California Consumer Privacy Act: A Recap of CCPA Requirements and Tips for Compliance
The California Consumer Privacy Act (CCPA), a data privacy regulation set to be enforced in 2020, gives California residents the ability to see and control the personal data companies have, share, and sell. The CCPA started as a ballot initiative in early 2018 and was signed into law just a few months later in June. After first-round amendments were approved, the effective date remains January 1, 2020, while the enforcement date was pushed to July 1, 2020.
The original ballot initiative was first introduced by a California real estate developer named Alistair Mactaggart, who became concerned about privacy after overhearing a tech employee at a cocktail party discussing data collection. Meanwhile, the Facebook and Cambridge Analytica scandals were at the forefront of the public’s mind, and the General Data Protection Regulation (GDPR), a similar regulation to the CCPA, was looming near. Mactaggart shaped his ideas about privacy into the CCPA known today by focusing on three core concepts: transparency, control, and accountability.
The privacy ballot initiative for the CCPA received over 630,000 signatures, almost twice the number required to be included on the California election ballot. Based on this strong indicator that the initiative would pass, and because a passed initiative would take effect immediately without going through the usual legislative process, politicians made a deal with Mactaggart to pass a regulation based on the original ballot’s three principles of transparency, control, and accountability. The new ballot initiative had a later enforcement date and various other changes, such as less in-depth disclosures, while still providing consumers with fundamental rights. Thus, the California Consumer Privacy Act was developed and approved.
The act applies to any business that collects personal data on California residents and either has gross revenues over $25 million, shares the private information with other companies, or derives 50% or more of its revenue from the sale of personal information. Examples of protected information include name, driver’s license information, address, passport number, social security number, and email address. It’s important to note that the CCPA applies to any business regardless of location, as long as it has customers who reside in California.
There are several rights afforded to California residents as defined by the CCPA. Under the act, consumers have the right to know what information is collected about them under the “transparency” principle. They have the right to receive clear information regarding the categories of information a business collects. Furthermore, consumers have the right to know whether their personal information is sold or disclosed to other companies and who those companies are. When consumers make this type of request, organizations must provide information on any third party to whom the data was sold.
By compiling a data inventory and completing a data mapping exercise, organizations can respond to consumer requests more easily, because they have already mapped out where data comes from and where it flows. Businesses that do not yet have a personal data inventory or data map should prioritize mapping the personal data of California residents first. The data map must be reviewed continuously to ensure it stays up to date.
The consumer also has the right to opt-out of the sale of their personal information, giving the consumer more control over their data. Businesses are required to provide a “clear and conspicuous” link titled “Do Not Sell My Personal Information” on the homepage of their website.
To give consumers the most control, organizations should consider offering granular opt-down and opt-out options. This can be accomplished through a preference center. Once a consumer chooses to opt out or opt down, the organization must honor the request for a minimum of 12 months before asking the consumer again for permission to sell their personal data. Professional associations are seeking clarification on the opt-down approach, and the California AG will hopefully provide guidance on this practice and whether it will be allowed under the CCPA.
In addition, consumers have the right to access their personal information and to receive, free of charge, a copy of the personal data that is processed. The CCPA allows this information to be provided via email or electronically and gives consumers the option to transfer that information to another entity. The consumer can also request that their data be deleted from any profiles a business may hold on them.
Data inventory and data mapping exercises allow organizations to easily identify all systems that process the consumer’s personal data, ensuring that their rights are fully honored.
Organizations are prohibited from discriminating against consumers because they have exercised any of the rights listed above. Specifically, organizations cannot deny goods or services to the consumer, charge different prices for goods or services, impose penalties, provide a different level or quality of goods or services, or suggest that the consumer will receive a different price for the goods or services. However, the CCPA does allow a business to offer different levels of goods or services if the difference is equitable to the value lost by not being able to monetize the consumer’s data.
Businesses have 45 days to respond to consumer rights requests. If reasonably necessary, businesses can extend this timeframe by an additional 45 days but must notify the consumer of the extension within the initial 45-day period. Because of the strict timeframe for reviewing and responding to these requests, organizations should have a single centralized intake point to which all requests flow for review. Records should be retained indicating the day each request was received and the due date for the response.
It is recommended that organizations develop templated responses for each type of request to allow for easier and more consistent responses. As with most compliance-related issues, it will be up to the business to demonstrate that it responded to the request within the allotted time frame. Therefore, records should be retained documenting the actions taken, such as honoring the request, denying a request due to an exemption, or extending the response period.
It’s important to note that the CCPA does provide for certain processing activities that are exempt from the standard CCPA requirements. This means that the CCPA does not restrict the ability to:
- Comply with federal, state, or local laws
- Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities
- Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law
- Exercise or defend legal claims
- Collect, use, retain, sell, or disclose consumer information that is de-identified or aggregate consumer information.
- Collect or sell a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California.
Furthermore, the CCPA allows exemptions for personal data collection in certain situations. These include personal information protected under the Health Insurance Portability and Accountability Act (HIPAA), personal information collected by entities governed by the Confidentiality of Medical Information Act, and the sale of personal information to or from a consumer reporting agency if that information is used to generate a consumer report and its use is limited by the federal Fair Credit Reporting Act. There are also exemptions for personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act, or pursuant to the Driver’s Privacy Protection Act of 1994.
In a time when the internet is heavily integrated into society and personal information is easily accessible, the CCPA is a start to controlling uncharted territory, setting guidelines for both companies and consumers that were once nonexistent.