California Consumer Privacy Act: What You Need to Know
- Chris Achatz
- January 15, 2019
Learn what the law is, when you need to start implementing compliance measures, how it applies to businesses outside of California, and what operational documents will help you comply.
What is the CCPA?
The California Consumer Privacy Act (“CCPA”) is arguably the most significant data privacy law in the U.S. It creates substantial new privacy rights for consumers, comparable to the access, restriction, and erasure rights that European citizens enjoy under the EU General Data Protection Regulation (the “GDPR”). The CCPA’s definition of personal information and its cross-industry applicability go beyond what U.S. privacy laws typically cover. The CCPA will significantly impact data-driven businesses’ data practices, with new and burdensome compliance obligations regarding consumer data collection and use. Businesses that fall under the scope of the CCPA will need to start updating their data practices and procedures now in order to comply with certain CCPA disclosure requirements. Businesses that fail to comply with the CCPA may be subject to monetary penalties, regulatory enforcement actions, and private rights of action.
The CCPA comes on the heels of the GDPR, which became effective May 25, 2018. While the CCPA is a far cry from the GDPR, there are certain similarities. Many companies that made significant efforts to update their policies and procedures to prepare for the GDPR will be happy to discover that these efforts will contribute to their compliance with the CCPA.
When does the CCPA come into effect?
The CCPA became law on June 28, 2018 and takes effect on January 1, 2020. The act was drafted in record time, and as a result, it suffers from drafting errors and ambiguities. The California Attorney General, the primary enforcement body, must promulgate rules and procedures that will clarify the CCPA’s substantive requirements. Once the act takes effect, consumers will be able to request that a business disclose the specific pieces of personal information it has collected about them during the preceding twelve months (reaching back as early as January 1, 2019), whether that information was disclosed to a third party, and whether it was sold to a third party. Organizations therefore must not delay in considering the CCPA’s impact.
Does the CCPA apply to my company?
Companies, especially those that are outside of California or acting as service providers, may wonder if they are subject to the CCPA. The CCPA applies to a “business” as defined under the act. As a preliminary point, the CCPA only applies to companies operated for “profit or financial benefit.” If your company fits that description, you must consider whether your company collects personal information about California residents, determines the purposes and means of the processing, and does business in California.
Although the act uses “consumer” throughout, defined as a California resident, it does not limit where the consumer must be at the time of collection. The CCPA defines “personal information” broadly and extends its scope to both individuals and households, with limited exceptions for deidentified, aggregate, or pseudonymized information. There is an unresolved question as to what constitutes determining the “purposes and means of the processing” under the CCPA. Those acquainted with the GDPR will recognize this phrase from the definition of a controller. Similarly, the definition of a service provider under the CCPA corresponds to that of a processor under the GDPR.
If the above qualifications are met, the CCPA will apply if your business meets any one of three thresholds*:
(1) has annual gross revenues in excess of $25 million;
(2) annually buys, receives, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
(3) derives 50 percent or more of its annual revenue from selling consumers’ personal information.
*It is important to note that the first threshold relates only to the size of the company, whereas the second and third thresholds relate to how much personal information of California residents the company annually handles or sells, on a gross and a relative scale, respectively.
The CCPA only imposes obligations on a business and not on service providers directly. As defined under the CCPA, a “service provider” is a for-profit entity “that processes information on behalf of a business.” If your company does not meet the requirements above to qualify as a business, your company may still be subject to the vendor management obligations that a business is required to impose on its service providers. For example, a business that falls within the scope of the CCPA must require by contract that a service provider that is processing information on behalf of the business only retain, use, or disclose such personal information for the specific purpose of performing the services as specified in the contract.
What do I need to do?
If the CCPA applies to your business, there are a number of functional policies and procedures that can help your business comply with the law. As mentioned above, some of these updates are similar to the updates required under the GDPR, but each will need to be reviewed for its own unique CCPA-specific obligations. The new requirements can be bundled into three functional areas: (1) individual rights; (2) data security; and (3) vendor management.
- In order to meet the new CCPA data security obligations, you will likely want to review or update your written information security program (WISP) and incident response plan (IRP). While the CCPA does not strictly require these documents, the private right of action it grants after a data breach turns on whether the business implemented and maintained reasonable security procedures and practices, and having these documents in place and followed will help a business show that it did.
- In order to meet the new CCPA vendor management requirements, you will need to review your company’s agreements with service providers. For a business not to be considered as selling personal information when it discloses such information to a service provider for a specific business purpose, the service provider must be contractually obligated not to use that personal information except as necessary to perform the business purpose. A business must also be keenly aware of the additional compliance obligations placed on selling personal information, because a business may be held liable for the actions of its service providers if, at the time of disclosure, it knew or had reason to believe that the service provider intended to commit a violation.
Additionally, these policies and procedures will need to be reviewed against a backdrop of numerous other state and federal data privacy requirements, such as data breach notification laws, data security laws, and a host of other industry specific data privacy and security laws. These additional U.S. data privacy and security laws may impose further requirements and may also offer key exceptions to the applicability of the CCPA.
With less than twelve months to prepare and become compliant with the new law, businesses must make the CCPA a priority. Start by working with someone knowledgeable about the CCPA to determine how your organization, clients, and vendors are defined under the law, and then focus on the implications for your business.