5 Things to Know About the California Consumer Privacy Act
By KATHERINE CATLOS and JACK HAKIM October 25, 2019
Reprinted with permission from Corporate Compliance Insights (March 11, 2019 Issue)
The California Consumer Privacy Act (CCPA), which goes into effect January 1, 2020, is the most comprehensive privacy law passed in the United States. It’s not just that there are new consumer rights associated with personal information (PI) and more severe penalties, but the definition of PI is very broad. The CCPA defines PI as any “information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household” (Cal. Civ. Code §1798.140(o)).
California’s expansive definition of PI includes:
- Personal identifiers;
- IP addresses;
- Commercial information, including records of personal property, products or services purchased, obtained or considered or other purchasing or consuming histories or tendencies;
- Internet or other electronic network activity information;
- Professional or employment-related information; and
- Any consumer profile inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.
Of note, Assembly Bill (AB) 25 clarified that employee data is presently excluded from the CCPA, but this exemption sunsets on January 1, 2021 as privacy advocacy groups, unions and industry-side advocacy groups “duke out” how the CCPA applies to the workplace, employees and independent contractors.
Understanding where PI about California consumers is located throughout your organization, where it flows within the organization and how it is protected will require a significant, dedicated effort.
Here are five things every organization needs to know about the CCPA.
1. New Consumer Rights
Please keep the aforementioned broad definition of PI in mind as you read about these new consumer rights.
For each new consumer right, there is a corresponding obligation/risk-mitigating measure required of covered businesses. Below we describe several key CCPA consumer rights and their reciprocal business obligations.
The Right of Disclosure
A consumer has the right to request that a business that collects a consumer’s PI disclose the categories and specific pieces of personal information the business has collected (Cal. Civ. Code §§1798.100, 1798.110, 1798.115).
A business that collects a consumer’s PI shall, at or before the point of collection, inform consumers as to the categories of PI to be collected and the purposes for which the categories of PI shall be used. A business shall not collect additional categories of PI or use PI collected for additional purposes without providing the consumer with notice.
A business shall provide this information to a consumer only upon receipt of a verifiable consumer request.
The 12-Month “Look Back”
Within 45 days of the “verifiable consumer request” for PI, a covered business must provide the categories and the specific pieces of personal information collected, sold and/or disclosed; the categories of sources from where the personal information was collected; the business or commercial purpose for which the personal information was collected; and the categories of third parties with whom the personal information is shared for the 12-month period preceding the request (See Cal. Civ. Code § 1798.130(a)(2)).
The business’s response “may be delivered by mail or electronically; if provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit this information to another entity without hindrance” (See Cal. Civ. Code §1798.100(d)).
This means that your organization should already be maintaining accurate records of consumers’ PI starting from January 1, 2019, since CCPA goes into effect January 1, 2020.
The Right of Deletion
A consumer shall have the right to request that a business delete any personal information about the consumer that the business has collected from the consumer. This is generally known as “the right to be forgotten.” A covered business must delete from its records a consumer’s PI after receiving a verifiable consumer request to do so, and it must have contractual agreements that require any service providers it has shared PI with to do the same (Cal. Civ. Code §1798.105). There are multiple exceptions provided in the code.
The Right to Opt-out of the Sale of PI
A consumer shall have the right, at any time, to direct a business that sells PI about the consumer to third parties not to sell the consumer’s PI (Cal. Civ. Code §1798.120).
The Right not to be Discriminated Against
A business shall not discriminate against a consumer because the consumer exercised any of the consumer rights under this title (Cal. Civ. Code §1798.125).
2. Financial Risk
There is significant financial risk for CCPA noncompliance, including civil penalties and private consumer actions.
Violations can cost between $2,500 and $7,500 per violation per affected individual (Cal. Civ. Code §1798.155). For instance, a California prospect list of 20,000 persons improperly processed or breached can lead to a fine from $50 million to $150 million. The average U.S. data breach involves over 25,000 records, and breaches of that size are quite common.
