On January 1, 2020, all eyes will be on California. For most of us, the primary focus will be on the Rose Bowl game, but for businesses in the state, this is the day that CCPA goes into effect. However, studies show that only 55 percent of companies will be ready by that date, and another 25 percent hope to be compliant by July 1, when enforcement begins.
For businesses and consumers, there remains a lot of confusion around CCPA, particularly how it compares to GDPR, what is covered under CCPA and who must comply. To help you better understand the CCPA basics, we asked four data privacy experts to answer some of the most common questions about the new law: Peter McClelland, Esq., In-House Counsel for Threat Sketch; Tom Kelly, president and CEO of ID Experts; Salvatore Stolfo, Columbia University professor; and Thomas Jackson, litigation partner and Chair of the Technology Practice Group at Phillips Nizer. Please note that these responses are for informational purposes only and are not legal advice on the CCPA or other privacy laws.
Does the CCPA apply to everyone?
The CCPA has an extraterritorial reach. It applies to any for-profit entity (one organized or operated for the profit or financial benefit of its shareholders or other owners) that does business in California, collects personal information from California consumers (directly or through others on its behalf), determines the purposes and means of processing that information, and meets at least one of three thresholds, regardless of whether it has an office or any other physical presence in the state.
Who is a “California consumer”? Who can request data?
A California consumer is a natural person (not a company) who is a California resident. The statute borrows the definition from California’s tax regulations: an individual who is in the state for other than a temporary or transitory purpose, or an individual domiciled in California who is outside the state for a temporary or transitory purpose. In other words, California residents remain covered while they are traveling in other states or abroad.
Does it apply to businesses outside of California?
Yes. You do not need an office, employees, or any other presence in California. The CCPA applies to any business that meets the thresholds and does business with Californians, for example through a website. The business does not even have to be in the United States.
Does the CCPA apply to B2B? (in addition to B2C)
There is a one-year exemption for personal information obtained in business-to-business communications and transactions. Information obtained by a business through a communication or transaction with a California resident who is acting on behalf of another business, occurring “solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from” the other business, is exempt until January 1, 2021. The exemption is partial: it does not remove the consumer’s right to opt out of the sale of that information or the private right of action for data breaches.
What are the thresholds/requirements of CCPA?
The CCPA has three thresholds. A business falls within the scope of the statute if it meets at least one of them:
- Have in excess of $25 million in annual gross revenue or
- Annually buy, receive for commercial purposes, sell, or share for commercial purposes (alone or in combination) the personal information of 50,000 or more consumers, households or devices, or
- Derive 50 percent or more of their annual revenue from selling consumers’ personal information.
As a result, small businesses are largely exempt. Note, however, that a business does not need to collect information directly from California consumers to be covered: if consumer data is collected on its behalf by a service provider or other third party and one of the thresholds is met, the business falls under the statute. Note also that the 50,000 threshold counts devices as well as people, so a modest consumer-facing website that logs IP addresses or sets tracking cookies can cross it without ever taking a name.
If the company doesn’t meet those thresholds, does it still need to comply?
It may still need to comply as a matter of contract. For example, if a company has a contract with a business covered by the CCPA, that business may impose terms requiring the contracted company to be in compliance, or to act as a “service provider” bound by the CCPA’s restrictions on how it may use the data it receives.
What does a small business need to know about CCPA?
There are four main points that small businesses need to be familiar with. They are:
Selling consumer data: The CCPA focuses on consumer data and what a business can do with it, particularly if the business sells that data to others. “Sale” is defined broadly: disclosing personal information to another business or third party for monetary or other valuable consideration, not only for cash. Consumers have the right to opt out of the sale of their data, so businesses may need to tag which data can be shared and which cannot according to each consumer’s choice. Businesses that sell personal information must post a clear and conspicuous “Do Not Sell My Personal Information” link on their homepage that takes users to a page where they can opt out, and must honor an opt-out for at least 12 months before asking the consumer to opt back in.
Consumer Data Requests: On a verifiable request, a business must disclose the categories and specific pieces of personal information it has collected about the consumer over the preceding 12 months, the sources of that information, the business or commercial purpose for collecting or selling it, and the categories of third parties with whom it has shared the information. Businesses must offer at least two methods for submitting requests, including at minimum a toll-free telephone number and, if the business maintains a website, a web address. Consumers also have the right to request deletion of their data. The business has 45 days to respond to a request; this may be extended once by a further 45 days when reasonably necessary, provided the consumer is notified of the extension within the first 45 days.
Privacy Policies: Businesses must update their privacy policies (or include a California-specific section) to describe the rights afforded by the CCPA, the categories of personal information the business has collected, the business or commercial purposes for collecting it, and the categories of data sold or disclosed to others, if any. These disclosures must be refreshed at least every 12 months.
Minors: A business may not sell the personal information of a consumer it knows is under 16 without opt-in consent: affirmative authorization from a parent or guardian for children under 13, and from the minor themselves for those at least 13 and under 16. For minors, in other words, the default flips from opt-out to opt-in.
Does the CCPA apply to Financial Institutions?
