CCPA

What you need to know about CCPA Enforcement, now in effect

Kyle Schryver June 30, 2020
  • The final draft of the CCPA was submitted to the Office of Administrative Law (OAL), enforcement began on July 1st as scheduled by the Attorney General
  • Big name companies are at higher risk for early fines, particularly on issues easily understood by the public
  • Enforcement is likely to be focused on areas where there are clear violations, such as failure to update privacy policies, required CCPA disclosures, and direct complaints from consumers over Data Subject Requests (DSRs)

CCPA Enforcement Began July 1st

With the final draft regulations submitted for approval, enforcement of the CCPA has begun on July 1st. Whether you’re scrambling to comply, are curious about what will happen, or want to know how enforcement will take place, we’ve got you covered in this article.

Attorney General Becerra announced June 1st that the final proposed regulation of the CCPA was submitted to the California Office of Administrative Law (OAL). Consequently, the CCPA will become enforceable in the next 30-90 days – the complete process requires approval by the OAL and submission to the Secretary of State. AG Becerra has previously stated that he plans to begin enforcement promptly on July 1st, indicating a quick turnaround from the OAL. Companies should prepare for enforcement to begin as early as July 1st, as even if the date is extended, violations of the CCPA dating back to January 1st of 2020 will be liable to enforcement at a later date. The CCPA also has a 12 month lookback period corresponding to Data Subject Access Requests (DSARs), meaning businesses are required to provide data dating back a full year to the user who requested it.

Who is enforcing?

The California Attorney General’s office will be the primary source of enforcement. The AG is also in charge of providing guidance to businesses on their path to compliance. 

  • (a) Any business or third party may seek the opinion of the Attorney General for guidance on how to comply with the provisions of this title.

With enforcement in place, the Attorney General and his office have the ability to require payments for violations of the CCPA. Those not in compliance are liable for fines from $2,500 to $7,500 per violation.

Who should be the most concerned? Which companies?

The CCPA covers a wide variety of businesses. But will there be fines left and right starting in July? A recent study showed nearly one-third of those in charge of compliance at businesses (29%) say they have just started planning for CCPA.

Unchanged from the early drafts of the bill, the CCPA applies to businesses that meet any of the following thresholds:

  1. Has annual gross revenues in excess of twenty-five million dollars ($25,000,000)
  2. Annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices.
  3. Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

However when enforcement from the Attorney General begins, there won’t immediately be ample resources to audit and inspect every company that is covered by the law. The AG will have to select companies beginning in July to investigate and advise on compliance. Mike Hintze, Partner of Hintze Law PLLC – a leader in privacy and data protection law, policy, and strategy shared the following insights with us:

“Because the AG is an elected official, there is an obvious incentive to bring cases that will be politically advantageous, which makes it more likely the AG will go after big name companies on issues that are easily understood by the public. This too makes it less likely that the first cases will involve complex or nuanced issues under the new law.”

What do they care about enforcing the most?

“It seems likely that the AG will focus enforcement on areas where there are clear violations rather than areas where there is great ambiguity and ongoing debates about interpretation.  Likewise, the AG is more likely to focus initial enforcement on violations that are easy to discover and prove, such as failures to update privacy policies with the required CCPA disclosures.” – Mike Hintze

Key points from Mike are on privacy policies and required disclosures. In April, we provided 8 elite examples of privacy policies, what they do well, and how they’ve changed after the CCPA went into effect. Required disclosures cover a variety of data and metadata points including the following:

  • Categories of personal information of the consumer that have been collected.
  • Categories of sources used in collection.
  • The business or commercial purposes for collecting.
  • The categories of third parties with whom the personal information is “shared”.
  • The specific pieces of personal information that has been collected about that consumer.

Aside from checking privacy policies and CCPA disclosures, the Attorney General’s attention may be directed towards where consumers are loudest. When the GDPR went into effect in 2018, thousands of consumers submitted complaints to the ICO via mail, email, and twitter. For specific violations of the CCPA consumers have the ability to recover damages and also will be able to file complaints when companies fail to respond to Data Subject Requests (DSRs). If there is a data breach or any personal data is “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices”, consumers will have the ability to recover damages between $100-$750. These recovered amounts may prompt consumers to be more conscious of businesses that have their data, and lead them to track and report breaches of the CCPA.

In terms of consumer rights and greater control over personal data, consumers are granted the right to submit a data subject request (DSR), and businesses are required to respond if the consumer is a California resident. There are three main ways consumers can make a request about their privacy to a business:

  • Right to know
  • Right to delete
  • Right to opt-out (right to say no)

Right to know, or an “access request,” requires that companies provide an accessible way for users to access all of the categories of data a company collects, and the specific information the company collects, uses, or sells on them.

