On June 28, 2018, California adopted what is considered the strictest general privacy and data security law (also known as AB 375) in the country. Called the California Consumer Privacy Act (CCPA), it will become effective on January 1, 2020. There will likely be changes to the final version prior to actual implementation.
What is CCPA, and why should I care?
The CCPA is the most comprehensive general data privacy bill of its kind to pass in the United States. There is significant focus in the bill about data that is sold, and it also highlights the increasing amounts of data that are collected and used in the digital economy. The bill covers all data, not just digital data.
Businesses are subject to civil action by the California Attorney General’s (AG) Office and could face a penalty of up to $7,500 per intentional violation or $2,500 per unintentional violation. There is also a private right of action if a California resident’s personal information is subject to unauthorized access, theft, or disclosure. If the AG’s office declines to bring an action, residents can bring their own action. In that situation, businesses could face paying between $100 and $750 per resident per incident, regardless of whether actual damages are shown. If there were 10,000 records at $750 per incident, that is $7.5M in fines! It will add up quickly.
Aside from the financial penalties, California residents are going to expect the companies they do business with to adhere to these laws. The bar for privacy and security will be raised higher, and it is important for companies to comply.
Who does CCPA apply to?
CCPA covers for-profit companies doing business in California that collect consumers’ personal information and meet one of the following criteria:
- exceed $25 million in gross revenue;
- buy or receive the personal information of 50,000 or more consumers, devices, or households; or
- derive 50% or more of their annual revenue from selling consumers’ personal information.
How it’s similar to (and different from) GDPR
In several sections, CCPA resembles the General Data Protection Regulation (GDPR), which began enforcement on May 25, 2018. Some are calling CCPA a “mini-GDPR,” but it is different from the GDPR.
Let’s review a few of the differences. Data processing is defined comparably as “any operations performed on personal data, automated or otherwise.” Under GDPR, data can be processed when there is a specific lawful basis. Under CCPA, companies will need to understand their specific data processing uses/bases. In addition, the sale of data is prohibited unless consent is obtained.
Both GDPR and CCPA cover individual rights and vary somewhat in the fine details. Under CCPA, the right to portability is wider. Each response to a consumer access request for collected data, if given electronically, must contain the data in a portable format, without the consumer having to specifically request this. CCPA is broader when it comes to the right to object (such as the right to object to the sale of personal information, or the right to opt in to the sale of minors’ personal information).
Under CCPA, prior to any sale of information to a third party, opt-in consent is required from consumers under age 16. Consumers between 13 and 16 years old can opt in for themselves. Businesses must obtain a parent or guardian’s affirmative authorization for consumers under the age of 13. Under GDPR, parental consent is required for those under the age of 16; member states can lower the threshold to 13.
What you need to know
Under CCPA, the definition of personal information is expanded and broadly defined. Personal information includes but is not limited to: geolocation data and inferences drawn from data, unique personal identifiers, browsing and search history, biometric data, professional or employment-related information, psychometric data, audio data, visual data, and IP addresses.
To comply with CCPA, it will be critical for companies to know what data they collect and where they store it. This ensures that privacy notices can be updated, contracts are appropriately written, and individual rights can be granted.
CCPA requires businesses to notify consumers about the type of data they collect, both in privacy policies and in response to specific requests. Consumers can opt out of their data being sold. CCPA requires companies to keep a record of all data sales for 12 months and to provide a “clear and conspicuous” link on their websites with a “Do Not Sell My Personal Information” call to action, so an individual may easily opt out. To honor a customer’s opt-out from data sales, IT teams must know exactly where the data is being held.
Other processes and systems may be impacted. For example, if your business collects data on individuals and sells that data, then you’ll need to review how old these individuals are, as well as which parties the data is being sold to. Marketing activities may be impacted if they rely on third parties that have purchased data. If any of this data moves through the organization via APIs or through a cloud vendor, it will be important to know which data flows and which vendors are involved. The customer support teams will also need to be familiar with these new privacy rules and be able to direct any inbound individual rights requests to the appropriate teams.
If a customer opts out of the sale of data, companies cannot discriminate against them by charging a different price or servicing them differently unless the difference is reasonably related to the value provided by the data. A company can still offer financial incentives to consumers to collect their personal data.
What this means for IT
Organizations can no longer have siloed data (or lack data management altogether). It is not only the IT team’s role to know what data is in what system. Any group using personal data will need to understand the flow of data in, through, and out of a company. The marketing team, for example, will need to take ownership and know how the data moves into its email service provider, its CRM, its CMP, or any other tools that it uses.
If departments share personal data through Slack or use collaboration tools like Dropbox or Google Drive, IT should ensure there is a strong policy on what types of data can be stored in those tools (and for how long — don’t forget about retention policies).
This is not a one-time exercise. It needs to become ingrained into the corporate culture and maintained on an ongoing basis. Being able to limit access to systems with personal data will be important for businesses. With more at risk, businesses will need to shore up their security activities.
Having a proactive dynamic security program will be important as CCPA provides a limited private right of action for violations and statutory damages, including for data breaches resulting from lack of reasonable security.
5 steps IT can take to prepare now
- Conduct a privacy assessment and document data processing activities for the data collected, used, disclosed and/or sold.
- Review your security tools and plans to minimize the risk of a data breach and the resulting fines.
- Identify all the impacted stakeholders including marketing (this will impact ad tech activity), IT, business development, and product development teams.
- Review if you need to make any changes to databases, systems, or even vendors to comply with the law.
- Evaluate your current processes to see if any changes are needed to meet the strict access request requirements. This may include building an online portal or opt-out webpages.