Today is Data Privacy Day, an international holiday recognizing and promoting the importance of privacy and security for our personal and other sensitive information.
Last Data Privacy Day, I wrote about Colorado’s privacy law and its requirements related to security and data breach notification. To learn more about the Colorado privacy law, see the previous articles titled Colorado Data Privacy Law (2018 Update) and Colorado Data Breach Notification (2018 Update).
This year the business world is abuzz with news about a different data privacy law – the California Consumer Privacy Act (CCPA).FN1
Although first enacted in 2018, the law did not go into effect until the first of this month. As a result, businesses only now are having to figure out how to comply with this new law.
The CCPA is an important legal development deserving of the attention it has received. It has been described, for example, as ushering in a "new era of consumer privacy rights" in the United States.FN2
The rights granted to California residents are both new and important in the U.S., and at least fifteen other states have already proposed similar laws.
Given the importance of California in the U.S. economy and around the globe, the impact of the CCPA will be felt by many consumers and businesses alike. Indeed, it is fair to suggest that "we as a society are evolving from looking at data as a company asset and moving toward 'a consumer rights mentality.'"FN3
So what do businesses, both large and small, need to know about the CCPA? This article discusses the top 10 things you should know about the CCPA. Let’s get started.
#1. Is Your Business Subject to the Requirements of the CCPA?
The first threshold issue is whether the CCPA applies to your business. To answer this question, you should determine whether your business collects, maintains, or shares information about California residents.
As a California law, it is designed to protect the residents of that state. Residents of other states are not directly covered by the law. It does not matter whether you or your business are located in California; what matters is whether your business has information on California residents.
If your business doesn’t have any information on California residents, you won't have to worry about compliance with the CCPA. If you do, then you need to determine whether you are a covered business - even if you are not located in California.
If your business has information on at least one California resident, it must also fit into one of the following three categories in order to be subject to the CCPA:
Your business has gross annual revenues greater than $25 million;
Your business receives or exchanges the personal information of 50 thousand or more consumers, households, or devices; or
Your business derives 50% or more of its annual revenue from selling personal information.
The first condition requires any large business to comply with the requirements of the CCPA. The next two conditions cover businesses that either hold a large amount of consumer information or derive a significant percentage (half or more) of their revenue from the sale of such information.
Additionally, a business can be covered by association. That is, if a business (a) controls or is controlled by another business that fits into one of the above categories or (b) shares trademarks or branding with such a business, then it will also be covered by the CCPA.
If your business neither fits into one of these categories nor is associated (in the way just noted) with any such business, it is not subject to the CCPA. Even so, you may wish to read on as your business may still be subject to similar requirements from other privacy laws.
#2. Do You Understand the Customer Information Your Business Collects?
If you have a covered business under the CCPA, the next step is to assess the customer information you are collecting, maintaining, or sharing.
Why are certain kinds of information collected and is there a compelling business reason to collect it? How is that information stored, secured, and deleted?
Have you sold, shared, or disclosed this information to any other businesses or third parties? (Keep in mind that “sale” under the CCPA is defined rather broadly to include generally any exchange for value.)
The CCPA does not cover all customer information, only "personal information." But the CCPA's definition of personal information is much broader than that of other U.S. privacy laws, and it includes any information that "identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
As a result, "personal information" under the CCPA does not have to identify or relate to an individual person; the information can instead be associated or reasonably linked with a household.
Moreover, the information does not have to be collected from the individual consumer, but can include specific conclusions, inferences, categorizations, or descriptions about a California resident or household -- for example, conclusions regarding personal preferences, behavior, religious or political affiliations, health, employment, finances, intelligence or abilities could all be considered personal information under the CCPA.
As a result, the information covered by the CCPA includes not only the typical name, email address, telephone number, government-issued IDs, banking, and biometric information, but also includes IP addresses, cookie and pixel tag information, geolocation data, Internet of Things information, as well as any conclusion or categorization reasonably related to an individual or household. However, publicly available information does not count as personal information under the CCPA.
If your business is covered by the CCPA, it will be required to disclose to its customers (i) the sorts of personal information collected, (ii) the business reason for collecting this information, and (iii) to whom any such information is sold, shared, or otherwise disclosed.
