Understanding Compliance: California Consumer Privacy Act
In effect since Jan. 1, 2020, the California Consumer Privacy Act and the penalties it describes become enforceable today, July 1. This comes after many had called for delaying the enforcement deadline because of the COVID-19 pandemic's adverse impact on businesses.
However, this official beginning of enforcement has been further complicated by the ongoing nature of amendments to the law that are still being evaluated in committee by California's Legislature. Additionally, in May, the lobbyists behind CCPA successfully landed the California Privacy Rights Act, which expands many of the protections codified in the original law, on the November ballot.
So although CCPA enforcement is now underway, the CCPA itself and California privacy law as a whole are still a work in progress. To help your organization sift through all of this developing information, we've compiled some key terms and concepts to provide a CCPA overview that will serve as an introduction to U.S. privacy regulations.
CCPA Compliance: Penalties for Noncompliance
Now that the grace period is officially over and enforcement has begun, expect fines to be levied against noncompliant entities. If a business fails to remedy a violation within 45 days of being notified of noncompliance, the California Attorney General may impose a maximum of $7,500 per violation for intentional violations and $2,500 for violations deemed unintentional. If a breach occurs, any affected consumer may pursue action to recover damages of $100 to $750 per incident or actual damages, whichever is greater.
CCPA Overview: Who Must Comply?
The CCPA applies to entities that do business in California, collect the personal information of California residents, determine the purpose and means of processing that data, and meet at least one of the following criteria: have an annual gross revenue greater than $25 million; receive or share the personal information of 50,000 or more California consumers, households, or devices; or derive at least 50 percent of their annual revenue from selling consumers’ personal information.
Although these criteria are fairly straightforward, it’s worth noting the reference to the personal information of California “consumers, households, or devices.” This is a much broader definition of personal information than we have seen in other privacy and data protection regulations, and it potentially makes the 50,000 threshold fairly easy for an organization to cross.
Begin Your CCPA Compliance Process Now
If your business meets the criteria described above, it’s important to have a CCPA compliance plan. Although the CCPA is not quite as intensive as the European Union’s General Data Protection Regulation (GDPR)—it doesn’t require the appointment of a data protection officer (DPO) or the conducting of data protection impact assessments (DPIAs) for example—it is similar enough to the GDPR to suggest that undertaking and implementing a CCPA compliance effort will take considerable time and resources. The good news is that if your organization has undertaken steps to comply with the GDPR, much of that effort will also be applicable to the CCPA. Alternatively, if you have ignored the GDPR up until now, the CCPA should serve as a warning that the ongoing global rise in privacy regulation is now beginning to permeate the United States.
CCPA Overview: Perform an Individual Rights Gap Analysis
One of the GDPR compliance obligations organizations have most struggled to meet is the requirement to appropriately respond to the rights exercised by individuals with regard to their personal information. Many of the rights granted to California residents under the CCPA are similar to those afforded EU citizens under the GDPR, and the ability to comply with requests related to those rights can require significant modifications to your business’s processes and systems.
For example, under the CCPA, a consumer has the right to request access to the information a business may have about that individual. The business must provide that consumer with details about the collection, sale, and sharing of his or her personal information within 45 days. If the request for access was made electronically, the business must provide the data in a portable and “readily useable format.”
Similarly, consumers can request that a business delete their personal data. There are certain exceptions under which a business can deny the request—such as the performance of a contract—but if one of the exceptions does not apply, then the business must be prepared to honor the consumer’s request. The sooner you can identify the systems that are involved in responding to these consumer requests and the impact honoring the requests will have on your business, the sooner you can identify gaps in your current processes and procedures.
CCPA Overview: Update Your Privacy Notice
If you have a privacy notice on your website (and you should), the CCPA requires all businesses that are subject to the law to include a description of California consumer privacy rights on that page, as well as a “clear and conspicuous link” titled “Do Not Sell My Personal Information” that gives the consumer or their representative the ability to opt out of the sale of the consumer’s personal information. The consumer must be able to understand their rights and know how to exercise them, and must be informed of the categories of personal information the business is collecting, selling, or sharing. These requirements are similar to those in the GDPR requiring “concise, transparent, intelligible and easily accessible” communication with data subjects, but the requirements under the CCPA are specific enough that updates to your privacy notice will be required for compliance.
One interesting option provided by the CCPA is that a business may maintain a separate webpage dedicated to California consumers that includes the required link and text, rather than updating existing pages, provided the business “takes reasonable steps” to direct California residents to the dedicated page. This is a feasible option at the moment, but as additional states follow California’s lead and implement data protection laws of their own, maintaining a state-specific page for each state's privacy regulation is likely to become unwieldy.
CCPA Overview: Create or Update Existing Data Maps
Although it’s not specifically called out in the CCPA, you should have inventories of the personal information your business collects on consumers, as well as maps showing how the data is processed and stored. You can’t effectively respond to requests by California residents to access or delete their personal information if you don’t know what systems contain the data. Additionally, you can’t effectively protect what you don’t know you have.
CCPA Overview: Take a Data-Centric Approach to Security
One of the goals of the CCPA, along with the GDPR and other privacy regulations, is to ensure that individuals' personal information is adequately protected. The CCPA specifically allows California consumers to pursue legal action against companies in the event of “unauthorized access and exfiltration, theft, or disclosure of a consumer’s nonencrypted or nonredacted personal information.” Consequently, one of the first steps you should take is simply to minimize the amount of personal information your business collects and stores. The second step you should consider is deidentifying the remaining personal data as much as possible.
The CCPA encourages organizations to deidentify the personal information they collect. Like the GDPR, the CCPA makes specific references to pseudonymization as a deidentification technique. In fact, the definition of pseudonymization in the CCPA closely resembles the GDPR definition:
“Pseudonymize” or “Pseudonymization” means the processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable consumer.
Stated another way, pseudonymization is the replacement of sensitive or identifying data with mathematically unrelated values such as a pseudonym or token. Pseudonymization can be performed in such a way as to maintain much if not all the business utility of the data, while protecting the data from unauthorized access, disclosure, or compromise in the event of a breach.
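The following is an added illustration of the pseudonymization pattern described above, in Python; it is not code from the original article or from any vendor product. It assumes a small constructed order dataset with `name` and `email` as the identifying fields, replaces those values with random tokens, and keeps the token-to-identity mapping in a separate `PseudonymVault` object that stands in for the "additional information kept separately" in the CCPA definition. Because the same identifier always maps to the same token, per-customer analysis still works on the pseudonymized records, yet nothing in them reveals who the customer is without the vault. The `erase` method is a design choice added here, not something the article specifies: it shows how a deletion request of the kind discussed earlier can be honored by removing the vault entry, after which the remaining tokens can no longer be tied back to the consumer.

```python
import secrets
from collections import defaultdict

# Assumption: these columns are the direct identifiers to be pseudonymized.
IDENTIFYING_FIELDS = ("name", "email")


class PseudonymVault:
    """The 'additional information' in the CCPA definition: the only place a token
    can be turned back into an identity. It is held apart from the pseudonymized
    dataset and would live under stricter access controls in a real deployment."""

    def __init__(self):
        self._to_token = {}   # (field, value) -> token
        self._to_value = {}   # token -> (field, value)

    def tokenize(self, field, value):
        # Reuse the token for a value already seen so joins and counts still work;
        # otherwise draw a random token that is mathematically unrelated to the value.
        key = (field, value)
        token = self._to_token.get(key)
        if token is None:
            token = secrets.token_hex(8)
            self._to_token[key] = token
            self._to_value[token] = key
        return token

    def reidentify(self, token):
        """Return the original value for a token, or None if no mapping exists."""
        entry = self._to_value.get(token)
        return entry[1] if entry else None

    def erase(self, field, value):
        """Drop the mapping for one identifier (e.g. to honor a deletion request).
        Returns True if a mapping was removed."""
        token = self._to_token.pop((field, value), None)
        if token is None:
            return False
        del self._to_value[token]
        return True


def pseudonymize(records, vault, fields=IDENTIFYING_FIELDS):
    """Copy each record, replacing identifying fields with tokens from the vault."""
    out = []
    for rec in records:
        clean = dict(rec)
        for f in fields:
            if f in clean:
                clean[f] = vault.tokenize(f, clean[f])
        out.append(clean)
    return out


def spend_per_customer(pseudo_records):
    """Business utility preserved: aggregate spend by (tokenized) customer."""
    totals = defaultdict(float)
    for rec in pseudo_records:
        totals[rec["email"]] += rec["amount"]
    return dict(totals)


def contains_identifiers(pseudo_records, originals, fields=IDENTIFYING_FIELDS):
    """True if any original identifier value still appears in the pseudonymized data."""
    known = {r[f] for r in originals for f in fields if f in r}
    return any(r[f] in known for r in pseudo_records for f in fields if f in r)


# Constructed sample data (not from the article).
SAMPLE_ORDERS = [
    {"name": "Alice Example", "email": "alice@example.com", "zip": "94105", "amount": 40.0},
    {"name": "Bob Sample", "email": "bob@example.net", "zip": "90210", "amount": 15.5},
    {"name": "Alice Example", "email": "alice@example.com", "zip": "94105", "amount": 10.0},
]

if __name__ == "__main__":
    vault = PseudonymVault()
    pseudo = pseudonymize(SAMPLE_ORDERS, vault)
    print("pseudonymized:", pseudo)
    print("spend per customer token:", spend_per_customer(pseudo))
    alice_token = pseudo[0]["email"]
    print("vault lookup:", vault.reidentify(alice_token))
    vault.erase("email", "alice@example.com")
    print("after erase:", vault.reidentify(alice_token))
```

The dataset used for analytics carries only tokens plus the non-identifying columns, so a breach of that dataset alone exposes no names or e-mail addresses; the vault is the asset that needs the tightest access controls and logging.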
Now is the Time to Act
Enforcement is underway, so now is the time to ensure your organization is compliant. One of the best places to start is by securing the personal data your organization holds. Utilizing a technology like pseudonymization will allow you to protect the sensitive data in your organization while meeting your compliance obligations under laws in multiple jurisdictions.