TRC INC.

TECHNOLOGY RISK & COMPLIANCE
CCPA: Chapter 1 – Introduction

Effective January 1, 2020, California’s Consumer Privacy Act (“CCPA”) represents a significant change in data privacy rights for California consumers. CCPA also spells out several legal obligations for specific businesses that collect, store, sell, or share personal information about California consumers.

KEY POINTS FOR BUSINESS LEADERS:

The following summarizes the key points business leaders need in order to understand the law and help their organizations take preparatory steps toward CCPA compliance.

CCPA HIGH-LEVEL OVERVIEW – CALIFORNIA CONSUMER RIGHTS:

CCPA provides California consumers several rights related to their data privacy beginning January 1, 2020:

The right to … know what personal information about them is being collected

The right to … know whether their personal information is sold or disclosed and to whom

The right to … “Say No” (opt-out) to the sale or sharing of their personal information

The right to … access and disclosure of personal information stored about them

The right to … request deletion of personal data stored about them

The right to … equal service and price, even if they exercise their privacy rights


PRIVATE RIGHT OF ACTION:

CCPA also provides California consumers a private right of action if a consumer’s personal information is subject to a breach of unauthorized access, theft, or disclosure because a business failed to meet its obligation to implement and maintain “reasonable security procedures & practices.”


DEFINITION OF A CONSUMER:

How does CCPA define California Consumers? California consumers are defined broadly as any California resident, including those persons temporarily located outside of California (e.g., those away for military service or college).


DEFINITION OF PERSONAL INFORMATION:

How does CCPA define personal information? Data covered by the new privacy law is focused heavily on personal information. CCPA broadly describes personal information as anything that includes, identifies, describes, is capable of being associated with, or could reasonably be linked (directly or indirectly) with a specific California consumer or household. Drilling in a little further, we find CCPA explicitly describes the following categories as examples of personal information:


Identifiers (e.g., name, address, email, phone, social security number, driver’s license)


Select Customer Records Information (e.g., credit cards, bank accounts, insurance accounts)


Legally Protected Characteristics


Commercial Purchasing Information


Biometric Information


Internet or Network Activity (e.g., browser history, search history, cookie tracking)


Geolocation (e.g., latitude, longitude, coordinates, related location information)


Information Related to the Senses (e.g., audio, visual, olfactory)


Employment Information


Education Information


Inferences drawn from the data listed above to profile a consumer


EXCLUSIONS:

There are some exclusions from the definition of personal information. One such exclusion pertains to aggregate or de-identified consumer information, which is not in scope for CCPA compliance. Additionally, any publicly available information, defined as information made available lawfully by local, state, or federal government records, is not in scope for CCPA. Another key and significant exclusion pertains to information that is subject to pre-existing regulations (e.g., HIPAA, FCRA, GLBA).


IMPACTED BUSINESSES:

Is your business impacted? At a high level, CCPA applies to any business that collects, obtains, or stores information about California consumers and meets one of the following conditions:

Has gross annual revenues in excess of $25 million (USD $25,000,000.00), or …

Buys, collects, obtains, or stores personal information of 50,000 or more consumers, households, or devices annually, or …

Derives 50% or more of its annual revenues from selling or sharing consumers’ personal information

If any of the three conditions (above) match your organization’s revenue, information-collection, use, or storage profile, then your organization is likely expected to comply with CCPA.

CONTACT TRC INC. FOR HELP WITH COMPLYING WITH CCPA
If you need help assessing CCPA’s impact on your business, contact us at
Article source: GS Strategic Partner

CCPA: Chapter 2 – Business Challenges, Obligations, & Penalties

Conservative estimates indicate that California’s new data privacy law, CCPA, impacts 500,000 or more businesses across the United States. While many consumer-privacy advocates herald CCPA as another good step toward maturing organizations’ use and protection of personally identifiable information, most impacted companies are not prepared to comply with the specific obligations set forth by CCPA.

Relatedly, several business surveys conducted in 2019 indicate that many businesses are still not prepared for CCPA compliance. Perhaps most surprising, some companies reported they were not aware of California’s new data privacy law, nor did they understand how or whether CCPA obligations apply to their business.