By now, every business with a web presence should be providing notice to its users or customers regarding (1) the types of information collected, (2) with whom that information is shared, and (3) the rights that users or customers have under applicable privacy laws.
The CCPA and other privacy laws (like the California Online Privacy Protection Act (CalOPPA) or Nevada’s “Notice Regarding Privacy of Information Collected on Internet from Consumers”) require businesses to display notices regarding what information is collected, how that information is collected, and why collection serves a legitimate business purpose. Such a notice should address at least the following:
1. The kinds of personal information your business collects, tracks or processes;
2. Why your business is collecting this information;
3. How your business collects, tracks, or processes this information (e.g. what are your sources of information);
4. Whether your business shares or discloses any of this information with other businesses or third parties;
5. Whether any information shared is sold or exchanged for non-monetary compensation;
6. How your customers can request copies, changes, or removal of this information;
7. How your customers can opt out of the sale of their information;
8. How your business will verify any consumer requests related to their information; and
9. How your business will obtain prior consent from minors ages 13 to 16, and how consent will be obtained from parents for minors younger than 13.
Many of these pieces are discussed in greater detail below.
#4. Your Business Should Also Have a Data (or Information) Security Policy (and a Documented Breach Notification Process).
Unlike outward facing privacy policies, information security policies are internal company policies that document how your business will handle and secure customer information as well as how you’ll respond to information security incidents, including data breaches.
Many laws now require businesses to develop and implement reasonable security measures. What measures are reasonable depends upon the size of a particular business and its available resources.
For Colorado businesses, the most important of these laws is not the CCPA but Colorado's data privacy law. As discussed in a previous entry, Colorado’s law requires any business, regardless of its size, that collects certain sorts of information on Coloradans to have reasonable information security and disposal policies and practices.
The CCPA also requires reasonable security measures to protect consumer information and authorizes California customers to bring lawsuits against businesses that experience a data breach due to a failure to maintain reasonable security measures.
In light of this new legal landscape, businesses should be careful to document their information security controls and practices and adhere to them in day-to-day operations. Developing and following a reasonable data security policy can limit a business’s liability in the event of an unfortunate security incident.
While the reasonableness of the measures a business must implement depends on its size and resources, it is (nevertheless) prudent for any business to encrypt the data that it maintains or transmits. Encryption of information is important since breach notification requirements (under, for example, Colorado’s data privacy law) and the ability of consumers to bring claims under the CCPA both exempt encrypted information.
The private right of action under the CCPA also allows individual consumers to bring claims against a business that has an unauthorized disclosure of their information. But if that information is encrypted, a business will not be liable to that consumer.
As a result, encrypting information is a way that any business can limit its potential liability for the data it stores or communicates.
It is also important to determine whether the procedures and other practices necessary for compliance with the CCPA will be extended only to California residents or to other individuals as well.
Practical business considerations may favor extending protections to the residents of other states or countries for various reasons, e.g. the simplicity of handling information uniformly, the expectations and preferences of your business’s customers, or wanting to get ahead of other similar laws that are likely to be adopted in the future.
As suggested above, in addition to requiring disclosures related to information collected, maintained, or shared, the CCPA and other laws protecting consumer privacy require businesses to provide notice to consumers regarding their rights over this information.
Thus, it is not enough to simply provide consumers information about how their information is collected, shared, or sold. A covered business must also permit consumers to exercise significant control over their information. This includes the ability to request copies of information maintained, to amend the information on file, to opt out of certain practices, and to request the deletion or removal of certain information (at least in many circumstances).
Businesses can increasingly expect individuals to contact them to exercise these rights and they should develop policies and procedures related to how they will handle these requests. Your business has a duty to provide a cost-free way for consumers to exercise these rights and it should make it convenient for them to do so.
Opt-out requests are perhaps among the most important, particularly when it comes to the sale of a particular consumer’s information. Under the CCPA, a consumer must be able to opt out of the sale of their information, and covered businesses should be able to respond properly to any such request.
Accordingly, your business should document how consumer information is sold and how they can opt out of those sales. Moreover, your consumers must be adequately informed about your policies.
In general, a business must provide two or more methods by which a consumer can submit requests related to the exercise of their rights under the CCPA. These methods must include a toll-free telephone number and, if the business has a website, a website address.
