June 21, 2019
Introduction
Have you already completed an assessment and determined that your company needs to comply with the CCPA? (If not, click here for a free CCPA Applicability Quiz.) Still unsure what that means you actually need to do? The CCPA requires organizations to take specific steps to handle and protect the Personal Information (PI) of California residents. There are also ancillary steps companies should take that are not explicitly required by the CCPA but will be necessary to effectuate the processes needed to establish CCPA compliance.
The CCPA comes to us in the wake of Europe’s landmark General Data Protection Regulation (GDPR), which implemented the Privacy by Design (PbD) approach. Privacy by design (PbD) is the idea that organizations should proactively embed privacy into the design and operation during every stage of creation of products, services, and business practice systems. While the CCPA does not specifically adopt PbD, it does follow some PbD principles, including: (1) proactive, not reactive (requiring companies to create privacy notices and build security protocols); privacy as the default setting (not for all but for children); full lifecycle, end-to-end security; visibility and transparency (informing consumers upfront what is being collected and allowing them to ask why); and respect for user privacy. Complying with the CCPA may be burdensome, but it does gives companies an opportunity to think about how their approach to data, whether they use PbD or another method, impacts their efficiency, consumer relationships, and regulatory compliance.
Know Your DATA
Your organization should begin mapping where and how the Personal Information of California residents is collected, stored, transmitted, and sold. The CCPA requires that organizations be able to find, and in some cases delete, specific pieces of Personal Information. To do that, organizations need to know where they’ve stored the PI of California residents. The CCPA also requires them to know who they’ve shared the PI with and for what purpose.
Data mapping is not an explicit requirement of the CCPA. However, in order to create a robust request management system for responding to consumers’ CCPA data requests, data mapping is one of the unwritten requirements that the CCPA imposes.
In addition to being a necessary step for achieving CCPA compliance, data maps will also enable your company to get a true vision of what data you have and how you are, or are not, using it. Many companies are finding that they have Personal Information they do not need or use, thus exposing themselves to unnecessary security risks, which are heightened by the fines the CCPA imposes for security breaches.
Bringing multiple stakeholders in your organization together, from IT to marketing to legal, to learn your data and evaluate its uses may provide unanticipated value and build new opportunities for efficiencies.
Know Your VENDORS
Knowing your data is closely linked to knowing your vendors, who may or may not qualify as service providers under the CCPA. Service Providers and Third Parties are defined differently and, more importantly, sharing consumer Personal Information with them is treated differently under the CCPA.
Your organization should start reviewing contracts with organizations and individuals with whom your organization shares Personal Information to ensure they contain CCPA-required terms. In some cases, your organization may need to renegotiate your existing contracts.
Moving forward, your organization should plan to include CCPA-required terms in any new contracts that involve PI. Companies must know who all of their service providers are in order to implement those new contract terms and to be able to identify which entities are third parties as opposed to service providers under the CCPA.
If you do not have the proper contracts with your Service Providers, they may be treated as Third Parties under the CCPA. In those situations, information you share with them would be treated as a sale and come under additional regulations, including the requirement that you allow consumers to opt out of your sharing of information with those vendors. For that reason, it is in your company’s interest to ensure that your contracts with service providers qualify them as such under the CCPA’s definitions.
To learn more about what SixFifty has done to help companies automate contracts and other CCPA-required documents, click here.
Know Your CONSUMERS
Your organization should have a system to collect. track, and respond to requests from California residents to access or delete their Personal Information. It should also be able to track the names of customers who do not want your organization to sell their Personal Information. The CCPA allows California residents to request that organizations (1) grant them access to their data and the purposes for which it is collected, (2) delete their data, and (3) not sell their data.
Companies must provide at least two ways for consumers to make these requests: over the phone and via their websites. Companies have 45 days to respond to each request under the law. This deadline, however, can be extended up to 90 days in some circumstances. The law requires companies to be able to provide data going back to the prior 12 months. After a consumer opts out, a business cannot sell the consumer’s information without the consumer’s express written consent. Companies cannot ask for that consent for 12 months after the consumer opts out.
