With the gestation period of a sperm whale almost behind it, yet strangely enough, still slightly undercooked, the California Consumer Privacy Act of 2018 (CCPA) is due to become operative on New Year’s Day, January 1, 2020.
Almost like a New Year’s resolution. Without the hangover.
Unlike the typical 80% failure rate by February for New Year’s resolutions, this one is going to last.
Teething problems? More than likely.
Unexpected consequences? Expect some.
Deer in the headlights / stunned mullet syndrome for some? Wouldn’t be surprised.
So, what’s the CCPA all about?
CCPA is intended to provide protection for the personal information of Californian consumers that certain businesses obtain by any means, directly or indirectly, online or offline, then process and share and/or sell to other third parties.
The intent is to increase Californians’ right to privacy by giving them an effective way to control their personal information, by way of rights to:
- Know what personal information is being collected about them
- Know if their personal information is sold or disclosed, and to whom
- Say no to the sale of their personal information
- Access their personal information
- Exercise these rights without fear of discrimination in the form of unjust, unreasonable, coercive or usurious pricing or quality.
Some definitions
A consumer is a natural person who resides permanently in California but may at any time be located temporarily outside the state.
A business is an organisation that is for-profit, collects or uses consumers’ personal information, decides on why and how that information will be processed by a service provider, does business in California, and has at least one of the following:
- Annual gross revenue of at least USD25m
- The personal information of at least 50,000 consumers
- At least 50% of annual gross revenue derived from selling consumers’ personal information.
A service provider is a for-profit entity that processes a consumer’s personal information on behalf of a business.
Personal information refers to data that directly or indirectly relates to or could reasonably be linked to a specific consumer, household or device. Excluding publicly available information, anonymised (or pseudonymised) and aggregated data as well as data specifically covered by other legislation (such as protected health information, medical information, and personal information used in clinical trials or processed by credit reporting agencies), it includes the following information categories:
- identifiers such as a real name, alias, postal address, unique personal identifier, online identifier IP address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
- commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- biometric information, including physiological, biological or behavioural characteristics, including DNA.
- internet or other electronic network activity information, that includes browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
- geolocation data.
- audio, electronic, visual, thermal, olfactory, or similar information (these terms are not defined in the legislation but presumably relate to the output of various devices used to scan and record physical aspects of a consumer). professional or employment related information.
- education information, provided that it is not publicly available.
- inferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behaviour, attitudes, intelligence, abilities, and aptitudes.
Collect means buy, rent, gather, obtain, receive or access, by any means, any personal information pertaining to a consumer.
Sell means rent, disclose, release, disseminate, make available, transfer or otherwise communicate personal information for monetary or other valuable consideration.
Key elements of the CCPA
A thorough reading of the legislation is required to become familiar enough with it to ensure sufficient steps are taken to be compliant with it. Guidance from lawyers should be sought.
For the purposes of this article, the key intentions of the legislation are to:
- Require a business that collects a consumer’s personal information to inform consumers before or at the point of collection as to the categories of personal information to be collected and the purposes for which those categories of personal information will be used, by way of an online or offline privacy policy that gets updated at least once every 12 months
- Prohibit a business from collecting additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice
- Prohibit a business from deeming an online consumer’s hovering over, muting, pausing or closing a given piece of content as permission for the business to sell the consumer’s personal information
- Grant the consumer the right to request that a business that collects or sells the consumer’s personal information or discloses it for a business purpose, disclose the categories of personal information that it collects, the categories of sources from which the personal information is collected, and the categories and identities of third parties to which the information was sold or disclosed
- Require a business to implement methods to ensure requests for information are made by the consumer who owns the requested information, when technically feasible
- Require a business to make disclosures about the personal information collected and the purposes for which it is used, when verifiably requested by the consumer owning that information, but no more than twice in a 12-month period
- Require a business to deliver by mail, or electronically in a readily useable format that allows the consumer to transmit the information to another entity without hindrance, the information requested by the consumer, covering the 12-month period (which at its earliest begins on 1 January 2019) preceding receipt of the request, within 45 days of receiving the request from the consumer, and at no cost to the consumer other than when a fee is permissible
