
How Will Implementation of the CCPA Affect Your Compliance Program?

Since the European Union’s General Data Protection Regulation (GDPR) came into effect, advocates for better consumer data privacy laws have been pushing for regulation of consumer data privacy laws globally. California has addressed this growing concern by enacting the California Consumer Privacy Act (CCPA). To date, the CCPA is the most dramatic U.S. state legislation related to consumer data privacy.

The CCPA went into effect on Jan. 1, 2020. It covers any company that does business in California and collects or stores personal information, and either (a) has at least $25 million in annual revenue; (b) has personal data of more than 50,000 people; or (c) gets more than half its annual revenue from selling consumers’ personal information.

The primary purpose of the CCPA is to provide “consumers” with protections and rights relating to the collection, sale, and disclosure of their personal data. A consumer is defined as a natural person who lives in California other than for transitory or visitor purposes, or a person domiciled in California who is temporarily out of the State. Some of the key elements of the CCPA parallel consumer rights and protections under the GDPR, which was the first large-scale effort by regulators, anywhere in the world, to enact rules related to consumer data privacy. While the CCPA’s jurisdiction is limited to personal information of California residents, it will have a significant impact because it applies to firms that may not be subject to the GDPR.

In other words, almost all large companies will be subject to the CCPA, and so will a vast range of smaller companies that collect, sell, or store personal data. The following are key considerations for compliance officers to review for CCPA compliance.

Understand the Scope of “Personal Data” Under the Law

An important part of CCPA compliance will simply be the ability to inventory all the personal data your business has collected. This implies close oversight of data collection processes and a clear understanding of who collects personal data on the company’s behalf and where that data is subsequently stored.

“Personal information” is defined in Sec. 1798.140(o)(1) as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

To further specify the types of data that fall under the category of “personal information,” Sec. 1789(o)(1)(A) – (K) of the CCPA lists several groups or categories of data that are considered personal information. The list covers a wide range of data that can be used to identify a person, including:

  • the person’s name
  • geolocation data
  • biometrics
  • IP addresses
  • professional or employment data
  • education data
  • and even inferences drawn from the collected data to create a profile of the person.

There are limitations to the broad scope of the definition of personal information, which depend on the context and type of information.

The term “doing business in California” is not specifically defined in the CCPA. However, according to the California Franchise Tax Board, doing business in California is active engagement “in any transaction for the purpose of financial or pecuniary gain or profit.” This compels entities that are not specifically registered to do business in California, but that collect, sell, or disclose personal information of California residents, to examine whether they fall under the scope of the CCPA.

It is important to note that all of the items listed above (inventory of personal data, collection of data, and storage of data), as well as the use of the personal data (sale versus non-sale), matter for effective compliance with the CCPA. Compliance departments should consider data mapping as a useful exercise in preparing for and complying with the CCPA.

Carve-outs and Exclusions

From a compliance perspective, it is critical to note that Section 1798.145 provides that complying with the CCPA should not be interpreted to “restrict a business’s ability to:

  • Comply with federal, state, or local laws
  • Comply with civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities
  • Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law
  • Exercise or defend legal claims
  • Collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information
  • Collect or sell a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California…”

The above carve-outs are helpful to businesses that have had to struggle with questions about conflicts between various laws when trying to implement compliance programs. For example, when the GDPR came into effect, companies had serious concerns about how to collect data used in anti-bribery and anti-money-laundering compliance efforts. However, because the language of the CCPA articulates that its provisions should not limit a business’s ability to follow other federal or state laws, businesses can arguably collect data pursuant to compliance with the FCPA and money laundering laws without violating the CCPA, subject to any future legislative changes or updates.

These provisions of the CCPA also provide a basis under which data can be shared with state authorities or be subject to enforcement action without heightened concern about whether taking such steps would violate consumer rights under the CCPA. When businesses rely on Section 1798.145, tracking and documenting the reason and steps for collecting and processing the relevant data becomes important.

