Preparing for the California Consumer Privacy Act
Following the enactment of the European Union’s General Data Protection Regulation (GDPR) in May 2018 and numerous global incidents involving the mismanagement of personal data, the California State legislature passed the California Consumer Privacy Act of 2018 (CCPA), which places safeguards on how businesses manage the personal data of California residents, and gives individuals more rights and control over how their data is collected, used and sold.
With yet another major jurisdiction passing a sweeping data protection and privacy law, businesses must take steps to prepare. This article provides an overview of the CCPA and suggestions for preparing to comply with this regulation.
The CCPA applies to all commercial businesses that collect, process and control California residents’ personal data, do business in California and meet at least one of the following additional requirements:
- Annual revenue of US$ 25 million or more
- Sale or sharing, for commercial purposes, of the personal data of 50,000 or more consumers, residents or devices
- Earning 50 percent or more of their annual revenues from selling consumers’ personal data
The law empowers California residents with the rights to:
- Request deletion of personal information.
- Know what personal information is being collected about them.
- Know whether their personal information is sold or disclosed and to whom.
- Say no to the sale of personal information.
- Access their personal information.
- Receive equal service and price, even if they exercise their privacy rights.
The new law will also “prohibit a business from selling the personal information of a consumer under 16 years of age, unless affirmatively authorised”.
Businesses are required to be CCPA-compliant or risk monetary liability or civil action. According to the Legislative Counsel Digest published on the California Legislative Information website, one of the contentious issues surrounding the legislation is the broad definition of “personal information”, which could include: personal identifiers, web browsing history, sleeping habits, biometric data, health information, financial information, exact geolocation information, psychometric data, facial recognition, employment history, social networks and inferences drawn from such information. For instance, a foreign or out-of-state business with a website accessed by Californians could be required to comply with the CCPA.
Since its passing in June 2018, the CCPA has garnered mixed reactions. While many California residents and privacy advocates welcome the proposed new law, companies of all types contend the new law will undermine their business models and ultimately impact their operations and revenues. Businesses headquartered in and around Silicon Valley, or which do business in or have a connection to California, could flex their commercial muscles and ensure that some of the provisions of the new legislation are dampened before it goes into effect on 1 January 2020 and becomes enforceable from 1 July 2020.
For instance, companies that collect and sell consumer data will likely oppose consumers’ right to request the deletion of their personal data. Data brokers collect personal data from public records, which they turn into “lists” and sell or provide access to for a fee. This means that if consumers are granted the right to have their data deleted by brokers, it will adversely affect the brokers’ business model and revenue sources.
What you can do to prepare
Businesses should consider the following actions to prepare for compliance with the CCPA:
- Reexamine your business model and check how your organisation interacts with California residents. You could be a major international online shopping hub, a social networking site, a search engine or an airline located outside California, but it is likely that your services will be accessed by Californians. You may be earning less than US$ 25 million in annual revenue or have fewer than 50,000 customers, but there is a chance that you will grow at some point. Assess these possibilities well in advance and remediate before impact.
- Once you have determined that the CCPA could apply to your organisation, you should bolster your data privacy compliance framework to manage the requirements of this regulation. Key steps include:
  - Understand your obligations – The CCPA has several key requirements, and one should not assume that its tenets are the same as the GDPR. For example, the CCPA requires businesses to provide California residents, upon request, with specific information such as what personal information the business intends to collect from them, where it is sourced, how it will be used and whether it has been sold or disclosed. It also requires giving them the ability to opt out of allowing a business to sell personal information to third parties, the right to have information deleted, and equal service even if a consumer exercises his or her rights to privacy under the law.
  - Understand data flows – Organisations need to be able to map out how data flows to and through the business. Practically speaking, this means understanding how personal information is gathered, held, and sold, and which stakeholders and functions are involved in these activities.
- You need to develop business processes to manage specific requests by California residents. For example, which groups within the organisation will receive and action requests from consumers to access or delete their data? How will the organisation provide notice of and execute on requests to opt out of sales and marketing of personal data to third parties? Businesses need to identify the departments and employees that will manage these actions, provide training, and monitor performance. On the digital side, your operations must include a robust “subscription centre” allowing people who have opted into your services to manage their preferences by communication type.
- When it comes to third parties and business partners, you should consider how these entities are taking steps to comply with the CCPA. Third parties such as suppliers of certain services, marketing agencies, advertising companies, and data analytics companies should be looked at more closely. For certain relationships, you should consider conducting background checks or due diligence to ensure these organisations have not had data privacy issues or incidents. In addition, you should consider sending a questionnaire to third parties and business partners to gather information on steps they are taking to comply with the CCPA.
The enactment of the CCPA could serve as a benchmark against which other U.S. states will look to pass their own state privacy laws. Scrutiny of how personal data is managed continues to gain importance as California regulations increase, allowing people to dial in what information they want and when. The far-reaching impact of the CCPA and GDPR demonstrates that governments are prioritising the protection of privacy rights and will expect businesses to prepare accordingly.