Not as such, but the exemptions are narrower than they look: they are carved out by data, not by entity. Protected health information handled by providers and insurers under HIPAA, personal information collected, processed, sold or disclosed under the Gramm-Leach-Bliley Act by banks and other financial companies, and data regulated under the Fair Credit Reporting Act by credit reporting agencies (Equifax, TransUnion, etc.) fall outside the CCPA. Personal information the same institution collects outside those regimes, such as website visitor or marketing data, can still be covered, and the GLBA carve-out does not shield a financial institution from the CCPA’s private right of action for data breaches.
What about non-profit organizations? Must they comply with CCPA?
A business that is not for profit, such as a governmental or 501(c)(3) charitable organization, is exempt from the CCPA.
What happens if I don’t comply? Are there fines and penalties?
The California Attorney General’s office can seek civil penalties of up to $7,500 for each intentional violation and $2,500 for each other violation. The office must give notice of an alleged violation and allow a 30-day cure period before bringing an action. It can also seek an injunction against an offending business, which could significantly disrupt an active enterprise. Because penalties accrue per violation, a single non-compliant practice applied across many consumers can add up quickly.
If data is breached, the CCPA also gives consumers a private right of action, with statutory damages of $100 to $750 per consumer per incident (or actual damages, whichever is greater), but only where non-encrypted and non-redacted personal information was exposed because the business failed to implement and maintain reasonable security procedures and practices appropriate to the nature of the information. A consumer must give the business 30 days’ written notice before seeking statutory damages. This is the one part of the statute consumers can enforce directly, and it makes encryption of stored personal information and a documented, reasonable security program a direct liability control rather than a best practice.
If the data isn’t “sensitive” or PII, is it still subject to the law?
The CCPA governs consumers’ rights with regard to their “personal information,” which the statute defines far more broadly than traditional notions of “sensitive information” or “personally identifiable information”: any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked with a particular consumer or household. The statute’s own examples include IP addresses, cookie and device identifiers, browsing and search history, geolocation data, and inferences drawn from any of these to build a profile of the consumer.
If the data is anonymized or non-identifiable, does the regulation still apply?
Probably not. The statute expressly says it does not restrict the use of deidentified data. However, “deidentified” under the statute hinges on, among other things, the business having technical safeguards and business processes that prohibit reidentification, and processes to prevent inadvertent release of the data. As reidentification techniques advance, those safeguards may become harder to maintain, so deidentification should be treated as an ongoing control rather than a one-time transformation.
Do I need to stop sharing/selling/transferring data with other companies?
It depends on many factors. The statute is built on consumers’ rights, not blanket bans. Companies subject to the CCPA need to be able to honor the requests the statute empowers consumers to make, including the opt-out of sale, which means knowing which recipients receive which data.
Do I need to permanently delete data from everywhere if asked by a consumer?
With some narrow exceptions (for example, where the information is needed to complete the transaction the consumer requested, to detect security incidents, or to comply with a legal obligation), a company subject to the CCPA that receives a verifiable request to delete must delete the consumer’s personal information from its records and direct any service providers holding that information on its behalf to do the same.
What steps must I take to make it easy for consumers to request data deletion?
A company subject to CCPA must make available two or more designated methods for submitting such requests, including at minimum a toll-free telephone number and, for businesses that maintain a website, a website address.
How do I verify a consumer request?
The California Attorney General is tasked with adopting regulations on this no later than July 1, 2020. Until then the statute’s only guidance is that a request must be “verifiable,” so a business should not hand specific pieces of personal information to a requester whose identity it cannot match against the records it already holds; a weak verification process turns the access right into a data exfiltration channel.
I’m compliant with GDPR, do I need to do anything new for CCPA?
The CCPA and GDPR are similar in many ways, but there are several areas where the CCPA is more specific than the GDPR and others where the GDPR goes beyond the CCPA. Their scope also differs: the CCPA protects California consumers (individuals and households), whereas the GDPR protects individuals who are in the EU, regardless of their citizenship.
If I complied with the GDPR, then have I complied with the CCPA?
Not automatically. GDPR compliance covers much of the groundwork (knowing what personal information you hold and where it flows, and handling access and deletion requests), but the CCPA adds California-specific obligations such as the opt-out of sale and the “Do Not Sell My Personal Information” link, so a gap analysis against the CCPA is still needed.
How can companies prepare now?
It is late in the game to start preparing now, with less than a month to go. If your business is small, outsourcing the bulk of the compliance work may make the most sense. Also consider appointing a Data Privacy Officer to oversee compliance.
For most businesses, the greatest concern is the third-party problem. Under the CCPA you remain responsible for personal information that your partners and supply chain (and, where you share data with them, your customers) handle on your behalf, so you now have to establish whether they are in compliance. In practice that means a written contract with each service provider restricting how it may use the data, and a way to pass opt-out and deletion requests through to them.
Are there any upsides for companies in compliance – besides avoiding fines?
Yes. Companies who make a commitment to compliance are proactively protecting their brand’s reputation and strengthening customer trust.
“GDPR and CCPA are only the beginning,” said Stolfo. “We’re going to see more privacy regulations as a response to the ubiquity of data breaches. Privacy is top of mind for many consumers. They’re tired of excuses.”