Right to delete, or a “deletion request,” requires that businesses provide a way for users to request that their data be deleted on record by the company and the company’s service providers. 

Both right to know and right to delete requests must be fulfilled within a 45-day time period. 

In terms of intake, the CCPA differentiates methods for Requests to Know and Requests to Delete based on the way a business interacts with its consumers:

  1. Requests to Know 
    • Businesses operating exclusively online are only required to provide an email address for data subjects to submit a Request to Know. 
    • Businesses with both an online presence and a storefront, should offer at least a toll-free number alongside another method of submission. 
  2. Requests to Delete
    • Requests to Delete are not differentiated per se by the nature of the business and should be available through at least two formats, such as a webform. 
  3. Requests to Opt Out
    • Methods to intake for Requests to Opt Out need to include at minimum an interactive form alongside with at least another medium of submission.

Additionally, businesses must implement a method to correctly verify a user making a request either through a password protected form if available, or a different method of verification. Learn how DataGrail handles this without passwords or additional information with Smart Verification.

Right to opt-out, or a “do not sell (DNS) request,” requires that businesses provide an accessible way for users to direct the company not to sell their personal data. This must be made available to users prior to the collection and sale of their data. 

What to expect when it comes to Data Subject Requests (DSRs)

“A month after GDPR went into effect, a Gartner survey showed that nearly a third of European consumers had exercised their new privacy rights, a much higher portion than expected.” – Vogue. If a similar trend is found for the CCPA, 13 million Californians will have already submitted requests, and once enforcement and litigation are available July 1st, more will come. 

Breakdown of Types of CCPA Requests in Q1 2020

DataGrail’s Early CCPA Trends Report revealed that deletion requests were the most popular requests (40%) in Q1 2020, followed by DNS (33%), and access requests (27%). 

In terms of the volume companies will be expected to handle, B2C companies should prepare for approximately 100 to 194 requests per million consumer records each year.

What is the official deadline?

July 1st is when enforcement can officially begin from the Attorney General’s Office. The CCPA officially went into effect on January 1st, 2020, making it legally required for businesses to comply with the regulation. There is also a 12-month look-back period that requires organizations to modify their data collection and inventory practices to be able to provide consumers with data and metadata dating back 12 months from requests.

Thus, businesses need to: 

  • Locate personal data collected from as early as January 1st, 2019
  • Be prepared to respond to consumer requests with historical data within 45 days
  • Create a sustainable process for inventorying and tracking personal data that will keep the data organized and ready to delete or extract for DSARs

What types of fines can companies expect? How will they be calculated?

The Proposed Regs’ final text provides the 8 different methods for calculating the value of personal data (999.337. Calculating the Value of Consumer Data). These include calculating marginal, average, or aggregate value to the business for the data sale, collection, or deletion, and other metrics such as revenue or expenses related to the data. Eric Goldman, Professor of Law at Santa Clara University and co-director of the High Tech Law Institute had an excellent post recently outlining these calculations and a details the positives, negatives, and implications of Data Value Calculation (DVC) Provisions.

Companies can expect fines to be rolled out based on the number of violations (per requirement or consumer) multiplied by the fine amount ($2,500 to $7,500 per violation and $100 to $750 if a consumer is recovering damages). Additional fines may be calculated by using the aforementioned methods of calculating the value of personal data. 

Conclusion

The CCPA may feel overwhelming. It has had many revisions and the timeline has been unclear. But we now know when enforcement begins – July 1st – and have a good idea as to what needs to be done to be in compliance. Remember that privacy and compliance are opportunities to win trust with consumers and present your brand as transparent.

Expect enforcement to be focused in the following ways:

  • On big name companies that have a high profile, or are in the news for privacy complaints
  • On clear violations of the CCPA, likely in the form of failure to update privacy policies, required CCPA disclosures, or consumer complaints over lacking response to or execution of Data Subject Requests

Trying to keep up with privacy regulation and industry news? Subscribe to the Weekly Grail to get insights on the latest in data privacy. 

Preparing for CCPA enforcement and handling complex privacy requests while in the office together is one thing. Tackling these challenges quickly and efficiently while WFH is another. Hear real stories of how privacy leaders rely on technology to keep their privacy program customer-focused and streamlined even during the global shift to WFH in our latest webinar: Privacy Management for Remote Teams.