Businesses are obligated to honor these requests with some exceptions. Knowing your Consumers and your Data will enable you to set in place controls for when requests should and need not be fulfilled. For example, if you collect information that is required to fulfill a contract with a consumer, and that consumer requests that you delete her data, you are not required to delete that required information since you are engaged in an ongoing contract/transaction.
Request management is therefore an ongoing requirement that must be tracked in order to ensure compliance. To learn more about what SixFifty has done to help companies manage their consumer requests, click here.
Know Your POLICIES
The CCPA requires that a business must disclose the following information to California residents before the company collects their personal information:
- What personal information your company collects;
- Who your company collects the personal information from;
- Why your company collects the personal information;
- Who your company shares the personal information with;
- What categories of personal information your company sells;
- What categories of personal information your company otherwise shares with others;
- What rights consumers have under the CCPA; and
- Who consumers should contact about their rights under the CCPA.
To meet this obligation, your organization should have a privacy notice on its website. The notice must explain (1) what personal Information the organization collects, (2) who the organizations collects that data from, (3) the purpose for collecting that data, and (4) who the organization shares that data with or sells data to. The notice must also disclose the rights of California consumers under CCPA, including the right to opt out of the sale of personal information. The CCPA requires that organizations disclose this information online. The privacy notice must be accessible from your organization’s homepage.
Your organization should also have internal policies and procedures for your employees regarding CCPA requirements. If your organization is investigated, your policies and procedures may help demonstrate your efforts to meet CCPA requirements.
To learn more about how SixFifty can help your business draft a privacy policy disclosure and other CCPA- under the CCPA policies, click here.
Know your EMPLOYEES
Your organization should inform its employees about CCPA requirements and provide privacy training. Training should take place before the CCPA becomes effective and be updated at least annually. More updating will likely be needed at the beginning of the implementation process since we have received clear indicators from the California Attorney General’s office that rulemaking may continue after the CCPA effective date of January 1, 2020.
Under the CCPA, companies should have a policy of training anyone in their organization who is involved in (1) compliance with the CCPA, (2) the privacy practices of the company, and (3) handling consumer requests. CCPA training should teach employees how to handle consumers’ Personal Information according to the requirements of the law, particularly regarding responding to consumer requests under the CCPA.
To learn more about what SixFifty has done to help companies train their employees, click here.
What Are the Penalties for Noncompliance
Penalties under the CCPA be divided into two categories: (1) regulatory violations and (2) data breaches. Lawsuits for violations of the CCPA can be brought by the Attorney General or consumers in civil actions.
A company can be penalized up to $2,500 for each violation of the CCPA, with that amount increasing to $7,500 for each’ intentional’ violation. An intentional violation includes any action that a company knows that it should take under the law, but chooses not to. Some experts have speculated that violations will be determined on a per-capita basis the way California’s Supreme Court has counted violations in other cases. Under this theory, if a business ignores the disclosure requirements under the CCPA, the California Attorney General could impose a $7,500 fine for each consumer that visited the company’s website–a potentially staggering amount. Facebook has approximately 24.6 million California users; if it were found to have violated the CCPA, it could face a rough maximum penalty of $61.6 billion for an unintentional CCPA violation and $184.7 billion for an intentional one. The Attorney General is expected to give further clarification on this point.
Under the CCPA, if a company did not employ “reasonable” security measures to protect personal information, a company can be penalized $750 per record lost or actual damages (whichever is greater) in a data breach.
*** Multiple amendments are being considered by the California legislature, so be sure to check our blog regularly for legislative updates.***
DISCLAIMER: This publication has been prepared by SixFifty, LLC to provide information of interest to our readers regarding the California Consumer Privacy Act. It is not intended to provide legal advice for a specific situation or to create an attorney-client relationship. SixFifty, LLC does not provide legal advice.
