Article
Is your business achieving CCPA compliance?
Feb 26, 2020 · Authored by
Chances are that over the last few months, different companies you interact with, like Hulu, Spotify or Lyft, have sent you notices about new privacy laws and procedures.
The onslaught of emails and notifications marked the beginning of new privacy laws under the California Consumer Privacy Act. Effectively, January 1, 2020 introduced one of the most impactful consumer privacy laws in recent memory.
Under the law, consumers receive additional privacy rights regarding the use of their personal information by large companies.
While consumers rejoice over the reclamation of (some) power, it is now up to businesses to comply with the new regulations. Now is the time to ask yourself: How does the new law affect your company? Is your company in compliance? Do you know what steps you need to take to make sure you get there?
What is the CCPA?
According to the California Attorney General, the California Consumer Privacy Act (CCPA) creates new rights relating to the access, deletion, and sharing of personal information collected by businesses.
It allows residents within the state of California to review personal information gathered by large companies around the world, ranging anywhere from purchase histories and location tracking to compiled “profiles” that slot people into categories such as religion, ethnicity and sexual orientation. And effective January 1, 2020, consumers can force these companies to stop selling that information or even to delete it in bulk.
Notably, the law’s definition of data “sales” is so broad that it covers almost any information sharing that benefits companies, including data transfers between corporate affiliates and data dissemination to third party “data brokers.”
However, the law does clarify at least two instances that do not qualify as selling personal information:
1. The business uses or shares the information with a service provider that is necessary to perform a business purpose, as long as it meets the conditions in Section 1798.135 and the business does not collect more information than is needed for the business purpose.
2. The business transfers the personal information to a third party as an asset that is part of a merger, acquisition, or bankruptcy.
Admittedly, the new rights do have limits, but the very existence of the law signals changes to a data collection industry that has gone unregulated and unchecked for so long.
What personal data does the law cover?
The CCPA covers much of the obvious personal information like your name, username, password, phone number and physical address. It also includes information used to track your online behavior, such as IP addresses, location information, browsing history and device identifiers.
Furthermore, the bill covers characterizing information such as race, religion, marital status, sexual orientation and military or veteran status. It also covers biometric information like fingerprints or facial recognition.
What data does the law not cover?
The law does not protect any data found in public government documents. Thus, companies can still learn your marital status through public records, for example. However, the law notes that businesses must collect this information directly from government records, not from other sources like social media accounts.
Who is required to comply with the CCPA?
Although California enacted the bill in 2018, the CCPA officially went into effect January 1, 2020. Companies have an extended grace period of six months to make the necessary changes. Then, starting July 1, 2020, the California Attorney General receives the right to bring enforcement action against those who fail to comply.
Businesses are subject to the CCPA if they meet one or more of the following criteria:
- The business has gross annual revenues in excess of $25 million;
- The business buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices;
- The business derives 50% or more of its annual revenues from selling consumers’ personal information.
In addition, businesses that handle the personal information of more than 4 million consumers will have further obligations.
It is also important to understand that businesses located outside of the Golden State are also on the hook to comply with the new rules. If your non-California business has customers or potential customers within California and you meet one of the above criteria, you must conform to CCPA regulations.
What are the new obligations for businesses?
As the law provides a variety of privacy rights to California consumers, businesses regulated by the CCPA will have a number of obligations to those consumers, including disclosures, General Data Protection Regulation (GDPR)-like consumer data subject rights (DSRs), an ‘opt-out’ for certain data transfers, and an ‘opt-in’ requirement for minors.
Per the California Attorney General’s office, the CCPA imposes the following requirements for companies to achieve compliance:
1. Businesses subject to the CCPA must provide notice to consumers at or before collecting data.
2. Businesses must create procedures to respond to requests from consumers to opt-out, know, and delete. For requests to opt-out, businesses must provide a “Do Not Sell My Info” link on their website or mobile application.
3. Businesses must respond to requests from consumers to know, delete, and opt-out within specific timeframes. As proposed by the draft regulations, businesses must treat user-enabled privacy settings that signal a consumer’s choice to opt-out as a validly submitted opt-out request.
4. Businesses must verify the identity of consumers who make requests to know and to delete, whether or not the consumer maintains a password-protected account with the business. As proposed by the draft regulations, if a business is unable to verify a request, it may deny the request, but must comply to the greatest extent it can. For example, it must treat a request to delete as a request to opt-out.
5. As proposed by the draft regulations, businesses must disclose financial incentives offered in exchange for the retention or sale of a consumer’s personal information and explain how they calculate the value of the personal information. Businesses must also explain how the incentive is permitted under the CCPA.
6. As proposed by draft regulations, businesses must maintain records of requests and how they responded for 24 months in order to demonstrate compliance. In addition, businesses that collect, buy, or sell the personal information of more than 4 million consumers have additional record-keeping and training obligations.
Essentially, businesses must disclose what information they collect, what business purpose they have for doing so, and what third parties they share the information with.
In addition, businesses must comply with official consumer requests to delete specified data. Consumers have the ability to opt out of the sale of their data, and in return businesses cannot retaliate by altering prices or levels of service. However, businesses do have the right to offer “financial incentives for being allowed to collect data.”
What happens if you do not comply?
It is up to the California Attorney General to issue non-compliance fines. As the law stands today, failure to comply with the above regulations will result in a fine of $2,500 per violation if unintentional. The fine increases to $7,500 per violation if the act was intentional.
What are some actions I can take to be compliant?
Ahead of January 1, a number of major tech companies began to take necessary steps towards CCPA compliance. One of the most common courses of action was adding new user features.
For example, in December 2019, Twitter introduced a privacy center where users can learn more about the company’s approach to the CCPA and customize the types of information that the platform may use for ad targeting.
Google also created an opt-out add-on that blocks websites from transmitting data to the company. Some companies elected to hire outside firms to design special buttons and links that direct users to interactive forms where they can specify how the company may treat their personal data.
These steps may be easier for companies with the financial means to take them. But what about small and medium-sized businesses? What are some steps you can take to make policy implementation less daunting?
Some considerations as you implement new compliance policies include:
- Evaluate your current capabilities by identifying and classifying personal data.
- Take a look at your data-governance capabilities.
- Create a strategy to monetize data in a way that meets CCPA privacy regulations.
- Take stock of your privacy controls, keeping an eye out for gaps in meeting CCPA requirements. Then prioritize the processes and technologies that need to be updated.
- Be proactive and set up a CCPA program management office to handle regulations accountability, remediation, and implementation.
- Implement regulations monitoring procedures to ensure your business continues to be in compliance in the long run.
How does the CCPA relate to the GDPR?
As some have already pointed out, the CCPA bears resemblance to the General Data Protection Regulation (GDPR) enacted by the European Union (EU) in 2018. Under the GDPR regime, every EU citizen receives the right to know and decide how their personal data is used, stored, protected, transferred and deleted.
The law affects any organization anywhere in the world that targets or collects data related to the people of the EU. Failure to comply with GDPR regulations results in severe fines that max out at €20 million or 4% of global revenue (whichever is higher), and individuals also have the right to seek compensation for damages.
There are some notable differences between the GDPR and the CCPA. First, the GDPR requires companies to receive consent to collect data (essentially the ability to opt in) or to have some other valid reason for collecting user information.
Second, it requires companies to minimize the data they collect. The CCPA does not require companies to go through these steps to collect personal information, so any limits on data collection will be imposed by individual users who make requests to delete and opt out.