CCPA creates new consumer rights and businesses will need to create new processes and procedures to support these rights at scale.
Will your organization be ready on January 1, 2020, to answer 100 consumer requests within 45 days? Will you be able to complete tens of thousands of requests, covering everything collected in the previous 12 months (in this example, back to 1/1/2019), that ask you:
- To show all the Personal Information (PI) of theirs that you hold
- To show the categories of that shared PI
- To show the usage by category for the previous 12 months
- To show the uses of that data by category
- To delete the PI
- To provide all the PI to them in a usable format
How will you satisfy these requests? Operationally, it will be a challenge.
You can’t show the data you shared, disclosed, or sold, or the categories and usage of that data throughout 2019, unless you’ve rewritten your 3rd party contracts to require those parties to cooperate.
CCPA requires planning now. It will take time to become compliant, and the risks are large.
CCPA requires new policies, procedures, disclosures, 3rd party agreements, data mapping and preparation for compliance. Data mapping is the process of identifying and classifying all the data collected: its source, its purpose for each potential user, how it is processed and transmitted, and where it is stored. This has become much harder. PI is expanded under CCPA to “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” PI includes online identifiers, IP addresses, email addresses, biometrics, preferences and purchases of products and services, images, browsing history, educational or FERPA information, employment information, and profiling information that is derived or based on inference.
CCPA Creates Significant Risk from fines and statutory damages for the Unprepared Business
- CCPA penalties have no cap. CCPA creates significant penalties for not being compliant, including for a breach, defined by CCPA as the “unauthorized access and exfiltration, theft or disclosure” of consumer data
- Demonstrating reasonable and appropriate behavior will require understanding and having security and privacy controls in place, following best practices and standards such as NIST, CSC Top 20, ISO 27001 and ISO 27701
- Penalties are from $2,500 to $7,500 per independent violation
- Each consumer right or PI that is violated under CCPA is considered an independent violation
- A 20,000-record CA prospect list that wasn’t properly processed or was breached can lead to a fine from $50,000,000 – $150,000,000 (the average size of a data breach in the US is >25,000 records)
- Due to the broader definition of PI under CCPA, many companies have significantly more records and more PI data than they realize
- In addition to fines, CCPA authorizes a limited private right of action for consumers whose personal information is subject to unauthorized disclosure. CA individuals can obtain the greater of actual damages or statutory damages between $100 and $750 per violation
- Proxies, activists, lawyers can represent groups of consumers; expect lots of class action suits
- A class action suit for statutory damages due to a breach of 20,000 CA prospects could be $2,000,000 – $15,000,000 without proving actual damages to the consumers
Must You Comply?
Yes, if you are a for-profit business that collects and processes PI of California residents, households, or devices (regardless of the state or country of that business), does business in California, and meets one of the following three criteria:
- Generate annual gross revenue > $25 million
- Receive or share data of > 50,000 California residents annually
- Derive at least 50 percent of annual revenue from selling California residents’ PI (under the new PI definition, which is quite broad)
Summary of Key New Consumer Rights:
- Right of the consumer to request disclosure of all the consumer’s PI held by the organization: the categories of information and associated information, the source of the information, how each category of information is used, the third parties you have “sold”/shared the data with, and how they have used it
- Businesses must disclose and deliver the required information within 45 days of receipt of a verifiable consumer request
- Right to be informed that PI is being disclosed or sold
- Right to opt-out of the sale of PI
- Right of deletion – The business must delete a consumer’s PI from its records after receiving a verifiable consumer request to do so, and it must have contractual agreements that require any service providers it has shared PI with to do the same
- Right to look back – when a consumer makes a verifiable request for access to their PI, organizations are required to provide records covering the 12-month period preceding the date of the request
- This means that your organization should already be maintaining accurate records of consumers’ PI starting from January 1, 2019, since CCPA goes into effect January 1, 2020
Wake-Up Call – Why We Are Focusing on Risks and Costs
Since 1972 the California Constitution has given each citizen an “inalienable right” to pursue and obtain privacy. However, it had no teeth. CCPA is a privacy law with big teeth, and a commitment to take a bite out of businesses not protecting their residents’ data. It’s the first of its kind in the US. Hundreds of thousands of companies will be affected, and most are not ready.
The net of all this is that organizations doing business in California should have already begun to prepare. If you would like to learn more or could use assistance, we and our legal team would be glad to help.