Private Consumer Actions
The CCPA provides a private right of action for any consumer whose nonencrypted PI is subject to an unauthorized access, exfiltration, theft or disclosure as a result of the business’s failure to implement and maintain reasonable security procedures and practices. Affected consumers may recover damages not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater (Cal. Civ. Code §1798.150). A class-action suit for statutory damages due to a breach of 20,000 California prospects could be $2 million to $15 million without proving actual damages to the consumers.
Reports of data breaches and ill-advised privacy practices often lead to a steady erosion of consumer trust and loyalty for many businesses, putting business reputation at risk. Since it can take years to regain consumer confidence, it opens the door for competitors to fill the space.
3. Getting Compliant Takes Teamwork and Stakeholder Buy-In
The CCPA imposes legal and technical challenges, including:
- data mapping to understand where all PI and its metadata (i.e., category, business uses) reside and where data flows within the organization;
- creating mechanisms that enable consumers to make disclosure, opt-out and deletion requests;
- training and potentially hiring new employees to respond to consumer requests;
- adopting new policies and procedures;
- reviewing third-party agreements; and
- security practices and operational capabilities that can scale to satisfy large numbers of simultaneous consumer requests (class-action suits) on their new rights.
Although many of these tasks should be augmented with automation technologies, knowledgeable resources are still needed, and there are tasks that will require human intervention and judgments.
Data discovery and mapping of PI can be a significant undertaking, especially when businesses must decide how PI could be deleted, the uses of said PI and the impact of the categorization of business uses on the rights and the exceptions that exist within the CCPA. For instance, if the PI is needed to carry out the services under contract – for debugging, etc. – it does not need to be deleted under a right to delete (Cal. Civ. Code §1798.105(d)(1), (3)).
4. There is a Lot You Can Do to Reduce Your Risk Under the CCPA
Understanding your PI will allow you to determine what can fall under an exemption to the CCPA, what data you need to encrypt and redact and what should be deleted – thereby resulting in policy changes that will reduce your risks. Most defenses to a CCPA claim will require you to understand how to best categorize and use your data. You do not want to be doing data discovery, classification, mapping and life cycle planning in the middle of responding to customer requests. Redoing service provider and third-party contracts can ensure you are compliant and, where appropriate, transfer the risks to those parties.
Expect more private action class-action suits than prosecutions from the Attorney General’s office. Compliance with the CCPA will add yet another dimension to reduce the risk of breach. Mitigating the scale and scope of breaches should be a key focus.
5. Yes, You Probably Need to be CCPA Compliant
If you are a for-profit business that collects and processes PI of California residents, households or devices (regardless of the state or country of that business), you will have to comply with the CCPA if you meet just one of the following three criteria:
- Generate annual gross revenue of over $25 million,
- Receive or share data of over 50,000 California residents annually or
- Derive at least 50 percent of annual revenue by selling California residents’ PI (new PI definition which is quite broad) (Cal. Civ. Code §1798.140(c)).
It’s not hard to meet these criteria. You will fall within the CCPA if your organization:
- Has a phone app that captures location or other PI data;
- Reaches out to prospects and customers from lists where the lists in total are greater than 50,000 during a year; or
- Has any combination of the above that gets you to 50,000.
Noncompliance can be expensive, and not starting and having a plan will increase your risk and costs dramatically. Preparation can meaningfully reduce risk for businesses covered by the CCPA. There is a lot you can and must do. At the very least, understand what PI under CCPA you have, know your present risks and develop the path to reducing – if not eliminating – those risks.
About the Authors:
Katherine Catlos, Esq., CIPP/US, CIPM, is a partner in the San Francisco office of Kaufman Dolowich & Voluck LLP, where she handles employment law and privacy law matters.
Jack Hakim is Chief Privacy Officer and Partner at EC Wise Inc., where he handles the Compliance, Privacy and Data Management practices.