20 Questions (and Short Answers) on the California Consumer Privacy Act (CCPA)February 7, 2019 – Alerts
The California Consumer Privacy Act (CCPA), a broad-based law protecting information that identifies California residents, was passed in June 2018 and will go into effect in 2020. Dubbed “GDPR Lite” to denote its similarities to the EU General Data Protection Regulation (GDPR), it is expected to dramatically alter the way U.S.-based companies process data. The law includes detailed disclosure requirements, provides individuals with extensive rights to control how their personal information is used, imposes statutory fines and creates a private right of action —and will require companies to rethink some of their data processing practices.
But what about me, you ask? Will the CCPA apply to me, and if so, is there anything that I should start thinking about or doing now? The short answer? Yes.
CCPA Is Coming: To You or a Company Near You
- Does CCPA apply to all companies? No
CCPA applies to you if you are a for-profit business that collects California consumers’ personal information, determines the purposes and means of processing California consumers’ personal information, does business in the state of California, AND meets or exceeds any one of the following thresholds:
(a) $25,000,000 in annual gross revenues
(b) buy, sell, share, and/or receive the personal information of at least 50,000 California consumers, households or devices, per year
(c) 50 percent of annual revenue comes from selling California consumers’ personal information
CCPA also applies to you if you control or are controlled by an entity that meets or exceeds one of the above criteria and shares common branding.
- I don’t meet these thresholds, does that mean I’m “off the hook”? No
You could be required to comply with CCPA provisions indirectly through an agreement with a customer. In order to comply with CCPA, businesses that are subject to the law will need to ensure that their third party service providers use information in a way that allows the business to be compliant (e.g. delete the information when requested, use the information only as permitted).
- Does CCPA apply to me only if I have “boots on the ground” in California? No
The CCPA applies to companies that “do business in California.” This term is not defined in the CCPA but it has been broadly defined under California law to encompass companies with ties to the state that include sales into the state, involvement in transactions for financial gain in the state, ownership of real property in the state, taxes paid in the state, an ownership stake in a company that owns property in California, etc.
- Can CCPA apply to me if I am not a consumer facing business (“B2C”)? Yes
Despite its “Consumer Privacy Act” title, as currently drafted, CCPA applies to any business that meets the criteria listed in question one above, even if it does not deal directly with consumers. The definition of “consumer” is also very broad and includes any individual who is (1) in California for other than a temporary purpose, or (2) domiciled in California but is outside the state for a temporary purpose.
it is not yet clear whether the CCPA applies to B2B companies with respect to business contacts who meet the criteria listed in question one and/or employees who are California residents. While the current language of the CCPA and definition of “consumer” appear to include employees and business contacts, the California State Assembly recently proposed AB-25, a bill that would exclude employees, contractors and agents from the definition of “consumer.” Specifically, the bill excludes a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant to, an employee of, a contractor of or an agent on behalf of the business, to the extent the person’s personal information is collected and used solely for purposes compatible with the context of that person’s role as a job applicant, employee, contractor or agent of the business. The bill awaits final legislative action.
- …but I’m a “Covered Entity” or “Business Associate” under HIPAA – CCPA still applies.
The CCPA does not apply to you with respect to Protected Health Information (PHI) (as the term is defined under HIPAA) that you create, receive, maintain or transmit. If you process personal information that is not PHI and are otherwise subject to CCPA, the provisions of CCPA will apply to you.
- …but I’m a financial institution subject to GLBA – here, too, CCPA still applies.
Same situation as under HIPAA. The CCPA will not change any of your existing obligations under GLBA with respect to the Non-Public Information (NPI) that you process. If you are subject to CCPA (as explained in question one), all other personal information that you process (e.g. clickstream, cookies, lead generation) will be subject to CCPA.
- …but I’m a startup – keep your eyes open, you may want to start some compliance.
The CCPA isn’t meant to apply to small companies with minimal data collection. However, you should consider the following:
- Are you a growing company that will soon be subject to CCPA? If so, it is better (and cheaper) to make the necessary arrangements and design choices now and not later.
- Do you have unique users or website visitors? The three threshold alternatives are broad. To fall under the “at least 50,000 consumers annually” prong, you only need 137 unique California visitors to your website per day from whom you collect personal data.
- Are you a service provider with customers who do business in California? In order for them to utilize you as a service provider, you will need to show that YOU can process data in a way that allows them to comply with THEIR obligations under the CCPA; and
- The “50,000 annually” prong applies to “consumers, households, or devices.” The definitions of “household” or “devices” are not clear and could put you in the scope for CCPA.
- …but I’m a non-profit corporation - you are likely off the hook.
Non-profits are not required to comply with the CCPA. However, if you are a non-profit organization that controls or is controlled by a for-profit entity that qualifies as a “business” and share common branding, or if you receive personal information from a business via a “sale” – you could be subject to CCPA.
- If I don’t comply – is it just a slap on the wrist? …depends on what you call “slap on the wrist.”
A company found in violation of the CCPA could face a civil penalty of up to $2,500 per violation (e.g. per record shared…). Any person or company that intentionally violates the CCPA could face a civil penalty of up to $7,500 per violation. You can do the math.
