While many are beginning to turn their thoughts to the holidays—looking forward to attending office parties, enjoying time with family, or eating too much—data privacy and information management professionals do not have that luxury. Instead of sugar plums, our heads are full of opt-out options, third-party disclosures, and privacy notices. Yes, the California Consumer Privacy Act (“CCPA”) is arriving on January 1, 2020, and immediate action is required to get your business ready for it.
Despite amendments having only been signed by the Governor on October 11, 2019 and proposed regulations having only been issued by the Attorney General on October 10, 2019, the CCPA will take effect on January 1, 2020, and with it companies that do business with California residents must be prepared to implement a whole new set of personal data protections and rights. If you do business in California or even just with California residents, as all natural persons who are residents of California are considered consumers under the CCPA, there are several important questions that your company should answer before the new year to help ensure compliance.
1. What Type of CCPA Entity Are You?
The CCPA divides businesses into three categories: (1) covered businesses, (2) service providers, and (3) third parties.
Covered businesses are for-profit entities that do business with and collect the information of California residents (including employees and applicants). To be a covered business, your company must (1) have annual gross revenues in excess of $25 million, (2) receive personal information of more than 50,000 California consumers, households or devices, or (3) derive more than 50% of its revenue from selling consumer information.
Service providers are for-profit entities that process information on behalf of a covered business for an allowable business purpose and who receive consumers’ personal information from the covered business, which must be in accordance with a written contract that prohibits the use, disclosure or retention of personal information for any purpose other than the allowable business purpose.
Third parties are vendors or other organizations that do not fit into either the covered business or service provider definition. Third parties that receive California consumer personal information may be subject to the CCPA through contractual arrangements with their business partners.
Depending on the circumstances and contracts at issue, your company may fall into one, two or all three of the foregoing categories based on how you are receiving, disclosing, and using personal information in a given situation.
2. Are You Selling Personal Data?
If you determine your company is a covered business, you must also decide whether your company is “selling personal data,” and thus subject to additional notice and compliance obligations. Selling information is not limited to circumstances in which money is directly paid by a third party for access or use of the personal information, but includes exchanges of personal information that are tied to any valuable consideration. For example, simply allowing another business with whom you already have a contract for a separate service to use personal information for its own analytics purposes may constitute a “sale” because the information is exchanged in connection with consideration.
There is, however, an important exception to the “sale” of personal information for personal information communicated to a service provider according to a compliant service provider contract, discussed further below.
If your company is engaged in the sale of personal information, you will need to take several additional steps on January 1, including incorporating a “Do Not Sell My Personal Information” button or link on your company’s website. This button must link to a page that informs the consumer of how to opt out of the sale of his or her personal information and enables the consumer to do so. Your company must also ensure that the consumer’s election remains in force for at least 12 months before you make a new request to sell the consumer’s personal information.
3. Have You Updated Your Privacy Notices?
The CCPA requires that privacy notices be made available at or before the time of collection, and such notices must describe the categories of personal information collected and purposes for which the information will be used. These notices will likely be more detailed and provide more information on your company’s use of personal information than your current notices. Covered businesses must disclose:
- Descriptions of the consumer’s right to access and delete personal information, obtain information about disclosures, opt out of any sales, and not be discriminated against for exercising his or her CCPA rights;
- The methods for submitting requests to exercise those rights and obtaining information, including a toll-free telephone number and web address;
- The categories of personal information your company has collected in the past 12 months, the business or commercial purposes for collecting such information, and the categories of third parties with whom such information is shared; and
- Categories of personal information sold or disclosed for a business purpose in the last 12 months.
Additionally, it will be critical to review your privacy notice and policies to capture the broad definition of personal information under the CCPA. The CCPA defines personal information to include cookies, IP addresses, device identifiers, customer observations and inferences, and information that can reasonably be linked to a consumer or household. Your current policies may not capture all of these items as “personal information.” It is necessary to both revise your privacy notices now, in light of the fast-approaching effective date, and be prepared to update them when regulations are finalized in April or May 2020.
Employee personal information is also within the scope of the CCPA. Each employer must extend the rights and protections of the CCPA to personal information it collects on job applicants, employees, owners, directors, officers, medical staff, or contractors, including informing its employees of the categories of personal information the employer will collect. Simply put, employees are consumers for purposes of the CCPA with some exceptions on enforcement discussed further below.
4. Are Your Vendor Contracts CCPA Compliant?
All vendors with whom you share personal information must be classified as either service providers or third parties. This is critical for providing the appropriate notices regarding the disclosure and sale of personal information as required by the law.
Service provider contracts should be updated to specify the business purpose for which personal information is processed, expressly prohibit the sale of personal information, and prohibit the use, disclosure or retention of personal information for any purpose other than the contracted-for business purpose.
Third party contracts should also be reviewed to ensure that third parties are prohibited from reselling personal information unless there has been explicit notice to the consumer and the right to opt out of such resales. Third party contracts will also likely constitute the sale of personal information unless your company can establish that it was directed by the consumer to intentionally disclose the personal information and intentionally interact with the third party. Properly documenting and updating these contracts will be key to ensuring that your company is not inadvertently selling personal information under the CCPA.
5. Will You be Able to Respond to Consumer Access, Deletion, and Opt-Out Requests?
In addition to the opt-out rights for the sale of personal information discussed above, any covered business—even those not selling personal information—must ensure the right of access to and deletion of consumer personal information. Starting January 1, your company must both inform consumers of these rights and be ready to implement their requests.
This will include developing a process to verify the requestor’s identity prior to complying with the request, determining how such requests will be processed by your company, ensuring that data will be provided in a portable and usable format, and making sure that your service providers and third parties can implement such requests when directed.
Importantly, there is a year-long moratorium for offering these rights to employees for any personal information held in connection with their employment, but the data breach private right of action discussed below and the requirement to inform employees and applicants about categories of personal information and purposes for which it will be used still apply to this information during the moratorium. Now is a good time to develop employee and worker privacy notices.
Although the California Attorney General will delay enforcement until July 2020, the law has a 12-month lookback period built in. Thus, while the ink is still fresh on amendments and regulations, businesses have the remainder of the year to implement compliance mechanisms. The penalties for failing to do so are steep: the California Attorney General can bring a civil action for an injunction and a penalty of up to $7,500 for each intentional violation, and consumers have a private right of action for breaches of unencrypted sensitive-category information resulting from a business’s violation of its duty to “implement and maintain reasonable security procedures and practices.”
By answering these questions today, your company will be more ready for CCPA and you won’t have to spend your new year playing catch up.
And even if you are not covered by the CCPA, you should consider whether to voluntarily comply with some or all of the CCPA requirements. As data breaches continue to occur, the pressure will mount on other state legislatures and Congress to take action to follow the lead of the European Union, with its GDPR regulations, or California, with the CCPA, to further protect personally identifiable information. CCPA-like legislation is currently pending in multiple states, including Massachusetts, Maryland, and New York. Taking steps now to conduct data mapping of the personal information maintained by your company, update your privacy policies and analyze your data security processes will help you prepare for these new laws and regulations. In fact, Microsoft announced on November 11, 2019 that it will implement the requirements of CCPA nationwide. By recognizing that additional state laws are inevitable, Microsoft is looking to promote itself as an industry leader on consumer privacy by extending the CCPA protections to all its customers across the United States. Similar steps can help your company be proactive instead of reactive to your clients’ and customers’ data privacy concerns and needs.