201903.06
0

The California Consumer Privacy Act (CCPA or Act) will become operative on January 1, 2020.  In light of recent amendments, regulatory enforcement of the CCPA will not take place until July 1, 2020, or six months after implementing regulations have been published by the California Attorney General (CaAG), whichever is sooner.  Although the potential delay in enforcement will be a welcome reprieve, organizations covered by the CCPA should not wait to start preparing to meet their obligations under this onerous new law.

California has long been a leader in developing and implementing privacy laws.  For example, when California passed the California Online Privacy Protection Act of 2003, it became the first state to require website owners and operators that collect “personally identifiable information” of Californians to conspicuously post a privacy notice on their website.  Similarly, with the passage of the CCPA, California has become the first state to pass a law governing consumer data privacy.  The CCPA grants California “consumers” (i.e., residents of California) certain rights relating to their personal information, including the right to opt out of a business’s sale of their personal information and the right to deletion of their personal information, among others.  It is an especially notable law because it not only governs businesses in the state, but also reaches businesses located outside of California; and because it covers not only the personal data of California customers, but also the personal data of California employees and other California residents whose data is collected.

In this post, we will highlight some of the complexities of the CCPA, as well as some of the more onerous obligations it creates, and provide practical recommendations organizations can (and should) take now to help ensure they are prepared to meet their obligations under the Act by 2020.  These steps take time and should be started well in advance of the CCPA’s operative date.

Step One:  Conduct Applicability Analysis for Organization and All Affiliates

The first, and most critical, step that organizations should take is to determine whether the CCPA applies to their business.  The CCPA’s obligations apply to “businesses,” defined under the Act as a for-profit legal entity that collects consumers’ personal information (PI), determines how and why that PI is processed, does business in California, and meets one or more of the following criteria annually: (1) has gross revenue exceeding $25 million; (2) collects the PI of at least 50,000 consumers, households, or devices; or (3) derives at least half of its annual revenue from selling PI.  PI is broadly defined under the CCPA to include any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Organizations that do business in California and collect PI from any individuals residing in California should determine whether they meet the CCPA’s primary definition of a “business.”  If the organization does not meet the primary business definition, then the organization should consider whether it falls within the CCPA’s secondary definition of a “business.”  Organizations will fall within the secondary business definition if they control or are controlled by an entity that does meet the primary business definition, and share common branding, such as a shared name, servicemark, or trademark, with such entity.  Organizations meeting the secondary business definition will also fall within the scope of the CCPA.

Step Two:  Create and Maintain Personal Information Data Map

The CCPA provides California consumers with rights relating to their personal data that are broader than any other data subject rights currently provided for under other state and federal laws.  Among the rights granted to California consumers is the right to request information from businesses regarding (1) the categories of PI collected about a specific consumer; (2) the categories of sources from which the PI is collected; (3) the specific pieces of PI the business has collected about that consumer; (4) the business and/or commercial purpose(s) for collecting or selling the PI; (5) the categories of third parties with whom the business shares the PI; (6) for PI that the business sells, the categories of consumers’ PI that was sold and the categories of third parties to whom the PI was sold; and (7) for PI that the business otherwise discloses, the categories of consumers’ PI that was disclosed.

The depth of information that must be provided to consumers will require businesses to create an inventory of the PI that the business collects, stores, and shares with others and data flows covering all transfers of PI to and from the business (i.e., data mapping).  The data mapping process should encompass all data that falls under the CCPA’s broad definition of PI.  Data mapping will allow businesses to track what categories of PI are collected and maintained; where and how PI is collected and stored (e.g., customer service, HR, marketing); all persons or entities to which PI is sold or disclosed; and the purposes of such sales or disclosures.  This process, combined with an evergreening process to ensure the data map is updated as necessary, will help enable businesses to: (1) accurately disclose to consumers all relevant PI that businesses collect, disclose, and sell; (2) timely and accurately address consumer PI requests under the CCPA (see Step Three below); and (3) help ensure that they have the necessary contractual provisions in place with third parties to which they are disclosing PI for business purposes.

