Will there be any changes to the CCPA before it goes into effect on Jan 1, 2020?
Potentially — the CCPA has already been amended since it was passed, and the Office of the California Attorney General is expected to issue implementing regulations this fall. Additionally, a dozen bills that would amend the CCPA recently passed through the California State Assembly. Next, these bills will be reviewed by the California State Senate. So, odds are good that more changes are to come.
Any amendments the Senate reviews and passes will go to the California Governor’s office where they’ll either be signed into law or vetoed.
Who does CCPA apply to?
The CCPA applies to for-profit businesses doing business in California that collect personal information of California consumers and for which any of the following is true:
- Annual gross revenues over $25 million.
- Annually buys, receives, sells, or shares the personal information of 50,000 or more California consumers, households, or devices.
- Derives at least 50% of annual revenue from selling California consumers’ personal information.
What are the consumer rights conferred by the CCPA?
The CCPA provides the following rights to consumers:
- The right to know what personal information has been collected.
- The right to know whether that information has been disclosed or sold.
- The right to say “no” to the sale of their information (also called “opt out”).
- The right to request deletion of their personal information.
- The right to access their personal information.
- The right to equal service/price when people exercise their privacy rights.
Are there any exceptions or exemptions to the CCPA?
The CCPA could be preempted by a federal law. It does not apply to the following information:
- Protected or health-related information collected by a covered entity governed by California’s Confidentiality of Medical Information Act, as well as information governed by HIPAA. (Although this exemption is not as broad as it seems, since any “personal information” that isn’t PHI is still subject to CCPA).
- The sale of personal information to or from a consumer reporting agency, where that information is used to generate a consumer report and its use is limited by the federal Fair Credit Reporting Act (FCRA).
- Information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (GLBA), to the extent the CCPA conflicts with that act.
- Information collected, processed, sold, or disclosed pursuant to the federal Driver’s Privacy Protection Act (DPPA), to the extent the CCPA conflicts with that act.
Some of the proposed amendments, if passed, would also create additional exceptions and exemptions for businesses. Some of these include:
- Exempting employees from the definition of a “consumer”
- Providing personal information to a government agency solely for the purposes of carrying out a government program
- Selling personal information of consumers who have opted out of sale to prevent fraudulent or illegal activity
- Excluding “publicly available information” from the definition of personal information
- Removing de-identified or aggregated data from the definition of personal information
Does GDPR compliance cover CCPA compliance?
No. While work done to comply with the GDPR can be leveraged for CCPA compliance, the CCPA is not interchangeable with the EU’s data protection regulation. The two laws differ in scope, definitions, and obligations, and compliance with one does not equate to compliance with the other.
How do I achieve compliance?
While we await additional clarification from the Office of the California Attorney General, we recommend focusing efforts around the following proactive measures:
- Audit, analysis, and assessment – map existing processes and data against CCPA requirements to scope the impact of changes and identify stakeholders.
- Awareness – drive alignment around the resources and technology, such as a consent management platform, needed to address required changes.
- Designed future state – create a detailed blueprint for compliance.
- Operationalization model – transform the blueprint into actionable workstreams, to remediate gaps and implement new processes, policies, and tools.
- Ongoing governance – ensure compliance is monitored and enforced by reviewing all data sources and performing privacy impact assessments, as well as amending contracts as needed.
What if my site or app does not comply with the CCPA?
A business that intentionally violates the CCPA is subject to a civil penalty of up to $7,500 per violation; for other violations, the maximum is $2,500 per violation. Separately, the CCPA gives consumers a private right of action when a breach of unencrypted or unredacted personal information results from the business’s failure to implement and maintain reasonable security procedures: consumers may recover statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater.
My company aggregates data from other sources and we have no control over the policies/sites of our data providers; what are our options?
You will need to review your service agreements with data providers and ensure that they are CCPA compliant. You should ask for evidence (such as screenshots and URLs) from your source providers during the privacy review process to ensure that they collect, process, and share personal data in a compliant manner.
What other privacy regulations are being considered inside the United States?
The CCPA will be one of the most comprehensive state privacy laws, but approximately ten other states, including Hawaii, Maryland, New York, and Washington, are currently considering bills modeled on it, and Maine recently passed one. Because many of these proposals track the CCPA closely, brands and publishers should consider prioritizing CCPA compliance first, given California’s outsize population.
If each of these state laws passes, marketers will need to maintain compliance in every jurisdiction in which they operate. As additional states create their own privacy laws, compliance becomes increasingly difficult, underscoring the need for preemptive federal legislation.
What are some of the outstanding questions for the Attorney General regarding CCPA?
Does the definition of personal information include household-level information in addition to individual-level information?
Does the definition of personal information include probabilistic identifiers?
How should consumers make a request for access or opt-out?
Should companies use a recognizable and uniform opt-out logo or button to promote consumer awareness of the opportunity to opt-out of the sale of personal information?
How should notices be written and presented on a company website or app?
How will a business determine that a request received from a consumer is verifiable? How will the handling of such requests be governed?
Reference attorney general updates here.