Just when you thought you were compliant for anything that could be thrown your way with GDPR, California turned up the heat with their own California Consumer Privacy Act (CCPA) that goes into effect January 1, 2020.
Don’t have time to read everything but need to know the highlights?
Here are the three major goals of CCPA:[1]
-
Consumers will have the right to know what information large corporations are collecting about them.
-
Consumers will have the right to tell your business not to share or sell their personal information.
-
Consumers will have the right to protections against businesses which do not uphold the value of their privacy.
Now let’s take a deeper dive.
Does CCPA Apply to You?
The first thing to do is figure out if the CCPA even applies to your business. This can be done by answering a few questions.
-
Do ALL of the following apply to your organization?
-
For-profit business
-
Does business in California
-
Collects or processes consumers' personal information
-
-
Does ONE of the following apply to your organization?
- Annual gross revenues in excess of twenty-five million dollars ($25,000,000)
- Annually buy, sell, receive, or share personal information of 50,000 or more consumers, households, or devices
- Derives 50 percent or more of annual revenues from selling consumers' personal information.
If your company finds both questions to be true, then read on. Otherwise, your anxiety level may needlessly skyrocket.
How Does CCPA Compare to GDPR?
The second question people ask is, “How does this compare to the General Data Protection Regulation (GDPR) and if I’m already compliant with that, do I need to worry about CCPA?”
A lot of this sounds similar to GDPR, but there are more differences than just processing personal data based on geographic location. PwC (PricewaterhouseCoopers) created a comparison chart of key requirements to help you better understand the differences.[2]
Before we move on, let’s clarify the difference between processed vs. collected.
-
Personal Data Processed: refers to any operations performed on specific personal data. Common types of personal data processing include collecting, recording, organizing, structuring, storing, modifying, consulting, using, publishing, erasing, and even destroying data.[3]
-
Personal Data Collected: means buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means.[4]
As you can see, GDPR’s scope and territorial reach are much broader. CCPA focuses more on the right of the consumer to opt-out, including the sale of their personal information to third parties. In contrast, GDPR focuses only on opting-out of the processing of data for marketing purposes.
How Do I Make Sure My Business Is CCPA Compliant?
Determine What Data Is Being Collected and What It’s Being Used For
“Personal Information” is broad and can mean anything that identifies, describes, relates to, or could reasonably be linked, directly or indirectly to a particular consumer or household (See section 140-o for the 11 categories). These could be traditional identifiers such as name, address and email, but also commercial information, biometric information, or even employee-related information.
Excluded from this definition is “Aggregate Consumer Information.” This is defined as data not linked or reasonably linkable to any consumer or household (including via a device), and information that is publicly available from federal, state, or local government records.
What does this mean for my organization? Organize data you actually process and use and make it easy to export upon request. Then delete data that you don’t process or use. By having a clean database, you’ll have an easier time promptly finding the information you need.
Revise Website and Privacy Policy
Your website is about gaining the interest and trust of your visitors. Businesses must disclose, at or before the point of collection, in their website privacy policy or otherwise, the following:
Right to Know
The categories of personal information to be collected about the consumer and purposes for which the personal information will be used. The categories of consumers’ personal information that was actually collected in the preceding 12 months and sold or disclosed for business purposes in the preceding 12 months.
Right to Be Forgotten
Companies must inform consumers of their right to be forgotten (CCPA does not state how consumers should be informed of this right, but having instructions in the privacy policy would be an easy way to show compliance). You could also have a link on the homepage that links to the section in the privacy policy informing them how to be removed.
Right to Opt-Out of Sale of Personal Information to Third Parties
To comply with the right to opt-out, a business must describe the right and include instructions on how to opt-out in the company’s privacy policy.
If there is a possibility that their personal information may be sold, then businesses must post a “Conspicuous Link” on its website’s home page titled “Do Not Sell My Personal Information,” and describe the right with a link to that page in the privacy policy.
Create a Process
Consumers have a “Right to Access” and the “Right to Portability” of their personal information that is collected within 45 days, free of charge, by mail or electronically. Consumers have a right to make such requests twice in a 12-month period.
Identify an individual that will be responsible for responding to consumer requests for access and portability of their information in a readily useable format (which is a format that is commonly used (ex: excel, .csv, .pdf, or word document) as well as deleting consumer data.
Businesses must make available two or more designated methods for the consumer to request this information, including, at a minimum, a toll-free number and website address.
In response to these requests, the business must disclose:
-
Categories of personal information being collected
- Categories of sources from which personal information is collected
- Business or commercial purpose for collecting or selling personal information
- Categories of third parties with whom personal information is shared
- Specific pieces of personal information the business has collected
-
Categories of consumer's personal information collected in 12 month preceding the verifiable request
Create and maintain a robust incident response plan that documents actions taken in case of legal action taken against your business.
Review Existing Third-Party Agreements
Businesses can share personal information with third parties or service providers for business purpose. But there is a caveat. Businesses can only do this as long as there is a written contract prohibiting the third party or service provider from selling that personal information or “retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract.”
Review existing agreements and ensure that contracts limit third parties’ and service providers’ use of personal information as strictly as the CCPA prescribes and revise as needed. Without a CCPA-compliant service provider agreement, the disclosure of personal information to a vendor may constitute a sale of personal information that triggers the consumer’s opt-out right.
TL;DR
CCPA focuses on targeting larger companies and holding them accountable for the security of consumers’ personal information with the goal that fewer data breaches will occur in the future. Many B2B companies need to re-evaluate their process and data collecting techniques of their consumers’ personal information anyways. This forces your organization to create good processes and workflows to be more responsible marketers to your potential clients.
To help you further, we created a CCPA compliant checklist that you can print off to remind you of things you need to be thinking through before January 2020 comes.
[1] – About the California Consumer Privacy Act (https://www.caprivacy.org/about)
[2] – Your readiness roadmap for the California Consumer Privacy Act (https://www.pwc.com/us/en/services/consulting/cybersecurity/california-consumer-privacy-act.html)
[3] – Processing Definition (https://www.atinternet.com/en/glossary/processing/)
[4] – California Consumer Privacy Act of 2018 – (https://iapp.org/resources/article/california-consumer-privacy-act-of-2018/)