To ensure compliance with the CCPA’s 12-month “look back” period, businesses should create, maintain, and update, as needed, data maps of PI that cover the 12-month period before the CCPA goes into effect on January 1, 2020 (i.e., beginning January 1, 2019).  That way, if a business receives an information request from a consumer on January 1, 2020, it can provide the consumer with all relevant information the business has collected, stored, or shared with others pertaining to that specific consumer during the prior 12 months.  Because the data mapping process is challenging for most businesses, this process should be started as soon as possible. 

Step Three:  Develop Internal Processes for Timely Responding to Consumer Requests

The CCPA affords consumers the right to request certain information relating to their PI, as noted above; the right to request that businesses delete their PI, subject to certain exceptions; and the right to direct businesses that sell PI to third parties not to sell their PI (collectively, “PI requests”).  To respond to these PI requests, businesses will need to implement internal processes and incorporate the specific requirements for PI requests outlined by the CCPA. 

Businesses must designate and implement two or more methods for consumers to submit PI requests, including, at a minimum, a toll-free telephone number and a website address, as required by the Act.  Additional methods businesses may consider for collecting PI requests include through a mailing address, an email address, or a web portal.  Once the business determines the methods it will use, an internal process for responding, tracking, and documenting PI requests should be created and implemented.  An individual or team should be designated to receive and manage PI requests for consumers.

The CCPA requires a business to respond within 45 days of receiving a PI request, unless the business provides notice to the consumer that it is extending the time period, in which case it may extend the time period to provide the required information by an additional 45 days.  To help ensure timely and otherwise proper compliance with PI request response obligations, businesses should have a method in place to track PI requests, including the date the request was received; verification of the consumer’s identity; the due date for responding; the date that any notice of an extension of time is provided to the consumer; information pertaining to any additional information needed from the consumer in order to provide an appropriate response; the date a response was provided to the consumer; and information about the response provided to the consumer.  

The implemented tracking method also can be utilized to track the number of times in a year the business has provided PI access to a particular consumer.  This information may be useful because the CCPA only requires businesses to provide access to a consumer’s PI twice in a 12-month period. 

Step Four: Develop CCPA Training Programs for Employees

To help prepare employees for responding to PI requests and complying with other CCPA requirements, businesses should implement CCPA training programs.  Businesses should train all employees who may receive a PI request on how to identify a PI request and how to assist consumers in exercising their rights under the CCPA, including their right to be free from discrimination for exercising their rights under the CCPA.  Additionally, businesses should ensure that employees with responsibility for addressing consumer inquiries about the businesses’ privacy practices or the businesses’ CCPA compliance are adequately informed of the Act’s requirements.

Step Five:  Identify Information from Personal Information Data Map to Include in Privacy Policy

The CCPA requires certain information to be disclosed to consumers via a business’s online privacy policy, or, if the business does not have an online privacy policy, to disclose such information elsewhere on its website.  A business must provide a description of a consumer’s right to request that the business disclose the categories of PI collected, sold, and disclosed about the consumer; the specific pieces of PI that are collected; where such PI is collected from; the purposes for the collection or sale of PI;  the third parties to whom the business discloses or sells PI; a description of a consumer’s right to not be discriminated against for exercising his or her rights under the CCPA; a description of a consumer’s right to direct the business not to sell his or her PI to third parties; a list of the categories of PI that the business has collected, sold, and disclosed about consumers in the preceding 12 months, or if the business has not done so, that fact; a description of the designated methods for consumers to submit PI requests to the business; and, if the business is deemed to sell PI under the CCPA’s broad definition of “sale,” a link to the business’s “Do Not Sell My Personal Information” web page. 

To help ensure that these disclosures are accurate and complete, businesses should utilize their up-to-date data map discussed in Step Two.  Relevant information identified within this tool should be disclosed in the business’s online privacy policy when it is prepared or updated, which leads us to Step Six.

Step Six:  Prepare or Update Online Privacy Policy

Once a business has identified information that must be covered in its online privacy policy, the business should either prepare a new online privacy policy or update its current online privacy policy.  In this step, businesses should consider how many privacy policies they want to provide on their website and the structure of their privacy policy or policies.  Some businesses may choose to provide two privacy policies: one for California consumers only and one that applies to all other consumers.  Others may choose to provide a universal privacy policy with either a California-specific provision addressing the requirements under the CCPA or a policy with the CCPA’s requirements incorporated throughout.  This last choice may be preferable for businesses that do not have the technological capabilities or budget to separate out California consumers’ PI from other consumers’ PI, or businesses that are being proactive in light of the potential for other states to follow in California’s footsteps and legislate similar consumer privacy laws of their own.