- Grant the business the right to once only extend by an additional 45-90 days the time period allowed to provide the required information, provided the consumer is notified of the extension within the initial 45-day request handling period
- Grant a consumer the right to request deletion of their personal information
- Grant the business the right to refuse to process consumer requests for deletion of their personal information if that information is required for business purposes as described in the legislation such as legal obligations, research purposes, and dealing with security incidents
- Require the business to delete the personal information of a consumer from its records, and direct any service providers to delete the consumer’s personal information from their records, when verifiably requested by the consumer owning that information
- Grant the business the right to consider consumer requests as unfounded or excessive, particularly due to their repetitive character, and either charge such consumers a reasonable fee to take the requested action, or refuse to service the request and notify consumers accordingly
- Require the business to inform the consumer, without delay and at the latest within the time period permitted for response to a consumer request, of the reasons for not taking action on a consumer request
- Require the business to make available to consumers two or more designated methods for submitting requests for information access or deletion, including, at a minimum, a toll-free telephone number, and if the business maintains an Internet Web site, a Web site address
- Require the business to provide a clear and conspicuous link titled ‘Do Not Sell My Personal Information’ on its Web site homepage if it maintains an Internet Web site
- Grant the consumer a right to opt out of the sale of personal information by a business and any third parties who have received that personal information from the business
- Prohibit the business from selling the personal information of consumers who have exercised their opt-out right, for a period of 12 months from the opt-out date
- Prohibit any third party that received any consumers’ personal information from selling that information unless the applicable consumers are explicitly advised, given the opportunity to opt-out of such sale, and have elected to allow the sale
- Prohibit the business from discriminating against consumers who exercise their opt-out right
- Grant the business the right to request authorisation to sell their personal information from consumers who opted-out more than 12 months ago
- Grant the business the right to offer financial incentives to consumers for collection of their personal information
- Require a business to provide consumers with notice of the terms of the financial incentives program, and before entering them into the program, obtain their prior opt-in consent that is revocable at any time
- Prohibit a business from selling the personal information of a consumer under 16 years of age, unless such a consumer, or their parent or legal guardian when the consumer is under 13 years of age, affirmatively authorises such sale via an opt-in action
- Require a business to engage with service providers for the purposes of processing consumers’ personal information by means of a contract that prohibits the service provider from retaining, using, and disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract
- Require a business to train certain employees regarding consumer’s rights under the CCPA
- Grant the consumer a right to seek damages for privacy violations in the event of unauthorised access and exfiltration, theft or disclosure of their unencrypted or non-redacted personal information as a result of the business’s violation of its duty to implement and maintain reasonable security procedures and practices appropriate to the nature of that information, subject to the business’s inability to cure and prevent further occurrences of the violation within 30 days of receiving notice of the violation.
Some issues with the CCPA
In our opening statement we opined that the CCPA is undercooked. Despite amendments made to it since June 2018, it still contains uncertainties and omissions.
While some examples follow, a thorough review by your lawyers is required to reveal the complete scope of the issues, their potential for causing you problems immediately or down the track, and approaches for dealing with that potential.
With luck, these issues will be resolved fairly quickly.
Uncertainty
One of the thresholds for determining if a business will be subject to the CCPA is annual gross revenue of at least USD25M. It’s not stated if this amount is to be derived from doing business in California only or the entire USA.
Choosing to believe the annual gross revenue is based on earning it anywhere in the USA is probably a fairly safe bet but stranger things have happened than the alternative.
Omissions
There are three thresholds that can determine the applicability of the CCPA for a business: annual gross revenue, the number of Californian consumers who personal information is collected, and the proportion of annual gross revenue that is derived from selling the Californian consumers’ personal information.
What’s lacking here is any guidance as to when these thresholds are to be measured, how formally and how often.
The CCPA only requires the business to advise consumers if and why it doesn’t action their requests. Common sense, good manners and better practice require that a business should not only acknowledge receipt of a consumer request but also advise the consumer of the completion of that request.
It wouldn’t hurt for the CCPA to require a business to make such positive confirmations, to avoid leaving consumers uncertain about whether their opt-out or personal information deletion requests have been actioned or not.
Do you need to comply with the CCPA?
