Should Your Company Be In Compliance With California’s CCPA Law? Here’s How to Find Out.
With new breaches happening every day, businesses need to act quickly to comply with a growing web of strict privacy standards. ADCG has written about GDPR and New York’s SHIELD act, and how to ensure that your business is in compliance with the far-reaching implications of these two standards. Hitting even harder is California’s Consumer Privacy Act (CCPA). With the fifth largest global economy, California has reacted to its elevated role in enterprise by proposing new data privacy standards which will take effect in January 2020.
Better privacy standards are good. The problem is that most companies simply aren’t ready to comply. IBM’s Data Privacy study, conducted by Forrester Consulting, presents some troubling numbers:
“As few as 28% of respondents have complete confidence in their firms’ ongoing ability to adhere to privacy requirements, even though 77% expect the number of data privacy regulations to grow. And when asked about compliance with the imminent California Consumer Privacy Act (CCPA), set to take effect in January 2020, nearly 80% of those whose companies must comply confirmed this is still a work in progress.”
The Wall Street Journal confirms: “The California law was passed last summer, but many companies delayed preparations during the lengthy amendment process. In a survey PricewaterhouseCoopers conducted last year, only 52% of respondents said they expected their company to be CCPA-compliant by January 2020.”
In broad strokes, CCPA requires all affected companies to be able to tell consumers what personal data they have collected and stored, and consumers must also be allowed to opt out of having their data stored and/or sold by the company. This is easier said than done, as most companies currently have no central tracker in place to know what data they have, what they’ve sold, and even where it might be stored.
Which Businesses are Affected?
CCPA was designed to hold Silicon Valley tech giants accountable in the wake of egregious breaches and foreign attacks, but it affects any company that earns at least half its revenue by selling the personal data of California residents, any company which receives or shares the data of more than 50,000 California individuals, and any company which boasts revenue over $25M – which is about 500,000 companies by the WSJ’s estimate.
Larger companies may already be off to a good start in terms of CCPA compliance, especially if they operate in Europe and have been required to comply with GDPR, which took effect last year. Likewise, CCPA is expected to become a gold standard for the rest of the U.S., which means that even if a business does not operate in California, the state where it is domiciled is likely to soon follow suit. Still, PricewaterhouseCoopers’ analysis states that any Fortune 500 company will spend at least $100 million on compliance in the law’s first year.
The law will not be enforced until the summer of 2020. But procrastination is inadvisable; businesses that do not comply with customer data requests within 45 days will be subject to hefty fines and possible civil litigation. And, in the event of a breach, companies will be liable for up to $7,500 in damages per person affected. If the law had been in place before the breach at Capital One (which operates in California), where 106 million people were affected, the company could have ended up paying approximately $795 billion, almost one trillion dollars.
What Counts as Personal Information?
The International Risk Management Institute provides an expert unpacking of CCPA, and outlines the types of data consumers are allowed to request under CCPA. In addition to specific pieces of collected data, consumers can also request:
- Categories of personal information collected
- Where the information was sourced
- The business’s purpose for collecting personal information
- Third parties with which consumer information is shared
If you are a business that sells personal consumer data, you are also expected to expand upon these categories and explain why and to whom you have sold any collected data.
California’s Attorney General, Xavier Becerra, has proposed a set of rules to govern how companies should comply with consumers’ requests for their data, to opt out of their data being sold, and with requests to delete that data.
Under the proposed rules, companies must:
- Notify consumers when their personal data is being collected, at or before the time of collection.
- Allow consumers to opt out of data collection from the start, with a clearly displayed link on their website or app, or with a browser extension.
- Not discriminate against consumers who choose not to have their data collected or sold, with the caveat that businesses can create tiers of service based on data-collection preferences.
- Not collect or sell data belonging to consumers ages 13-16 without the approval of a parent or guardian, and provide at least two ways for consumers to request a copy of their data.
- Offer a two-step deletion process: consumers who want their data deleted indicate which data they want deleted and then confirm their decision. Companies must also verify the identities of consumers requesting their data. Deletion can take the form of de-identifying data (separating it from personal identifiers).
- Publish an annual report, if they serve at least 4 million California residents, detailing how many requests they receive for data transparency, deletion, and abstention.
CCPA does not apply where it conflicts with a business’s ability to comply with a federal, state or local law. It also does not apply to de-identified data, which is data that’s been scrubbed of identifiers linking it to a specific person. And CCPA gives way to HIPAA and several other healthcare laws, as well as the California Financial Information Privacy Act. More details can be found here.
As with many new laws, CCPA requires input from the public. The deadline for residents of California to submit written comments for CCPA is December 6, 2019 at 5 p.m. PST. To submit comments, email [email protected]. Tips for formulating comments can be found here. Oral comments will be entertained at four public hearings held December 2-5 in San Francisco, Fresno, Sacramento, and Los Angeles. The full schedule and CCPA fact sheet are here.