The toughest data protection legislation in the United States applies to businesses everywhere. The CCPA protects the personal data of Californian consumers, wherever it is being processed. We explain how.
The California Consumer Privacy Act (CCPA) came into effect on Jan. 1, 2020, with enforcement starting on July 1, 2020. It provides certain rights to consumers regarding their personally identifiable information (PII). It places obligations on businesses to protect the personal data, to uphold the rights of the consumer regarding their data, and it places restrictions on what the business can do with the data.
It is known as the toughest data protection legislation in the United States. There are many parallels with the European Union's General Data Protection Regulation (GDPR). Significantly, just as the GDPR can apply to businesses outside Europe, the CCPA isn't restricted to businesses located within California. Both sets of regulations take a person-centric view: they protect the data and rights of the individual regardless of the location of the business that holds the data. That is, provided your business falls within the scope of the CCPA.
GDPR applies to all organizations. With the CCPA there are qualifying criteria, and if you match them you must comply with the Act. That's the case whether you're based in California, elsewhere in the United States, or anywhere else in the world. And the differences between the CCPA and the GDPR are large enough that a qualifying, GDPR-compliant business still has to take steps to comply with the CCPA, so qualifying European businesses don't get a free pass.
Which Businesses Are in Scope?
Before we can answer that we need to get some definitions out of the way.
Consumer means a natural person who is a California resident. They “consume” goods or services from businesses. It’s their PII that is being protected by the Act. The definition of personally identifiable information is wider under CCPA than it is under GDPR. It includes:
- A consumer's real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver's license number, passport number, or other similar unique identifiers.
- Commercial information including records of personal property, products or services purchased, obtained, or considered, and other purchase histories or trends. Considered means there was an interaction between the business and the consumer, but the consumer did not ultimately purchase the goods or services they considered buying. The act of shopping around can leave digital breadcrumbs almost as plentiful as if a purchase had been made.
- Biometric information, geolocational data, and electronic network activity information including—but not limited to—browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement.
- Professional, education, and employment-related information.
Business means an organization where all of the following are true:
- It is a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity, structured and run for the financial profit of its owners or shareholders. That is, it is a legally operating organization that is in business to make money.
- It either collects consumers’ personal data, or someone else collects it on the organization’s behalf.
- Either alone or with others, it defines the purposes and means of the processing of consumers’ personal data. That is, what data is gathered and how it will be processed.
- It does business in California.
Surprisingly, the phrase “does business in California” is not defined within the Act. However, it has been defined under California Corporate law to mean “entering into repeated and successive transactions of its business in this state, other than interstate or foreign commerce.”
Under California tax law it has been applied to companies doing business online without any physical presence in California. A company based outside California, with web servers hosted in a third state, that receives 50,000 web visitors from California residents may be in scope of the CCPA. And it need not be an e-commerce site. If the site tracks any visitor information about those consumers or pushes targeted advertising to them, that may be enough to nudge it into the "does business in California" category.
A business is within the scope of the CCPA if any of the following are true.
- It has annual gross revenues greater than USD 25,000,000.
- It buys or receives for commercial purposes, or sells or shares for commercial purposes, the personal data of 50,000 or more consumers, households, or devices annually. Devices are included because they are owned and used by a consumer and information about the device can be used to help identify the consumer.
- It derives 50 percent or more of its annual revenue from selling consumers’ personal data.
Transparency and Notices
Consumers have the right to request the following from a business:
- What personal data and the categories of data that the business holds about them.
- The sources from which the personal data was collected.
- The purposes behind collecting or selling personal data.
- Third parties that the personal data will be shared with. For example, if you were an insurance broker one category would be insurance companies.
- That their personal data is deleted by the business. This is only possible in some cases. There are nine exceptions, and the consumer must be told what they are. For example, if the consumer is in the middle of a contract with the business and has financial obligations towards it, the business has a legitimate interest to retain their personal data until their financial obligations to it are cleared.
- The categories of the consumer’s personal data that the business has sold.
- To whom the personal data was sold, by category, for each purchaser of the data.
- To whom the data was shared (not sold) for a business purpose. In our insurance broker example, this would be a list of the insurance companies that the consumer's personal data was shared with so that they could provide insurance quotes.
The consumer must also be informed that they have the right not to be discriminated against for exercising any of their rights under the CCPA. They must have access to the same prices, goods, and services as any other consumer.
You must provide two methods for consumers to submit requests or to exercise their rights, including a toll-free number. If your business operates exclusively online and has a direct relationship with the consumer, you don’t need to provide a toll-free number. Instead, you must provide an email address for submitting requests, and a means to submit requests through the website itself.
All businesses collect some information on their customers. Information gathered online has to be accompanied by notices. You need to inform the consumers of:
- The categories of personal data that will be collected.
- The purposes for which the categories of personal data will be used.
- The collection of any additional categories of information or other uses of the data that will take place after the initial disclosures have been made. In other words, if you’re going to collect more data using the data that has been provided, you must declare it in advance of the original data being collected. And likewise, if you’re going to do other types of processing once the extra data has been gathered, you must inform the consumer.
If you sell or otherwise disclose personal data, you must state what categories of personal data have been sold or shared in the last 12 months. If no personal data has been sold or shared, you need to state that fact.
Do Not Sell My Personal Information
You must provide a clear and conspicuous link on your website titled “Do Not Sell My Personal Information.” This must allow the user to register that they neither give their consent nor opt-in to the selling or sharing of their personal data. This link must be accessible without registering or creating an account on the website.
There are civil penalties of USD 2,500 per violation of the CCPA, or USD 7,500 for each subsequent violation, which is treated as a willful violation because you didn't fix the initial problem. Notably, the CCPA also allows private plaintiffs to bring a civil class-action lawsuit against the business to seek damages of between USD 100 and USD 750 per affected consumer, or actual damages, whichever is greater.
Consumer Data Requests
When a consumer wants to exercise a right that gives them access to their personal data, you must respond within 45 days of receiving a "verifiable request." This means the request must be recorded somewhere, and you must make sure that the consumer who made the request really is that consumer. If you send the details of person A to person B, you've just made a non-compliant disclosure.
If the request is unusually complex or you are handling a large number of requests, you can extend the 45 days by another 90 days. If you do, you must inform the consumer within the first 45-day period and give them the reasons for the extension.
You need to supply the data for the previous 12-month period from the date of receipt of the request. The data must be returned in a “readily usable format” such as PDF or in printed form. You can’t expect the consumer to obtain the same type of software you use for processing just to load in their data to see it. They must be able to send the information they receive from you to anyone they like, and everyone should be able to open and read the document “without hindrance.”
The data must be “in writing.” So if the data is encoded—you might store dates as Julian day numbers—it must be rendered back into words and dates.
You can return the data through the consumer's account with the business, by mail, or by email, at the consumer's choice.
And after all that, you cannot charge for handling data requests.
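The request-handling rules described above, worked through as an added Python example that is not part of the original article: the 45-day deadline, the single 90-day extension, the 12-month lookback window, and rendering an encoded date (a Julian Day Number, as the text supposes) back into a readable date. The record store, its field names, and the sample values are constructed for illustration.

```python
from datetime import date, timedelta

RESPONSE_DAYS = 45   # respond within 45 days of receiving a verifiable request
EXTENSION_DAYS = 90  # one extension; the consumer must be told within the first 45 days

def response_deadlines(received_iso: str) -> dict:
    """Deadlines (ISO dates) counted from the day the verifiable request was received."""
    initial = date.fromisoformat(received_iso) + timedelta(days=RESPONSE_DAYS)
    return {
        "initial_deadline": initial.isoformat(),  # also the last day to notify an extension
        "extended_deadline": (initial + timedelta(days=EXTENSION_DAYS)).isoformat(),
    }

def lookback_start(received: date) -> date:
    """First day of the 12-month disclosure window that ends on the request date."""
    try:
        return received.replace(year=received.year - 1)
    except ValueError:  # request received on Feb 29: the previous year has no Feb 29
        return received.replace(year=received.year - 1, day=28)

def jdn_to_date(jdn: int) -> date:
    """Render a Julian Day Number as a Gregorian date (Fliegel and Van Flandern algorithm)."""
    x = jdn + 68569
    n = 4 * x // 146097
    x = x - (146097 * n + 3) // 4
    i = 4000 * (x + 1) // 1461001
    x = x - 1461 * i // 4 + 31
    j = 80 * x // 2447
    day = x - 2447 * j // 80
    x = j // 11
    month = j + 2 - 12 * x
    year = 100 * (n - 49) + i + x
    return date(year, month, day)

# Constructed sample store (hypothetical): collection dates are kept as Julian Day Numbers.
SAMPLE_RECORDS = [
    {"category": "commercial", "value": "auto policy quote considered", "collected_jdn": 2459000},
    {"category": "network activity", "value": "viewed /pricing page", "collected_jdn": 2458700},
    {"category": "identifier", "value": "email address on file", "collected_jdn": 2458500},
]

def build_disclosure(records: list, received_iso: str) -> list:
    """Keep records from the 12 months before the request and render their dates in writing."""
    received = date.fromisoformat(received_iso)
    start = lookback_start(received)
    rendered = [(rec, jdn_to_date(rec["collected_jdn"])) for rec in records]
    return [{"category": rec["category"], "value": rec["value"], "collected": d.isoformat()}
            for rec, d in rendered if start <= d <= received]
```

For a request received on 2020-07-01 the helper keeps the two records collected on 2020-05-30 and 2019-08-04 and drops the one from 2019-01-16, which falls outside the 12-month window.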
How To Prepare
That might seem bewildering, and it was just the highlights. There’s a lot packed into the CCPA. Where do you start?
Unless you have done one recently, the first thing you must do is a data mapping exercise. These are also called data landscaping exercises. You need to identify and document the scope of, and the purpose behind, your data collection and processing activities. That includes:
- Precisely, what personal information do you collect?
- How is that information being used in the business?
- Where is that information stored?
- What are the workflows that move personal data around your business, and out to partners?
- Who do you share the personal data with, and why?
- What internal policies do you have in place governing the use and safeguarding of personal data? Are they still sufficient?
Without knowing why you collect personal data, what data you collect, and in which systems it is stored, you will find it very difficult to protect the personal data and to respond to data access requests or data deletion requests. But if you have a documented set of locations for each type of data, and a procedure that guides a staff member through the data gathering process, a data access request becomes manageable rather than onerous.
If the process can be automated or partially automated, so much the better. Of course, before you can think about automation you still need to know the why, what, and where of your personal data processing.
Review Your Technical Safeguards
Data protection legislation shies away from listing the particular types of protection you must use to safeguard personal data. Any solutions they stipulate can become outdated, and what is right for one business to implement will not be appropriate for another. But the personal data must be sufficiently protected. Make sure these standard precautions are in place:
- Data in transit: This can be handled using SSL/TLS, VPNs, and other solutions that secure the connections between endpoints.
- Data at rest: Ensure databases and any other silos of personal data on your networks are protected, encrypted if possible, and have access restricted according to staff roles. Minimize the creation of ad hoc spreadsheets that contain personal data: they are hard to police and easy to miss when answering data access and deletion requests.
- Network security: Adopt as many of the standard security best practices as you can, proportional to the amount of personal data you hold, your perceived risk, and your budget.
- Email security: Most malware attacks start with an email. As well as technical solutions remember that your employees are the ones on the front line opening the email. Don’t forget staff cyber security awareness training. Some email services such as Microsoft 365 deliver email in a way that is secure in transit and at rest.
Fulfill Communication Responsibilities
Add the required notices at every point on your website where personal data is gathered, and make them as clear and conspicuous as the "Do Not Sell My Personal Information" link.
Document how you are going to verify that a consumer really is that consumer when you receive data access or deletion requests. What evidence do you need to obtain, how will you request it, and what communication will be sent to the consumer to request it?
Review Your Partners
Businesses that you share data with can get you into trouble too if they fall foul of the CCPA.
You need to consider Data Protection Agreements, or Data Protection Addendums to existing contracts, or very stringent due diligence on other businesses that you share personal data with.
Seek Professional Help
This article is not a substitute for professional legal advice, nor does it create an attorney-client relationship, nor is it a solicitation to offer legal advice. The Devil’s in the detail—as always—and businesses can have any mixture of use-cases.
Seek appropriate professional guidance if you do not have the appropriate skillset in-house to interpret the Act.