CCPA creates new consumer rights and businesses need to create new processes and procedures to support these rights at scale
Will your organization be ready on January 1, 2020, to answer 100 consumer requests in 45 days? Will you be able to complete tens of thousands of requests, covering everything collected in the previous 12 months (in this example, since 1/1/2019):
- To show all the Personal Information (PI) of theirs you have,
- The categories of that shared PI,
- The usage by categories for the previous 12 months
- The uses of that data by category?
And to delete the PI?
And to provide all the PI to them in a usable format?
How will you satisfy these requests? Operationally, it will be a challenge.
You can’t show the data you shared, disclosed, or sold and the categories and usage of that data throughout 2019 unless you’ve rewritten your 3rd party contracts to require them to cooperate.
CCPA requires planning now. It will take time to become compliant, and the risks are large.
CCPA requires new policies, procedures, disclosures, 3rd party agreements, data mapping and preparation for compliance. Data mapping is the process of identifying and classifying all the data collected: its source, its purpose for each potential user, how it is processed and transmitted, and where it is stored. This has become much harder. PI is expanded under CCPA to “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” PI includes online identifiers, IP addresses, email addresses, biometrics, preferences and purchases of products and services, images, browsing history, educational or FERPA information, employment information, and profiling information that is derived or based on inference.
CCPA Creates Significant Risk from Fines and Statutory Damages for the Unprepared Business
- CCPA has no cap on penalties, and it significantly increases penalties for “unauthorized access and exfiltration, theft or disclosure” of consumer data, i.e., a breach.
- Reasonable and appropriate behavior will require understanding and having security and privacy controls in place, following best practices and standards such as NIST, CSC Top 20, ISO 27001 and ISO 27701
- Penalties are from $2,500 to $7,500 per record
- A 20,000 CA prospect list breach can lead to a fine from $50,000,000 – $150,000,000 (the average size of a data breach in the US is >25,000 records)
- Due to the broader definition of PI under CCPA, many companies have significantly more records and more PI data than they realize
- CCPA authorizes a limited private right of action for consumers whose personal information is subject to unauthorized disclosure. CA individuals can obtain the greater of actual damages or statutory damages between $100 and $750 per violation
- In addition to fines, a breach of 20,000 CA prospects can lead to a suit from $2,000,000 – $15,000,000 without the consumers having to prove actual damages
- Proxies, activists, and lawyers can represent groups of consumers; expect many class action suits
Must You Comply?
Yes, if you are a for-profit business that collects and processes PI of California residents, households, or devices (regardless of the state or country in which the business is located), does business in California, and meets one of the following three criteria:
- Generate annual gross revenue > $25 million
- Receive or share data of > 50,000 California residents annually
- Derive at least 50 percent of annual revenue by selling California residents’ PI (under the new PI definition, which is quite broad)
Summary of Key New Consumer Rights:
- Right of the consumer to request disclosure of all the consumer’s PI held by the organization, the categories of information and associated information, the source of the information and how each category of information is used, the third parties to which you have “sold” or shared the data, and how they have used it.
- Businesses must disclose and deliver the required information within 45 days of receipt of a verifiable consumer request.
- Right to be informed that PI is being disclosed or sold
- Right to opt-out of the sale of PI
- Right of deletion – The business must delete from its records a consumer’s PI after receiving a verifiable consumer request to do so and it must have contractual agreements that require any service providers it has shared PI with to do the same.
- Right to look back – when a consumer makes a verifiable request for access to their PI, organizations are required to provide records covering the 12-month period preceding the date of the request. This means that your organization should already be maintaining accurate records of consumers’ PI starting from January 1, 2019, since CCPA goes into effect January 1, 2020.
Wake Up Call – Why We Are Focusing Here on Risks and Costs
Since 1972 the California Constitution has given each citizen an “inalienable right” to pursue and obtain privacy. However, it had no teeth. CCPA is a privacy law with big teeth, and a commitment to take a bite out of businesses not protecting their residents’ data. It’s the first of its kind in the US. Hundreds of thousands of companies will be affected, and most are not ready.
The net of all this is that organizations doing business in California should have already begun to prepare. If you would like to learn more or could use assistance, we and our legal team would be glad to help.