
Begin to determine what resources (such as software tools, attorneys, and consultants) will be required to help with compliance.
4. Start the data mapping process.
Understand what data you collect that qualifies as personal information, where it is located (including with any third parties), and for what purpose it is used. Companies that already did a data inventory to comply with GDPR need to ensure those processes reflect their United States processing activities and determine whether any changes are needed. The data mapping exercise is really important, especially to determine whether data collected from children is currently sold. If so, obtaining the appropriate consents will be required and can take time.
5. Understand how to handle individual rights requests.
To effectively honor individual rights requests, businesses will have to know where the data resides and create a strong process to route the request through the various departments involved. Much like incident response plans are tested, individual rights plans will also need to be simulated. Determine what the company will do if a request comes in from someone who is not a California resident. Will the company honor requests only if the individual is a California resident? If so, what will the response to that individual say? Many companies are finding that it will be operationally easier to apply the CCPA as a common denominator and honor all individual requests in compliance with CCPA. If a company created individual rights processes for GDPR, they will need updating to reflect the ability to opt out of the sale of information. It is highly encouraged that companies test these processes just like practicing an incident response plan.
6. Draft privacy notices.
A privacy notice tells the company’s story about what data is collected, how it is used, who it is shared with, and what choices an individual has about their data such as the right to access or delete personal data. An accurate privacy notice can be completed only after performing the data inventory work. Specifically, CCPA requires a privacy notice be provided at or before the point of collection that informs consumers as to:
- “The categories of personal information it has collected about that consumer.”
- “The categories of sources from which the personal information is collected.”
- “The business or commercial purpose for collecting or selling personal information.”
- “The categories of third parties with whom the business shares personal information.”
- “The specific pieces of personal information it has collected about that consumer.”
In the privacy notice, the company needs to list all individual rights available to the consumer and the steps they can take to request these rights. If the company sells data, the company will need to update its website by including a “Do Not Sell” link on the homepage and include in its privacy notice all the methods available to an individual to opt out of the sale of data.
It is important to remember that if a business collects data for one purpose, it is prohibited from using the data in a manner not disclosed by that purpose. Businesses may need to make other disclosures that the privacy and legal teams will need to consider based on the business’s data processing activities.
7. Strengthen security measures.
CCPA requires “reasonable” security measures. Teams need to perform a comprehensive review of their security program and determine what changes are needed appropriate to the type of data collected and stored. Updates could include additional proactive monitoring software, hardware, headcount, encrypting or redacting of data, or even personnel changes.
Security teams will need to understand the full lifecycle of a data record, which may include service providers or third parties such as SaaS tools where data is entered and stored. Performing a thorough privacy and security assessment for each service provider will help mitigate any mishandling of personal data.
Companies also need to review data breach plans to identify necessary changes. It’s critical that companies practice their data breach response plan. A data breach simulation brings together all the key decision makers who would be involved in an actual breach and ensures that the plan works. Pilots practice in flight simulators. Schools and workplaces practice fire drills. Similarly, companies need to practice responding to incidents such as a data breach so that missing components are identified during a scenario when no pressure exists.
8. Review training programs.
Review existing training programs and determine if there are any needed enhancements. As employees often move between roles, it will be imperative to train employees and create an accurate standard operating procedure (updated as the business process changes) for honoring individual rights. This is a great opportunity to extend annual training modules to also include quarterly security and privacy reminders.
9. Create or update privacy programs.
Create or update the company’s privacy program so that data inventories, the privacy notice, and any process changes affecting the ability to honor individual rights always accurately reflect the business’s activities.
10. Prepare for future privacy laws and regulations.
Get ready for the next privacy regulation. Candidates include the State of New York evaluating a law similar to CCPA; a federal privacy law such as the American Data Dissemination Act introduced in January 2019 by Sen. Marco Rubio (R-FL) or the Data Care Act introduced by more than 15 Senators in December 2018; model legislation introduced by Intel in November 2018; and Brazil’s General Personal Data Protection Act (Lei Geral de Proteção de Dados or LGPD) taking effect in August 2020.
As you can see, more privacy regulation is on the way beyond the CCPA. Starting now to understand how you collect, use, and share data, to identify policy gaps, and to create sustainable processes will make compliance less cumbersome and give you an opportunity to build stronger privacy and security programs.
If you have a thought on what you want to hear about privacy, reach out to firstname.lastname@example.org. Jodi Daniels is Founder of Red Clover Advisors, a data privacy consultancy that assists companies with GDPR compliance, operationalizing privacy, digital governance and online data strategy. www.redcloveradvisors.com or Jodi@redcloveradvisors.com