Additionally, covered businesses that sell consumer information must conspicuously display on their websites or mobile apps a “Do Not Sell My Personal Information” hyperlink that links to a webpage where consumers can effectively opt out of these sales.
Furthermore, consumers are protected under the CCPA if they choose to opt out of the sale of their information. Accordingly, businesses are prohibited from retaliating or discriminating against those who opt out. This includes changing the price or quality of services, but businesses can provide some financial incentives to consumers who permit the collection of their information.
The deletion of consumer information is another important issue that businesses should develop policies and procedures to handle. However, it is important to understand that this is much more of a legal compliance issue than it is a technical one since the CCPA explicitly exempts businesses from having to delete or otherwise remove particular kinds of information or information that is subject to certain other laws.
As a result, understanding how to respond to requests for the deletion of consumer information requires understanding not only the numerous requirements of the CCPA but also the other laws and regulations applicable to your business and how their requirements modify your obligations under the CCPA.
Finally, it is important to consider, given the resources of your business, how you will respond to requests for information and thereby provide a particular verified consumer with the information you have on them.
The copies of consumer information that businesses must provide include not only the categories of information collected, but also the particular facts or pieces of personal information collected.
Businesses subject to the CCPA should be able to respond to these consumer requests within 10 days and have 45 days to comply with valid requests. These timelines will be difficult to meet if your business has not considered in advance how it will respond to consumer requests.
#6. Your Business Should Be Able to Verify Any Consumer Request.
Businesses can no longer simply treat consumer information as a proprietary asset, but must permit consumers to exercise certain rights over their information.
These rights are a significant and reasonable development. But they are a potential trap for an unprepared business that collects or maintains this information.
Consumers will increasingly be communicating with businesses to exercise their rights, but improperly disclosed information has the potential to become a data breach. As a result, businesses should be able not only to respond to requests related to the exercise of these rights but also to verify them.
The CCPA requires your business to have a method of verifying the identity of consumers who make requests and it is your business's obligation to ensure that any person making a request is who they claim to be. These controls should be documented and shared with anyone who may be responding to consumer requests for your business.
Thus, reasonable policies and procedures should be implemented in order to ensure that neither private consumer actions nor regulatory enforcement actions are pursued against your business. And what is reasonable will depend not only on the size and resources of a business, but also on the sorts of information it maintains on its customers – since this is the information set available to that business that it can use to verify the identity of anyone who has submitted a request.
Government issued IDs, like driver’s licenses, are often mentioned as a method of verification. But keep in mind that these IDs will be less useful for identification if your business maintains little of this information and is unable to compare the ID’s information to information on file with your business.
Moreover, some consumer requests may come from minors who do not have or may be unable to acquire a government-issued ID. Depending on the information you collect, your verification process should nevertheless be able to verify the identity of these minors.
You should carefully consider the information that your business maintains and develop a verification process that works with your business's resources and its available information.
#7. Your Business Will Need to be Able to Respond to Notices Permitting a “Cure” of Violations.
When an individual consumer believes that they have had their personal information improperly disclosed to an unauthorized third party, that person must notify that business about the alleged disclosure and the basis for which the business is liable to that person for the disclosure.
If a consumer properly notifies such a business, that business will have 30 days to “cure” the violation. Under the CCPA, a business that “actually cures” a violation of a consumer’s private rights is no longer liable for statutory damages and that individual will not be able to bring a class action against that business to enforce their rights as well as those they could represent.
The CCPA suggests that cure may not always be possible, but when it is, it is a significant opportunity to limit damages. Not only is the consumer who notified you limited to their provable actual damages, but they will also be unable to represent a class of potentially numerous other individuals.
As a result, your business will want to have already developed policies and procedures related to curing any potential violations of an individual’s rights under the CCPA.
Thirty days is not a lot of time to remedy the harm of a cyberattack or data breach. If your business does not know how it will handle an opportunity to cure, it may be unable to benefit from this chance for safe harbor.
#8. Your Business Should Make Sure Employees and Other Service Providers are Properly Trained.
Given the importance of responding to, verifying, and curing consumer requests, it is critical that your employees or anyone else who might process these requests for you are properly trained.
