In the first part of this blog series we took a look at the the California Consumer Privacy Act (CCPA) that is coming into effect in January 2020. The implications of being off side with the new regulations are not trivial and apply to more than 500,000 US businesses according to the IAPP - not to mention any business around the world that has the personal data of California businesses and meet the relevant threshold. That is A LOT of businesses. Now how is that possible you ask? Let’s take a closer look at the businesses who will fall under the CCPA’s umbrella come 2020.
The Two Big Questions You Need to Answer
1) Do you collect any personal data on California consumers?
Or more specifically, Do you collect, buy, rent, obtain, receive, access, use, share, or sell personal information of California residents? In case you've forgotten, you can find a definition of personal information in our previous blog.
Now before you answer too quickly, the complicating factor in this question is that it includes both active and passive data collecting – in other words, if your website monitors any activity of California residents and collects online identifiers – you'll likely need to comply.
2) Does Your Business Fall Under the Scope of the CCPA?
If you answered yes to question number one, you need to answer a few other questions:
- Is your annual gross revenues of $25 million or more; or
- Does your organization, alone or in combination with others, obtain, sell or share the personal information of 50,000 or more California residents, households or devices annually? or
- Does your company earn 50 percent or more annual revenue from selling California residents’ personal information?
To sum up, based on this scope, who is not doing business in California? It’s the fifth largest economy in the world.
What Will You Have to Do to Comply?
To comply companies falling under the scope of the CCPA will be required to meet six mandatory requirements.
1 |
TransparencyandDisclosure |
Businesses must inform consumers, at or before the point of collection, about:
A business cannot collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice. |
2 |
Give Access |
When a business receives a verifiable consumer request to access their personal information, they must promptly comply. The business must deliver personal data in a readily usable format that allows the consumer to transmit the information to another entity (strongly resembling to GDPR’s data portability). A business, however, is not obligated to provide the requested information more than twice within a 12-month period. |
3 |
Delete |
When a consumer asks a business to delete their personal information, they must delete the information from its records and direct any service providers to do the same. It is important to note however that this right to deletion (similar to GDPR's "right to be forgotten") is subject to numerous exceptions (e.g. to complete a transaction, to comply with a legal obligation). |
4 |
Comply with Opt-out Requests |
When a business receives a direction from a consumer not to sell their personal information or in the case of a minor, it has not received consent to sell their personal information, it must comply with such request |
5 |
Do NotDiscriminate
|
Businesses are not allowed to discriminate against consumers who exercise any of their new privacy rights under the CCPA. This means that they can’t:
However, there should be a big warning sign beside the following exception to this Do Not Discriminate rule in the CCPA. Nothing will stop a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer’s data. It is yet to be seen how companies will attempt to rely on / abuse this exception. At the other end of the spectrum, businesses might elect to offer financial incentives, that are not unjust, unreasonable, coercive or usurious, including payments to consumers as compensation, for the collection and sale of their personal information. |
6 |
ServiceProviderManagement |
Businesses are required to have a written contract in place with any service providers that process personal information on their behalf that prohibits them from retaining, using, selling or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract. |
Some Good Things to Know Before 2020
There are some things you will need to address if your organization is impacted by CCPA. While not intended to be an exhaustive list, the following six items are a good place to start:
- Disclosure Request Channels. Businesses are required to provide two or more different channels for consumers to exercise their right to disclosure. This must include, at a minimum, a toll-free telephone number, and if the business maintains a website, a website address.
- Implement a Process to Provide Consumer Information. Businesses must have a process in place to support disclosure and delivery of requested information within 45 days of receiving a verifiable request. The consumers’ requested personal information can be delivered through their account with the business, by mail, or electronically in a readily usable format, which should allow consumers to transmit the information to another entity.
- Update Your Online Privacy Policy. Businesses are mandated to disclose the following
information in their online privacy policy or if they do not maintain a website, in their description of consumers’ privacy rights and update that information at least once every 12 months:
- A description of a consumers’ rights and one or more designated methods for submitting requests and a separate link to the “Do Not Sell My Personal Information” webpage.
- A list of the categories of personal information the business has collected about consumers in the preceding 12 months.
- A list of the categories of personal information the business has sold or disclosed about consumers in the preceding 12 months or if it has not sold or disclosed, that fact.
- Privacy Training. Businesses must ensure that employees handling inquiries about the business’s privacy practices or compliance with CCPA understand the requirements of CCPA and know how to direct consumers to exercise their new privacy rights.
- Provide a “Do Not Sell My Personal Information” Link. Businesses must provide a clear and conspicuous link on their homepage titled “Do Not Sell My Personal Information” that allows consumers to opt out of the sale of their personal information without having to create an account with the business.
- Duty to Implement and Maintain Reasonable Security Procedures and Practices. The CCPA mandates that businesses implement and maintain reasonable security procedures and practices appropriate to the nature of the information to adequately protect it.
All in all, there is a lot to do - starting with figuring out whether your business falls into the scope of CCPA and if so, what you need to start thinking about.
The third and final part of this blog series will shed light on the heavy enforcement measures giving teeth to the CCPA. We will also provide a 10-item To Do List on where to start and what you can do now to become CCPA-compliant by January 1st, 2020.
Submit a Comment