Additionally, the CCPA excludes from its scope of application the collection and sharing of specific categories of personal information that are already protected or regulated under specific U.S. law. These include:

  • Medical information governed by the Confidentiality of Medical Information Act, or protected health information covered by the United States Department of Health and Human Services, the Health Insurance Portability and Accountability Act of 1996, and the Health Information Technology for Economic and Clinical Health Act
  • A provider of health care governed by the Confidentiality of Medical Information Act, or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services
  • Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects
  • Sale of personal information to or from a consumer reporting agency
  • Personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act, and implementing regulations, or the California Financial Information Privacy Act
  • Personal information collected, processed, sold, or disclosed pursuant to the Driver’s Privacy Protection Act of 1994
  • Publicly available personal information from federal, state, or local government records

Understand the Difference Between Third Parties and Service Providers

The CCPA defines service providers as “any person or business that receives personal data from another business as defined in a written contract and for a specific, stated purpose in that contract.”

For example, a law firm or accounting firm that receives personal data from a client is a service provider. Delivery services or market research firms would also be identified as service providers. In all these instances, the service provider obtains personal data for a specific reason (e.g. to write a brief, perform an audit, deliver a package, etc.), and cannot share or disclose that data except as outlined in the contract.

Note that a key differentiator between the CCPA and the GDPR is that the GDPR identifies firms that handle data on behalf of another business as “data processors,” which do have data protection duties under the law. Service providers under the CCPA, while subject to some considerations such as the right of access, do not have the same obligations as third parties.

However, a business must have a written contract with its service providers, and those contracts must include language stating that the provider will not share or retain any personal data beyond what is outlined in the contract.

Third parties, in contrast, are businesses that obtain personal data in any other way, such as by buying it from your business. The distinction is important because the CCPA imposes one set of duties between a company and its service providers, and another set between a company and its third parties.

Understand a Consumer’s Rights Under the CCPA

Since consumers own their personal data under the CCPA, they have certain rights to control how a company collects and uses it. Among them:

  • Right of notice, where a company must tell the consumer what types of personal data it will be collecting and for what purpose before the collection actually happens.
  • Right of access, where a consumer can demand to see what types of information have been collected about him or her, the reasons why it was collected, and the types of third parties with which the company shares that data.
  • Right to opt out, where a consumer can decline to allow the sale of his or her data to third parties. Minors have a right to opt in, but the default assumption for them is opt-out.
  • Right to request deletion, similar to the GDPR’s right to be forgotten, where consumers can ask that their data be deleted. The company typically must comply, unless the request falls within certain exceptions related to law enforcement, security, and a few other cases.
  • Right to equal service, which guarantees that the company will offer the same goods and services at the same price even if the consumer opts out of data collection or exercises any other CCPA rights.

Implement Your CCPA Compliance Plan

While enforcement activity under the CCPA has yet to be seen, compliance is crucial. There is a private right of action under the CCPA, and civil penalties of $2,500 for each violation and $7,500 for each intentional violation are provided in the Act. Individuals may bring actions for violations of security requirements and for data breaches, and the added cost to reputation and legal fees should drive companies to take CCPA compliance seriously.

It cannot be overemphasized that the key to successful implementation is detailed documentation and review. As indicated above, relying on exclusions or carve-outs will require a clear understanding of the use of the data.

Additionally, companies seeking to acquire or merge businesses will now have additional considerations. While prior due diligence checklists or questionnaires may have had data privacy compliance programs as a smaller subset of matters to consider, the question is now significant enough to change the dynamics of the deal.

The CCPA is the first serious U.S. legislative effort to provide consumers with specified data privacy rights. As with any legislation, an entity must closely examine the scope of the rights and obligations under the CCPA as well as the exceptions. Each right also carries its own time limitations and procedural requirements, which add complexity to compliance with the CCPA.

Author

Beth Gidez

Associate General Counsel & Data Protection Officer, Steele Compliance Solutions, Inc.


Opinions expressed by contributing authors are their own.