You should make sure your personnel understand your implemented controls and reasonably respond on a day-to-day basis to consumer communications. Ultimately, this is a matter of adequately training those who handle personal information for your business.
This training should cover several important areas, including security procedures, verification procedures, responding to valid requests, and how to proceed in the event of a data breach or security incident. Employees and others who handle personal information should also receive copies of relevant policies and sign acknowledgements that they have reviewed, understand, and will abide by those policies.
Your business will generally be liable where employees or others you hire fail to properly handle personal information or improperly respond to consumer requests.
Moreover, if your business is selling, sharing, or disclosing information to vendors or other third parties, the contracts related to those arrangements should be reviewed in order to ensure compliance with the CCPA. And your business should pay careful attention to how your vendors and other contractors are using any consumer information you've shared with them.
Legal obligations, whether under the CCPA, Colorado’s Privacy Law, or otherwise, generally cannot be delegated and, as a result, the obligation to comply with the requirements of the CCPA will remain with your business even if others perform services on its behalf.
Accordingly, any relevant agreements should include provisions and language that protect your business in the event that a vendor fails to adequately protect the information you’ve shared with them.
#9. CCPA Compliance Does Not Replace the Requirements of Other Privacy Laws.
The CCPA was enacted separately from any other privacy law and does not replace any such law. There are now many privacy laws across the U.S. and abroad that may apply to your business. The CCPA, while new and significant, is just one such law.
Therefore, your business may have to meet data privacy or security requirements that are distinct from those under the CCPA. As already mentioned, Colorado has its own data privacy law. However, this law has important differences from the CCPA.
Furthermore, Colorado residents are not allowed to pursue private causes of action against a business that breaches their information; that power is reserved to the Colorado Attorney General. For fuller discussion of the Colorado privacy law, see the previous articles titled Colorado Data Privacy Law (2018 Update) and Colorado Data Breach Notification (2018 Update).
Finally, the General Data Protection Regulation (GDPR) is another important privacy law that affects international businesses that process the personal information of European Union (EU) and European Economic Area (EEA) data subjects. The rights granted to consumers under the CCPA are fairly similar to those afforded to EU citizens under the GDPR. As a result, a business subject to both laws may be able to use policies and procedures developed for one in order to comply with the other.
In navigating this evolving legal landscape, it is important to consult with an experienced attorney.
#10. Non-Compliance Can Involve Significant Fines and Penalties.
Non-compliance with the CCPA is potentially very costly. Depending on the situation, a California consumer, the state of California, or both may bring claims related to CCPA violations.
The California Attorney General has a general enforcement power and can impose fines and other penalties for any violations of the CCPA. These fines can be as much as $7,500 per violation where the violation is knowing or intentional. For more innocent violations, the civil penalty is limited to $2,500 per violation.
Depending on the number of violations and the amount of personal information maintained, these fines can quickly add up. But the Attorney General can also pursue legal actions designed to ensure your business's compliance, such as requiring your business to cease operations related to your collection or sharing of personal information until adequate security measures are implemented.
California consumers can also bring private actions in cases where their personal information has been improperly disclosed to other businesses or third parties, including cyber criminals. These consumers are required to provide notice of the violation, which permits a business an opportunity to cure the noticed violation (as described above).
Noticed violations that aren't or cannot be cured permit the consumer to seek either actual or statutory damages. While actual damages will depend on the individual harm to the consumer, statutory damages may be as much as $750 per violation, and that consumer may be allowed to seek relief on behalf of a class of other individuals.
Where an individual can pursue a class action, your business's liability may be considerable - and will depend on the amount of personal information your business has and how much was improperly disclosed. Where a noticed violation is cured, the consumer may recover only their actual damages and cannot represent any class.
However, violations of the CCPA will not be actionable until the six-month grace period expires, so it is not too late to take the steps necessary to ensure compliance and avoid costly penalties. While implementing proper data security and protection is an important part of complying with the CCPA – as is proper deletion and tracking of personal information – there are also important legal requirements that businesses must meet. For this reason, technological expertise is not enough.
The CCPA is a complex new piece of legislation that will not be well understood until certain issues are resolved by the courts or administrative guidance. If you need assistance developing a privacy or information security policy, please reach out today!