The California Consumer Privacy Act (CCPA) is a new consumer protection and data privacy act. It enhances the privacy rights of residents of the state of California in the United States. The CCPA became effective on January 1, 2020, and enforcement is expected to begin July 1, 2020. The CCPA bears much similarity to the GDPR. It grants rights to Californian residents such as:
- Consumers have the right to be informed of the categories of personal data a business collects about them and to gain access to the personal data a business collects about them, twice a year, free of charge.
- Consumers have the right to sue for a data breach that results in the theft or unapproved disclosure of certain unencrypted or non-redacted personal data (if the company violated its duty to maintain reasonable security practices to protect the personal data).
Thus, organizations must disclose information about the collection, sale, and disclosure of personal information.
The CCPA will apply to for-profit businesses that collect and control California residents’ personal information, do business in the state of California, and meet at least one of the following thresholds:
- Annual gross revenues larger than $25 million
- Receive or disclose the personal information of 50,000 or more California residents, households, or devices each year
- Make 50 percent or greater annual revenue from selling California residents’ personal information
Non-profits, smaller companies that don’t meet the revenue threshold, companies that don’t traffic in large amounts of personal information from California residents, and companies that don’t share a brand with an affiliate covered by the CCPA won’t have to comply.
The CCPA does not cover every business. The law defines a “business” as a legal entity that collects consumers’ personal information, determines the purposes and means of processing consumers’ personal information, conducts business in the State of California, and satisfies one or more enumerated thresholds:
- Earns annual gross revenues in excess of $25,000,000;
- Buys, receives for commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices per year; or
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
Although the CCPA does not explicitly refer to “controllers” and “processors,” the terms Europe’s General Data Protection Regulation (GDPR) uses to distinguish entities by their decision-making power over the personal data they process, the act does define the term “service provider.” The CCPA defines “service provider” as a legal entity that “processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract.”
The CCPA defines “consumer” as “a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations…, however identified, including by any unique identifier.” According to the referenced state regulations, a California resident is any individual who is (1) “in the state of California for other than a temporary or transitory purpose,” or (2) “domiciled in the state” of California and “outside of the state for a temporary or transitory purpose.”
The CCPA defines “Personal Information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Importantly, because the CCPA defines household data as PI, that data may be protected under the CCPA even if it does not relate to a single individual.
The CCPA defines collection as “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means.” Collection includes both active and passive receipt of information from the consumer, as well as observations made about the consumer. This expansive definition of “collect” or “collection” encompasses information the business gathers itself as well as information provided to the business by other parties, including directly from the consumer.
Sale and Disclosure
A “sale” under the CCPA includes “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
Different levels of consent are needed for different situations under the CCPA. For example, consumers may opt out of consenting to the sale of their personal information by a business. Additionally, third parties that receive PI through a purchase must provide consumers with notice and an opportunity to opt out of further sales before selling that information.
- What personal data do we collect/store?
- Have we obtained it fairly? Do we have the necessary consent, and were the data subjects informed of the specific purpose for which we’ll use their data? Were we clear and unambiguous about that purpose, and were the data subjects informed of their right to withdraw consent at any time?
- Are we ensuring we aren’t holding data any longer than is necessary and we are keeping it up to date?
- Are we keeping personal data safe and secure using a level of security appropriate to the risk? Are we limiting access to ensure it is only being used for its intended purpose?
- Are we collecting or processing any special categories of personal data, such as sensitive personal data, children’s data, biometric or genetic data, etc.—and if so, are we meeting the standards to collect, process and store it?
- Have we implemented a policy of “data protection by design and default” to ensure we’re systematically considering the potential impact that a project or initiative might have on the privacy of individuals?
- Do we have procedures in place to handle requests from data subjects to modify, delete or access their personal data? Do these procedures comply with the rules under the CCPA?
- Do we have security notification procedures in place to ensure we meet, in a timely manner, our enhanced reporting obligations under the CCPA in case of a data breach?
- Are our staff trained in all areas of CCPA data privacy to ensure they handle data in a compliant manner?
- Do we review and audit the data we hold on a regular basis?
CCPA Compliance Roadmap
Preparation for CCPA
- Keep Records of Processing Activities (ROPA) as a best practice to help document and categorize data by age, origin, lineage and usage by third parties.
- Understand the value of data to your business by reviewing your business strategy. Discover, map and inventory data and relevant processing activities related to California residents.
- Explore and implement processes to address consumer requests, including requests to delete, access and opt out of the sale of their data under CCPA guidelines.
- Determine the most cost-effective approach for your privacy program by offering the same privacy options to all customers. Share straightforward procedures with consumers, whether standard or personalized to Californians, such as providing consumers the ability to opt out of the sale of their data (a provision that is still under legislative review).
- Use risk assessment in your organization so teams know the essential actions they need to take to be ready for the CCPA.