Companies and governments around the globe rely more and more on digital data to perform basic operations. As this reliance has grown, so have risks to individual privacy. As a result, political leaders have started to try to protect privacy through legislation. The United States has yet to respond with a comprehensive federal privacy law, which has left the states to develop their own privacy protections. Enter the California Consumer Privacy Act (CCPA), California’s attempt to protect individual privacy through consumer empowerment.
This article is written for startups (and small businesses operating online) who could use some help with the basics of CCPA compliance.
This is a lengthy post, but it provides an overview of the CCPA and what CCPA compliance looks like as a matter of day-to-day practice. Please remember that the CCPA is a very new law with an uncertain future--there will be amendments, updated regulatory guidance from the California Attorney General, additional ballot-initiated changes, and possibly (down the road) federal preemption. If you have additional questions about CCPA compliance or would like to get started with Aptible, please take a look at our CCPA Next Steps.
Please note: This post is for informational purposes only. Aptible is not a law firm, and this post is not legal advice. You should contact an attorney to obtain advice with respect to any particular issue or problem.
The CCPA is California’s GDPR-like response to Congress’s failure to enact federal privacy legislation. The CCPA advances the privacy protections--and rights--of California residents with respect to their personal data. Like the GDPR, the CCPA goes beyond just requiring businesses to provide notice about what a business does with consumer data. Indeed, California residents now have a number of different rights (more on those below) that they can exercise in order to ensure companies aren’t using their data in ways they don’t know about or approve of.
In general, in order to comply with the CCPA, you need to make appropriate disclosures about your data processing activities, communicate to consumers about their rights, and empower them to exercise those rights.
The story of how we got the CCPA is a long one, but know that it did not start with the California legislature. A real-estate developer and privacy advocate led the way by collecting enough signatures to get the draft text on the ballot for California voters to consider. That’s when the state legislature intervened, and shortly thereafter drafted and passed a different version of the proposal. California Governor Jerry Brown signed the CCPA into law in June 2018.
In October 2019, the California Attorney General issued proposed regulations that aim to clarify some of the ambiguities in the text of the CCPA itself. With final regulations pending at the time of this writing (and the prospect of additional ballot initiatives and legislative amendments), some things are uncertain, but there is enough between the statute and the proposed regulations to know how to get compliant. But keep in mind that changes could come soon.
The CCPA will take effect January 1, 2020, and you should aim to be compliant by then. However, the CCPA precludes the California Attorney General from bringing an enforcement action until either six months after publication of the final rules (we’re waiting for those still) or July 1, 2020, whichever is sooner.
The CCPA applies to all for-profit businesses that (a) collect personal information about California residents or determine how that personal information is processed, (b) do business in California, and (c) meet one of the following thresholds:
The bar is low: while many startups may not hit the $25 million or 50%-of-revenues thresholds, it’s very possible to receive the personal information of 50,000 consumers (i.e., California residents) in a year. And this threshold is even easier to meet because individuals tend to have multiple devices.
The CCPA is concerned with “personal information,” defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
This definition of “personal information” is broad, but the CCPA takes the extra step of providing explicit examples of some information types that are usually thought to constitute personal information, such as names, email addresses, Social Security numbers, biometric information, and more. But it also includes categories of information not uniformly considered to be personal information, such as IP addresses, Internet activity (think browsing activity and search history), and employment-related data.
To see the full list, check out the text of the CCPA’s definition of “personal information” here.
While there isn’t an official CCPA “audit,” that doesn’t mean you can’t be held accountable. Indeed, the California Attorney General can bring an enforcement action against violators for up to $7,500 for each intentional violation. There is also a private cause of action for some unauthorized breaches of consumer information.
As mentioned above, the CCPA grants consumers specific rights as to their personal information. Here are some of the key rights the CCPA provides to consumers:
1. Right to Know
Consumers have the right to know about personal information companies have collected, used, disclosed, or sold about them. This means that you must disclose this right to consumers and adopt a process to receive and verify consumer requests.
2. Right to Delete
Consumers have the right to have their personal information deleted. Here, you must disclose this right and, like the right to know, adopt a process to receive and verify consumer requests to delete their data. With respect to the right to know and the right to deletion, you need to be mindful of the standard you use to verify a consumer’s identity. That is especially true for the right to delete--where the standard and process you select will vary based on the sensitivity of the information of concern and the potential harm to a consumer that could result from an unauthorized deletion.
3. Right to Opt Out
Consumers have the right to opt out of the sale of their personal information. We’re getting repetitive but, again, you have to make disclosures about the consumer’s right to opt out, and provide them with a way to opt out. This gets tricky for some minors, and you want to be careful that you have the appropriate opt-out or opt-in process in place for various age groups.
4. Right to Non-discrimination
Consumers have the right not to be discriminated against as a result of exercising their other rights. In other words, if a consumer opts out of the sale of their personal information, with one minor exception, you can’t charge them different rates or offer them different goods or services because of that exercise.
Now for the exception: as part of a financial incentive program, you may offer price differences in exchange for the ability to sell personal information as long as the differences are based on the value of that data. But again: you may not unlawfully discriminate against a consumer for exercising any of their CCPA rights. Getting the balance right is hard.
There are a few operational changes you will need to make to be CCPA compliant:
Step one is to determine if (and how) you’re subject to the CCPA. The details on the CCPA’s scope are provided above, but note that even if you are not directly subject to the CCPA’s requirements, you may still have to support a covered business's compliance efforts in some way, so it is helpful to determine early how the CCPA might indirectly implicate you (i.e., as a third party or service provider).
If you are subject to the CCPA, you should map out your data-processing activities. This involves identifying where and how you collect, process, and transmit data. Record your findings in a data use inventory, a log of everything related to your relationship with the data you have. Consolidating this information in a central location will help you achieve and maintain CCPA compliance--it makes the disclosure process that much easier, for instance.
As described above, the CCPA gives consumers a number of rights with respect to their data. In order to respond to consumers who exercise their rights, you need to have processes in place to give consumers access to their data, to delete their data, and to let them opt out of the sale of their data. Additionally, you need to make sure you can verify consumers making requests--just because email@example.com asks for all the data you have related to her doesn't mean that the request is legitimate.
Under the CCPA, you need to disclose the categories of third-party recipients of the data you collect. The best way to stay organized and ensure you are compliant is to log in advance all of your vendors that receive or process your (or your customers’ or users’) data. You should also make sure that your contracts with vendors contain commitments that the vendor will protect consumer data.
The CCPA gives consumers a private right of action for violations that relate to security breaches. In other words, consumers may be able to sue you if your CCPA violations cause a data breach. Thus, it’s important to make sure that you have a security program in place to sufficiently protect consumer information. For more on security best practices, check out Aptible’s Security Management Guide.
Finally, you should train your employees so that they understand your CCPA obligations. Specifically, make sure that everyone working with consumer personal information knows how to respond to consumer requests when they inevitably start pouring in.
If you’re curious to learn more about the CCPA, check out the CCPA itself, the AG’s proposed regulations, and the AG’s Notice of Proposed Rulemaking Action. Moreover, privacy-focused organizations have published information on CCPA compliance, including the IAPP.
Finally, if you'd like to chat about how to design a CCPA-compliant privacy program, please get in touch with us anytime, or contact your Customer Success Manager directly.