The California Consumer Privacy Act (CCPA) officially went into effect on January 1, 2020. The CCPA is a broad law enacted in the State of California that applies to businesses inside and outside of the state, as well as internationally. In discussing the CCPA with many business owners in and out of California, I consistently get the sense that many feel the law is quite onerous and expensive, and that many do not know where to begin. In this article, I will offer some practical tips on how to think through complying with the CCPA.
What is CCPA?
CCPA creates new data privacy rights for California consumers, requiring businesses to tell them what personal information has been collected and how the business (or any third party) is using the information. Consumers can force businesses to delete their data or prohibit the business from sharing personal information with third parties.
Does CCPA apply to my business?
Much has been written about the CCPA and how to determine whether it applies to your business, so we will not spend too much time on it here. That said, it is important to understand the basics. The CCPA essentially applies to any for-profit entity doing business in California that collects, shares, or sells California consumers’ personal data, and:
- Has annual gross revenues in excess of $25 million; or
- Annually buys, receives, sells, or shares (alone or in combination) the personal information of 50,000 or more consumers, households, or devices; or
- Derives 50 percent or more of its annual revenue from selling consumers’ personal information.
If a business, therefore, handles personal data of California residents and meets any of the three criteria above, the CCPA likely applies to it. The CCPA also applies to any entity that controls, is controlled by, or shares common branding with a covered business, so its reach is broader still.
The “doing business in California” criterion is also likely an easy threshold to meet; it does not require a business to have a physical location or employees within the State of California.
While the CCPA has various exemptions (e.g. for data already governed by other privacy laws such as HIPAA or the Gramm-Leach-Bliley Act (GLBA)), these exemptions generally cover categories of data rather than the business as a whole, so they do not let a business avoid the CCPA entirely. Some data may be covered by HIPAA, for example, while other data collected by the same business remains subject to the CCPA.
The point is that the CCPA is broad-reaching and that, even if an exemption is available to your business, it is not a safe harbor, and businesses should have a plan to become compliant.
Practical Steps To Take Towards CCPA Compliance
Compliance Week estimates CCPA compliance costs will reach $55 billion, with small companies with fewer than 20 employees incurring initial costs around $50,000, midsize companies of 20-100 employees incurring initial costs of $100,000, and companies with 100-500 employees incurring an estimated initial cost of $450,000. Given the potential expense and time involved in compliance, it is important to stay focused when designing an effective and practical approach to data privacy and CCPA compliance.
1. Do not try to boil the ocean—focus as a team!
It is important to establish a committee or working group within your business that spans the major company functions, from legal and finance to IT and R&D. In an initial set of meetings, it is vital that all functions understand each other’s roles in safeguarding data and ensuring CCPA compliance.
A base-level awareness of (i) what data is collected, (ii) who the data was collected from, (iii) by whom (e.g. by third-party vendors?), and (iv) where the data is located can be critical in the early stages of designing an effective and compliant data privacy program. In many instances, it may be necessary to involve a third party to assist with data mapping exercises to answer these questions. This initial meeting (or meetings) does not have to solve every issue but should produce a workable road map toward compliance.
Once the types of data, the location of the data, and the purpose of retaining the data are understood, the group can turn its attention to developing a policy to ensure compliance with the CCPA. Note that the business may be subject to other jurisdictions’ privacy laws as well (e.g. the GDPR for Europe) and should consult legal counsel for this part of the analysis.
2. Look at your business’s third party contracts.
Businesses need to know how third parties collect and share consumer personal data as a result of their relationship with the business. To do this, a business needs to know what is in its agreements. This is not an easy task: simply reviewing contracts or a third party’s policies will not necessarily give a business the answers it is looking for, because a contract describes what a vendor is permitted to do, not what its systems actually do.
A practical approach is to identify all third parties that the business works with or that have access to data in some way through the business (this can be as simple as a script or tracker embedded in the business’s website that sets cookies). Once a list is assembled, it is helpful to have a technical team identify what it believes each third party has access to, and ultimately to ask the third party exactly what data it holds and what it is doing with that data.
If it is determined that a third party has access to data and is using it in a way the business is not comfortable with, it may be necessary to renegotiate the contract and prohibit the objectionable use. If nothing else, by understanding which third parties are involved and what they are doing with the data, the business can respond to consumers’ requests as they arrive now that the CCPA is in effect.
3. Revise the business’s privacy policies and notices.
By now we are starting to see more and more websites with updated privacy policies and CCPA-related notices. The CCPA requires businesses to update their privacy policies at least once every 12 months.
In order to effectively update a business’s website to comply with the CCPA, the following must be incorporated into the updated policy (and refreshed annually).
a. Identify the new rights available to California consumers under the CCPA. The CCPA creates the following consumer rights, all of which must be addressed in the updated policy. Businesses, therefore, need to inform consumers of their rights to:
(1) Know the business’s data collection and sales practices in connection with the requesting consumer. This needs to drill down to the categories of personal information collected, the sources of the information, the business or commercial purpose for collecting it and, if third parties are involved, the categories of personal information disclosed or sold to third parties and the categories of third parties to which the information was disclosed or sold;
(2) Know the specific pieces of personal information collected about the requesting consumer in the 12 months preceding the request;
(3) Have the information identified in (2) deleted (subject to the exceptions in the CCPA);
(4) Opt out of the sale of their personal information to third parties; and
(5) Not be discriminated against for exercising any of these rights.
As a practical note, the policy should make it clear that a consumer may make requests to know (items (1) and (2) above) up to two times in a 12-month period, and that the business will need to collect information from the consumer to verify their identity before disclosing or deleting personal information. Finally, clearly articulate the time frame for responding to such requests: 45 days from receipt of the request, with the clock running from receipt rather than from completion of verification; the period may be extended once by up to 45 additional days when reasonably necessary, provided the consumer is notified of the extension within the first 45 days.
b. Identify at least two ways a consumer can submit a request to the business. At a minimum, this means a toll-free telephone number and, if the business maintains a website, a web address (a business that operates exclusively online and has a direct relationship with the consumer may instead provide only an email address). We recommend including a link to the request web page here. It is best to clearly describe the process for making a request, the process the business will undertake to verify the request, and the timeline for responding.
c. Provide a mechanism to opt out of the sale of personal information. Provide a link entitled “Do Not Sell My Personal Information” that enables the consumer to opt out of having their information sold. This link must appear in a clear and conspicuous location on the website home page (in practice the footer, and many feel it should appear on every page of the website). Note that this link is an opt-out from sale, not from collection.
d. Identify all of the categories of personal information collected by the business or its third-party providers about consumers in the past 12 months (this is refreshed annually, so if the business reduces the categories of data it collects, for example, the list can be adjusted at the next annual update).
e. For each category identified in (d), identify the sources of that information. Also include a list of the categories of personal information sold in the past 12 months.
f. Identify the business or commercial purpose for which each category of collected information is used.
g. Identify the categories of personal information disclosed for a business purpose in the past 12 months.
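The request-handling rules above (two requests to know per 12-month period, a 12-month lookback, identity verification before disclosure or deletion, and a 45-day clock that starts at receipt and may be extended once) are easy to state and easy to get wrong in an intake system. The following is an added example in Python, not code from the article or from any CCPA tool, of a small ledger that encodes those rules; the consumer identifier, request kinds and dates are constructed for illustration. One rule it applies that the article does not spell out, that opt-out requests are not gated on identity verification, follows the Attorney General’s regulations.

```python
"""Added example: an intake ledger for CCPA consumer requests.

Hypothetical code (not from the article). It encodes the rules stated
in the article: two requests to know per rolling 12-month period, a
12-month lookback, verification before a request to know or delete is
fulfilled, and a 45-day response clock that runs from receipt and may
be extended once by 45 days.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

KNOW_REQUEST_LIMIT = 2   # requests to know per rolling 12-month period
PERIOD_DAYS = 365        # the "12-month period" used for limit and lookback
RESPONSE_DAYS = 45       # initial response window, counted from receipt
EXTENSION_DAYS = 45      # the single permitted extension (with notice)

VALID_KINDS = ("know", "delete", "opt_out")


class RequestRejected(Exception):
    """Raised when a request or action is not permitted by the rules above."""


@dataclass
class ConsumerRequest:
    consumer_id: str
    kind: str
    received: date
    verified: bool = False
    extended: bool = False
    fulfilled: Optional[date] = None

    def lookback_window(self) -> Tuple[date, date]:
        """The 12 months preceding receipt: the period a request to know covers."""
        return (self.received - timedelta(days=PERIOD_DAYS), self.received)

    def deadline(self) -> date:
        """Response deadline. The clock starts at receipt, not at verification."""
        days = RESPONSE_DAYS + (EXTENSION_DAYS if self.extended else 0)
        return self.received + timedelta(days=days)

    def is_overdue(self, today: date) -> bool:
        return self.fulfilled is None and today > self.deadline()


class RequestLedger:
    def __init__(self) -> None:
        self._requests: List[ConsumerRequest] = []

    def limit_reached(self, consumer_id: str, received: date) -> bool:
        """True if this consumer already has two requests to know in the
        365 days before `received`. Delete and opt-out requests never count."""
        window_start = received - timedelta(days=PERIOD_DAYS)
        prior = [r for r in self._requests
                 if r.consumer_id == consumer_id and r.kind == "know"
                 and window_start < r.received <= received]
        return len(prior) >= KNOW_REQUEST_LIMIT

    def submit(self, consumer_id: str, kind: str, received: date) -> ConsumerRequest:
        if kind not in VALID_KINDS:
            raise ValueError(f"unknown request kind: {kind}")
        if kind == "know" and self.limit_reached(consumer_id, received):
            raise RequestRejected(f"{consumer_id}: request-to-know limit reached")
        req = ConsumerRequest(consumer_id, kind, received)
        self._requests.append(req)
        return req

    def verify(self, req: ConsumerRequest) -> None:
        req.verified = True   # identity checks themselves are out of scope here

    def extend(self, req: ConsumerRequest) -> None:
        """Apply the one permitted 45-day extension; notice to the consumer
        is the caller's job and must go out within the first 45 days."""
        if req.extended:
            raise RequestRejected("only one extension is permitted")
        req.extended = True

    def ready_to_fulfill(self, req: ConsumerRequest) -> bool:
        # Opt-out requests are not verifiable consumer requests under the
        # AG's regulations; know/delete must be verified before acting.
        return req.kind == "opt_out" or req.verified

    def fulfill(self, req: ConsumerRequest, today: date) -> None:
        if not self.ready_to_fulfill(req):
            raise RequestRejected("verify identity before fulfilling this request")
        req.fulfilled = today

    def overdue(self, today: date) -> List[ConsumerRequest]:
        return [r for r in self._requests if r.is_overdue(today)]


def demo() -> Dict[str, object]:
    """Walk one constructed consumer through the rules; returns plain values."""
    ledger = RequestLedger()
    r1 = ledger.submit("consumer-123", "know", date(2020, 1, 15))
    r2 = ledger.submit("consumer-123", "know", date(2020, 3, 1))
    ledger.extend(r2)                                   # deadline moves to day 90
    opt = ledger.submit("consumer-123", "opt_out", date(2020, 3, 2))
    ledger.fulfill(opt, date(2020, 3, 3))               # no verification needed
    ledger.verify(r1)
    ledger.fulfill(r1, date(2020, 2, 10))
    return {
        "r1_deadline": r1.deadline().isoformat(),
        "r1_lookback_start": r1.lookback_window()[0].isoformat(),
        "r2_deadline": r2.deadline().isoformat(),
        "r2_ready": ledger.ready_to_fulfill(r2),        # still unverified
        "third_blocked": ledger.limit_reached("consumer-123", date(2020, 6, 1)),
        "next_year_ok": not ledger.limit_reached("consumer-123", date(2021, 3, 15)),
        "overdue_on_2020_06_01": [r.kind for r in ledger.overdue(date(2020, 6, 1))],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points matter in practice: the deadline is computed from `received` and never from the verification step, so a slow verification process eats into the 45 days rather than pausing them; and the two-per-period limit is scoped to requests to know, so a deletion or opt-out request is never refused on that basis.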
4. Reconvene as a group regularly to ensure accountability, and review the regulations wherever the CCPA itself is unclear.
Have the working group meet regularly and document the meetings (a designated note-taker recording basic minutes and filing them is sufficient). The group should continue to update the company’s policies and procedures as the law and regulations evolve, and work toward compliance with the CCPA and other data privacy and security laws. The California Attorney General publishes regulations that interpret the CCPA and give businesses guidance on how to comply with it. It is a good idea to monitor these regulations and any updates to them, or to consult legal counsel to understand them.
On February 10, 2020, the California Attorney General’s office published a revised set of draft regulations that may help resolve some open issues. The AG’s office will not begin enforcing the CCPA until July 1, 2020, and is required by statute to adopt the final regulations by that date.
James D. Snyder represents clients in business transactions, M&A, and data privacy issues. He provides legal and compliance counsel to emerging startups and established companies in areas involving licensing, finance and investments, data privacy and security, corporate structuring, contracts, patent, trademark, copyright, and domain portfolios. He is an accomplished speaker in the fast-evolving data security landscape, and has built a national reputation as a go-to for outside General Counsel advice.
Klinedinst is the go-to firm for clients looking for litigation, trial experience, transactional representation, and legal counsel. The firm’s offices in Irvine, Los Angeles, Sacramento, San Diego, and Seattle service the entire West Coast. What sets Klinedinst apart is the relationship our attorneys foster with each and every client. Klinedinst lawyers are indispensable strategic partners to business leaders, helping to achieve business objectives and create proactive solutions to resolve the many legal challenges that businesses are confronted with every day. Whether vigorously advocating for business clients in court, or guiding business transactions and negotiations, Klinedinst is the trusted legal advisor to have by your side.