That said, many organizations are very aware of the cybersecurity risks associated with managing business systems, networks, and data centers that hold consumer information. To mitigate that risk, many organizations staff internal IT and information security teams, contract with outside firms for these specialized skills and services, or use some combination of the two.


Even so, most organizations do not employ staff whose skill sets and capabilities are heavily focused on tracking data use, data management, and privacy or compliance related to information governance regulations. CCPA presents challenges for organizations in this latter category, which they need to face head-on or run the risk of failing to meet CCPA compliance and facing fines and penalties.


BUSINESS OBLIGATIONS: CONSUMER PRIVACY COMPLIANCE & LEGAL RISK REDUCTION

Chapter 1 provided an overview of the rights CCPA provides California consumers and conditions that determine if CCPA applies to a particular business. In the brief below, we shift focus to key obligations business leaders need to understand to help their organizations prepare to comply with CCPA. Please note, the outline below is not a complete list of CCPA obligations, but is a good high-level list to help leadership teams think about the wide-ranging touch points and data systems in-scope across their business landscape. Key business obligations and accountability related to CCPA include:


Obligation to … Post a “Do not sell my personal information” link on the business website homepage. The link should be easy to see and access, and should allow a consumer to opt out of the sale of their personal information. Note: (Cal. Civ. Code § 1798.135)


Obligation to … Make two or more designated methods available for a consumer to submit requests for information required to be disclosed. Specific examples cited include the business website homepage (if the business maintains an internet website) and, at a minimum, a toll-free telephone number a consumer can call. Note: (Cal. Civ. Code § 1798.130(a)(1))


Obligation to … Implement procedures to obtain parental or guardian consent for minors under 13 years, and the affirmative consent of minors between 13 and 16 years, before sharing their data. Note: (Cal. Civ. Code § 1798.120(d))


Obligation to … Update privacy policies with newly required information, including a description of California residents’ rights. Note: (Cal. Civ. Code § 1798.135(a)(2))


Obligation to … Avoid requesting opt-in consent for 12 months after a California resident opts out. Note: (Cal. Civ. Code § 1798.135(a)(5))

Obligation to … Implement and maintain reasonable security procedures and practices appropriate to protect personal information. Note: (Cal. Civ. Code § 1798.150(a))


Worth noting, any consumer whose personal information is subject to unauthorized access, theft, or disclosure as a result of a business’s failure to implement and maintain “reasonable security procedures & practices” may pursue civil actions and penalties.


For CCPA purposes, “business” is defined to include numerous business entities such as: a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity organized or operated for the profit or financial benefit of its shareholders or other owners.


Nonprofits will generally not fall into this definition, except where a nonprofit is owned or controlled by a for-profit business that is subject to CCPA. In that case, if the business itself is required to comply with CCPA, then the nonprofit would also need to comply.


BUSINESS PENALTIES: FINES FOR NON-COMPLIANCE

Organizations undecided about whether they should take steps to prepare for or comply with CCPA should review their business insurance coverage and consider the ramifications of not complying and later being determined to be subject to the law.


Of concern to all businesses facing CCPA compliance – any company that violates CCPA can face injunctions and penalties of not more than $2,500 for each violation, and not more than $7,500 for each intentional violation, in an action brought by the California Attorney General.


Worth noting, aspects of CCPA describe violations at the individual consumer level. Specifically, each consumer record that fails CCPA compliance counts as a violation. Businesses discovered to have violated a CCPA obligation are given 30 days after receiving written notice of noncompliance to cure the infraction before facing liability.


Different from GDPR, CCPA provides individual consumers a private right of action. This entitlement becomes applicable when a covered business does not meet its duty to implement and maintain reasonable safeguards. This failure includes failing to protect nonencrypted or nonredacted personal information from:

Unauthorized access

Exfiltration

Theft

Disclosure


That private action includes statutory damages of not less than one hundred dollars ($100) and not greater than seven hundred and fifty dollars ($750) per consumer, per incident, or actual damages, whichever is greater.


Article source: GS Strategic Partner