Compliance can’t be done in a vacuum. It requires cross-team coordination and collaboration, according to Lubna Shirazi, former privacy counsel at LiveRamp. And while her advice can be considered evergreen, it’s particularly timely now given the impending California Consumer Privacy Act (CCPA), which goes into effect on Jan. 1, 2020.
Watch her RampUp NYC presentation covering the basics of the law, how it applies to different businesses, and a framework for compliance here:
If you don’t have 20 minutes to watch the video, here are a handful of key takeaways:
CCPA’s definition of PI is vast
CCPA’s definition of personal information (PI) spans anything that could be considered traditional personally identifiable information. This includes, but is not limited to, name, IP address, email address, social security number, driver’s license, browser history, and more.
Data subject rights are a key provision of CCPA
A key provision of CCPA is that it gives consumers more control over how information is processed, sold, etc. In essence, a consumer in California has the right to ask a business what information they have on them, and what has been done with that information. Further, companies must comply with access to information requests in 45 days.
The CCPA definition of “sale” is broad
Consumers have the right to opt out of the “sale” of their information. Keep in mind that “sale” doesn’t just mean monetary transactions, but rather an exchange of a consumer’s data for valuable consideration.
In the case of the CCPA, “sell,” “selling,” “sale,” or “sold” means selling, renting, disclosing, disseminating, making available, transferring, or communicating orally, in writing or otherwise. Counter to that, hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer’s intent to interact with a third party that could sell or exchange their data.
The law as it stands now isn’t final
Because the initial draft of the CCPA was written and passed quickly, there is room for clarification, which we now have as California Governor Gavin Newsom signed all five of the California Legislature’s September 2019 amendments to the CCPA into law on Oct. 11, 2019. This news came just a day after California Attorney General Xavier Becerra released proposed regulations implementing the CCPA, so there’s certainly more to come.
A framework for CCPA compliance
The complexities around CCPA go far beyond what we can capture here. Even so, Lubna summarizes what every business’s call-to-action should be in preparation of CCPA:
- Look at the types of information you collect. Know what information is coming in, why it’s coming in, what you do with it, who you are sending it to, and what is the purpose of sending it out.
- Design a system that gives consumers a way to easily communicate with you, and a way for you to respond back. This system should authenticate and honor data subject rights. Designate a toll-free number and a web address for this reason. If you’re an online-only company with direct consumer relationships, an email address instead of a toll-free number will suffice.
- Train employees who handle your access solution to ensure they’re providing the highest quality of oversight and customer service.
- If you’re a business providing information to a service provider, you’ll want a contract addendum in place that requires compliance across all parties.
- You’ll need an opt out button clearly displayed on your home page and anywhere else PI is collected. Consumers should be able to click on this button to navigate to their user preferences and control which data is or isn’t being shared. The opt out button should be titled, “Do Not Sell My Personal Information,” or “Do Not Sell My Info.”
- Review your security policies and make revisions for private right of action. Confirm you have a process to respond to AG notifications.
And finally, a bonus pro-tip: don’t forget to be kind to your legal counsel. Chances are, you’ll be working together very closely for the foreseeable future with more state-level regulation in the works. Collaboration will be key.
The information provided in this posting does not constitute legal advice. Please consult your legal counsel to obtain legal advice.