CCPA Gives Individuals New Rights:
- This is the USA, if it’s not a Social Security Number or a credit card number, I don’t need to worry, right? Wrong
CCPA defines “personal information” much more broadly than it is defined under most U.S. privacy laws. It is defined as any information that could reasonably be linked to a particular person or household, whether directly or indirectly. That includes things like:
- real name or alias, physical address, biometric information,
- IP address, email address, unique personal identifier, online identifier
- account name, driver’s license number, passport number
- characteristics of protected classes
- records of purchasing history or tendencies
- internet browsing or search history, information related to web site interactions, geolocation data
- audio or visual data, olfactory data
- employment or education data
… as well as inferences drawn from the above
Because household data — which the law does not describe in detail — is included in the CCPA definition of “personal information,” the practical result is that data may be protected under the CCPA even if it does not relate to a single individual.
- But I only collect non-identifiable information such as IP addresses or advertising IDs through cookies - CCPA still applies.
Even though you see this in many online privacy notices, IP addresses and advertising IDs are not considered non-identifiable information anymore and are specifically included in the definition of personal information. Only information that is truly de-identified in accordance with the requirements of CCPA (and does not contain inferences drawn from identifiable information) falls out of scope.
- I share information with third parties for advertising purposes – do I need to stop?
You don’t need to necessarily stop outright, but you do need to:
- know all the third parties with whom you share information
- provide information about this sharing to the consumer
- stop sharing with third parties when an individual asks you to do so.
You will have additional obligations if you deal with the personal information of children under 16.
- What information do I need to give people access to?
You need to provide access to the categories of information as well as pieces of actual information itself (or a copy of it).
- Do I really need to delete information if people ask me? In many cases, Yes.
If you get a verifiable request from a person, you will need to delete the information and direct your service providers to do the same, unless an exception applies. A “verifiable request” is one in which you are able to verify that the requester is indeed the individual whose information is sought. The California Attorney General is expected to issue guidelines on this.
- …but I need the information the individual wants me to delete – You may be able to keep it.
There are some exceptions to the right to erasure. You are not required to delete a person’s information if you need it to/for:
- complete a transaction for or provide a good or service to, that consumer or perform a contract with them
- detect security incidents or protect against deceptive, fraudulent or illegal activity
- identify and fix errors in any functionality
- exercise free speech or aid another in the same
- comply with a legal obligation
- engage in scientific research
- internal uses that are reasonably aligned with the expectations of the consumer
- Will I need to amend my online privacy notice? Very likely, Yes.
The CCPA imposes broader requirements regarding what you need to disclose. You will need to describe, clearly: what type of personal information you collect, the purpose for which those types of information will be used, how long you will retain the information, with whom will you share it, consumer rights with respect to the information, etc. Depending on how detailed your current privacy notice is, some information is likely missing.
In addition, you will be required to add a “Don’t sell my information” button on your website.
CCPA Requires Preparation, But Has Upsides
- …but I heard the law will change a ton – is it worth doing anything now? Yes, it is.
Even though it will not take effect until 2020, requests for access or deletion filed under the law can go up to 12 months back…well into 2019. Therefore, you need to have your systems set up to enable compliance with those rights. You also need to make sure your agreements with service providers allow you to request the service provider delete or provide access in accordance with CCPA.
In an interview, a representative of the California AG has said that when assessing complaints about CCPA in 2020, the AG will take into consideration, as part of its assessment of a company’s efforts to comply, whether or not the company took steps toward compliance before the law took effect. So it is better to start now.
- If I decide to “wait and see” – what could happen?
There are some things that can be done very close to the date CCPA takes effect. For example, you can wait to update your website privacy notice and add the “do not sell my information” button on your website.
However, other things require a fair amount of work and company buy-in. If you don’t start now, you may not be done by the time the law goes into effect.
If you wait too long, you might also be subject to an enforcement action. Violations of the law are subject to an injunction and/or a civil penalty of $2,500 for each violation or $7,500 for each intentional violation.
- So, what should I be doing to prepare?
- Map out what personal information you collect (yes, including all those cookies and trackers on your website). Ask:
- What information do you collect?
- Where do you collect if from?
- Where and how is it stored?
- What do you do with it?
- How long do you keep it? Why?
- Who do you share it with? And for what purpose?
- Collect and review all third-party agreements and start to revise them
- Formulate a process for responding to access and deletion requests
- Formulate a process for providing and honoring individuals’ opt outs
- Train your employees
- Start amending your privacy notice
- Is there any silver lining for my company? Yes, maybe a few.
As with other California privacy laws, the CCPA will likely serve as a benchmark for other states or even for a federal privacy law. So any work that you do to comply with the California law now will not go to waste. In fact, compliance will likely be a competitive advantage that you can present over your peers, especially as a service provider.
In addition, a little-discussed provision in the CCPA allows companies to provide a financial incentive to individuals in consideration for their data. That might allow you to monetize the data in ways you have not done before, but in a thoughtful way, which honors the individuals’ rights to their data.
Alanna Elinoff is an attorney in the firm’s Intellectual Property Department. Odia Kagan is a Partner at Fox Rothschild and chair of the firm’s GDPR Compliance and International Privacy Practice. Odia leverages her experience counseling companies on GDPR compliance issues to assist companies on the road to CCPA compliance. For assistance, contact Odia at [email protected] or 215.444.7313.