If you clearly meet the criteria specified in the definition of ‘business’ above, then just as clearly, you’ll need to comply with the CCPA.
Let’s say though that you’re a for-profit organisation and you collect personal information from Californian consumers. You’re pretty close to the annual gross revenue threshold that will trigger your need to comply with the CCPA.
Your last forecast shows you exceeding the threshold but the recent forest fires in California have dampened demand somewhat. It could go either way.
Prudence and good risk management dictate that you err on the side of caution. It’s far better to comply with the CCPA when you didn’t really need to than it is to not comply when you really did need to. It’s never a good idea to attract the attention of the regulators in any way, shape or form.
Proceed as if there’s no doubt that you need to comply with the CCPA, because if you’re that close now, odds are that you’ll cross the line next time around. And you’ll be totally prepared for it.
Are you able to comply with the CCPA?
If you’re definitely going to need to comply with the CCPA, or it’s a prudent risk mitigation stance to adopt, the looming question is: are you able to?
Policies, processes and procedures, people and various forms of technology will be needed by businesses to establish the environment for enabling the handling of consumers’ personal information in accordance with the obligations specified in the CCPA.
Some changes may be required to established systems and practices to accommodate certain elements of the CCPA. A number of contracts with service providers for handling consumers’ personal information may need to be revised or replaced.
For certain, businesses will need to train some amount of staff in the inner workings of the CCPA, to allow efficient and effective handling of consumer requests, understanding of what can and can’t be done, and keeping pace with the inevitable changes to, and unexpected consequences of, the legislation.
Bear in mind also that the business will likely have internal requirements to satisfy in respect of the consumers’ personal information and the value that can be extracted from it using various forms of analytics.
The regulators had allowed an 18-month lead-time for businesses to plan, prepare for, test and implement approaches for achieving CCPA compliance. In recognition that issues with the legislation still exist, no enforcement actions for non-compliance will be applied for the first six months after its enactment.
Despite the grace period, achieving compliance with the CCPA obligations that apply to a business needs to take priority over development of any business-specific capabilities.
Whether you’re quietly confident about your preparations for CCPA go-live or more than a little nervous about it, don’t waste the opportunity provided by the grace period to ensure that everything needing to be done for compliance gets done.
The CCPA allows consumers to institute civil action against a business that fails to adequately protect their personal information. It also allows the Attorney General of California to institute civil action against any person, business or service provider who intentionally violates the CCPA. Penalties can be substantial.
The introduction of the GDPR in May 2018 followed a 2-year grace period. By February 2019, more than 10,000 GDPR data breaches and fines had occurred just in the UK. A third of large UK and EU business are expected to not be fully GDPR-compliant until sometime in 2020. See here for further details.
GDPR provides a salutary lesson for businesses that need to be compliant with CCPA. A formidable and relentless bureaucracy will do its job without fear or favour, and probably with maximum publicity.
As the first piece of legislation of its kind to be introduced in the USA for local application, many other states and even the Federal Government will likely pay close attention to its effect on the behaviour of the businesses it aims to cover, the success of its disincentives for non-compliance, and the frequency of its amendment to close the inevitable loopholes that allow its spirit to be bypassed for the sake of profit.
How Gatekeeper can help
A business’s contracts with consumers for the collection and processing of their personal information, and with service providers for the processing of consumers’ personal information, can be securely stored in Gatekeeper’s centralised contracts database and contract documents repository.
Custom fields can be added at both supplier and contract levels to show information like "CCPA applies", CCPA-compliance status setting and date last updated.
Workflows using predefined rules can be leveraged to ensure suppliers are reviewed with respect to CCPA applicability, and relevant contracts are reviewed to ensure that required CCPA-specific language is used.
Public forms and workflows can be leveraged to create and store records of consumers’ requests for their data as well as compliance or dispute of these requests as required by CCPA.
Notifications can automatically alert the relevant people to ensure CCPA compliance can be checked and other related activities initiated according to a pre-agreed timetable.
Global search can be used to quickly locate key documentation concerning CCPA matters.
For more information on how Gatekeeper can help businesses comply with the new CCPA legislation, contact us today for an initial conversation.
Disclaimer
This article does not purport to be, and should not be considered as, legal advice.