Interest in the California Consumer Privacy Act (CCPA) is heating up. I wrote about CCPA almost a year ago, saying it is quite clear in what it sets out to do — and how it’s arguably the toughest privacy-related law any U.S. state has enacted.
But even though CCPA takes effect next January 1, it does not appear to have the visibility that the General Data Protection Regulation (GDPR) had in Europe seven months before its own effective date.
I say this based on conversations we’ve had with clients and prospects, and also because during one keynote at the Gartner Data & Analytics Summit back in March, it appeared that only about 10% of the 4,000 attendees (indicated by a show of hands) had heard of CCPA. That’s very concerning.
If your business is already managing GDPR compliance, or if your firm is located in California, you are likely aware of CCPA and already planning for it. But if you are not familiar with this law and its potential ramifications (and there are implications even if your business is outside California), the high-level overview that follows can help you learn more.
As with any pending or approved data privacy law, you’ll want to engage your legal and data privacy experts (often, with the advice of outside counsel) to interpret what CCPA will mean to your business.
WHO HAS TO COMPLY WITH CCPA?
Your business must comply with CCPA if it meets all of the following:
- Is a for-profit legal entity
- Collects consumers’ personal information (PI), or has it collected on its behalf
- Determines (alone or jointly with others) the purposes and means of processing that PI
- Does business in California
Any legal entity that controls, or is controlled by, such a business and shares common branding with it is also covered.
In addition, compliance is required only if the business also meets at least one of these thresholds:
- Annual gross revenue of $25 million or more
- Annually buys, receives, sells or shares the PI of 50,000 or more consumers, households or devices
- Derives 50% or more of its annual revenue from selling consumers’ PI
WHO AND WHAT IS PROTECTED BY CCPA?
CCPA protects California consumers, defined as follows:
- “Consumer” is a natural person who is a California resident. “Natural” means an individual human being, as opposed to a legal person, which may be a private (i.e., business or non-governmental) or public (i.e., government) organization.
- “Resident” takes its definition from California’s tax regulations: an individual who is in California for other than a temporary or transitory purpose, or who is domiciled in California but temporarily outside it. If a business cannot determine whether an individual is a California resident, it may need to treat that individual as one, effectively making the law “national” in practice.
CCPA protects PI, meaning information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. (Note: This is a very broad definition, arguably broader than GDPR’s definition of personal data, notably because it extends to households.)
“Publicly available information” (i.e., information lawfully made available from federal, state or local government records) is excluded; however:
- The data must be used for a purpose compatible with the one for which the government maintains and makes it available.
- Social media and search engines are not considered publicly available sources.
CCPA RIGHTS AND HIGHLIGHTS
Under CCPA, California consumers have certain rights related to their PI, including:
- Right to Know: If asked by a consumer, a business must disclose what PI and categories of PI the business collects about the consumer, the categories of sources that the business acquired PI from, and the categories of any third parties the business sells or otherwise gives the PI to.
- Right to Delete: A business must delete a consumer’s PI, if asked.
- Right to Access: A consumer can obtain the specific pieces of PI the business holds about them.
- Right to Opt Out: A consumer can direct the business to stop selling their PI to third parties.
- Right Against Discrimination: A consumer cannot be discriminated against (for example, through different pricing or service levels) for exercising these rights.
Other CCPA areas to note:
- The business must disclose to the consumer what PI categories it collects and the purposes it uses the PI for.
- The business has certain responsibilities in the event of a breach.
- Children are considered a special category, as CCPA gives parents more control over what personal data businesses can collect from minors.
- CCPA-compliant disclosure and notification are critical.
- The law may change in the near term (though significant revisions are unlikely), and again later as CCPA is implemented and challenged.
Businesses must be able to handle verifiable consumer requests (VCRs) regarding PI; for example, a business:
- Must be able to locate and segregate the PI covered by each request.
- Need only disclose PI collected in the 12 months preceding the VCR.
- Must respond to a VCR within 45 days.
Additionally, a business may offer consumers financial incentives for providing their PI and for permitting the business to process and sell it. But consumers cannot be penalized if they decline to allow use of their PI.
In the event of a data breach resulting from a failure to maintain reasonable security, CCPA gives consumers a private right of action for statutory damages of $100 to $750 per consumer per incident (or actual damages, if greater). While these amounts may not seem excessive, they add up quickly because they are assessed per consumer and per incident.
Additional penalty areas to be familiar with:
- Civil penalties are assessed per violation, with a higher ceiling for intentional violations, and a business’ compliance efforts (or lack thereof) bear on how they are assessed.
- Litigation (e.g., class actions) is possible.
- Reputational damage should also be factored into the cost of non-compliance.
OUR CCPA “PLAYBOOK”
The governance of data, processes, people and technology is at the heart of meeting the CCPA challenge. To prepare for CCPA, your organization needs to know what CCPA-sensitive data you have, where it resides and why you have it.
First San Francisco Partners developed our CCPA Playbook to run on a technology-based metadata solution (such as Collibra or Alation). It can quickly put you on the road to compliance while laying the foundation for a privacy-by-design governance program for the future.
The CCPA Playbook helps our clients develop a plan in 10 days by:
- Determining where you are in terms of your organization’s response to CCPA based on a breakdown of its 150 constituent elements (essentially a gap analysis)
- Identifying the tasks that have to be carried out to become CCPA-compliant
- Resolving how your organization has to configure and operate your metadata solution to support CCPA compliance
- Deriving a detailed project plan for how CCPA compliance will be reached after completion of the CCPA Playbook
- Loading pre-specified CCPA-relevant content from the Playbook into metadata to update business glossary definitions and reference data code sets
For more information about our CCPA consulting services, download our CCPA infosheet, The Clock Is Ticking on Complying with CCPA, or contact us to talk with one of our CCPA specialists.
First San Francisco Partners (FSFP) is not a law firm, nor does it represent one. Therefore, neither FSFP, nor any of its employees, consultants, and sub-contractors provide legal advice on data privacy regulations (e.g. GDPR, CCPA).
FSFP expects that any enterprise that engages FSFP leverages the enterprise’s Legal and Data Privacy experts, often with outside Counsel, to interpret all data privacy regulations or laws (e.g. GDPR, CCPA) as they require.
Furthermore, FSFP expects that the designated enterprise’s Legal and Data Privacy expert(s) participate throughout any engagement involving FSFP to provide advice, guidance and interpretation (along with advice and/or guidance from designated outside Counsel) of the impact of all data privacy regulations or laws (e.g. GDPR, CCPA) on the enterprise.
FSFP’s role is not to provide this advice and/or guidance, but rather FSFP partners with the appropriate enterprise Legal and Data Privacy experts and other key personnel in Data Governance, IT, Risk, Procurement, etc., to translate the Legal and Data Privacy experts’ interpretation into operationalized practices supporting data privacy compliance.
FSFP does not guarantee compliance with any applicable laws and/or regulations (e.g., GDPR, CCPA) in any jurisdiction (e.g., California, European Union). The expectation is that the enterprise reviews and vets the FSFP work products, including, but not limited to, content, deliverables and Readiness Assessment tools (e.g., GDPR, CCPA), essentially all artifacts, with accredited legal experts for final opinions.
Article contributed by Malcolm Chisholm. He brings more than 25 years’ experience in data management, having worked in a variety of sectors including finance, insurance, manufacturing, government, defense and intelligence, pharmaceuticals and retail. Malcolm’s deep experience spans specializations in data governance, master/reference data management, metadata engineering, business rules management/execution, data architecture and design, and the organization of enterprise information management.