Businesses should develop and implement a process for reviewing and, as necessary, updating their privacy policy as their data collection and privacy practices evolve.  At a minimum, businesses should review and update their privacy policy at least once every 12 months as required by the CCPA.

Step Seven:  Prepare Website Link and Information

The CCPA imposes additional requirements on businesses that sell PI.  A “sale” of PI under the CCPA means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s PI to another business or a third party for money or other valuable consideration.  Businesses that are deemed to sell PI under the CCPA must provide a “Do Not Sell My Personal Information” link on their website homepage.  The link should lead to a designated webpage that allows consumers to opt-out of having their PI sold by the business.  This link should also be provided in the business’s online privacy policy, along with an explanation of a consumer’s right to opt-out of the sale of their PI.  Businesses that are required to provide this link should take the necessary steps to ensure that the link is visible by the CCPA’s operative date.

Once a consumer has opted-out of the sale of PI, the business must refrain from selling the consumer’s PI for at least 12 months.  After 12 months have passed, the business may request the consumer to authorize the sale of his or her PI.  To comply with this requirement, the tracking method discussed in Step Three can be utilized to track the dates that consumers opt-out of the sale of their PI, and the dates that businesses may begin requesting that consumers opt back in to the sale of their PI.

Step Eight:  Identify Third Parties and Implement Contract Updating Process

Another important step in CCPA compliance is identifying and, as necessary, entering into updated contracts with all third parties with which businesses share PI.  This is often a challenging and time-consuming process and is another step that we recommend businesses subject to the CCPA start soon. 

It is important to understand the differences between a service provider, a third party, and an exempt third party.  Under the Act, a “service provider” is a for-profit entity that possesses PI on behalf of a business and receives such PI for a business purpose pursuant to a contract that prohibits the retention, use, or disclosure of PI received from the business for any purpose except to carry out the services specified in the contract or as otherwise permitted under the CCPA.  The CCPA defines a “third party” as any person or entity other than a covered business or a third party with which a business has entered into contractual provisions specified by the CCPA (an “exempt third party”).  Specifically, exempt third parties receive PI from a business for a business purpose pursuant to a contract that, in addition to the provisions required for service provider contracts, prohibits the exempt third party from selling PI received from the business; prohibits the retention, use, or disclosure of the PI outside of the relationship with the business; and includes a certification that the exempt third party understands the restrictions and will comply with them.

Although the Act does not mandate entering into specific contractual provisions with third parties, there are benefits to entering into the contractual provisions specified by the CCPA for service providers and exempt third parties.  First, businesses that enter into the specified contractual terms for service providers or exempt third parties will not be liable for the service providers’ or exempt third parties’ violations of the CCPA unless the businesses have actual knowledge or reason to believe such service providers or exempt third parties intended to commit such violations.  Second, businesses do not have to provide explicit notice that they sell PI and an explanation of the right to opt out of sales of PI in their online privacy policy if such businesses enter into the specified contractual terms for service providers under the CCPA.  So long as the contracts between businesses and service providers include the specified contractual terms, and the service providers do not further collect, sell, or use consumers’ PI except as necessary to perform the terms of the contracts, then the businesses’ disclosures of PI to service providers should not be deemed a “sale” of PI under the Act.

Businesses with up-to-date data maps can utilize their data maps to identify all third parties with which they share PI.  Once all such parties have been identified, businesses should determine whether written contracts are in place with all third parties with which the businesses are sharing PI for any business purposes.  If not, businesses should take steps to enter into written agreements with such third parties that, as appropriate, incorporate provisions specified by the CCPA for contracts with service providers and exempt third parties, and do not contain any provisions waiving or limiting consumers’ rights under the CCPA.  If written contracts are already in place, businesses should determine whether any amendments to such contracts are necessary under the CCPA. 

Step Nine:  Review and, as Necessary, Update Security Procedures and Practices

The CCPA places a duty on businesses to implement and maintain reasonable security procedures and to adopt practices to protect PI.  If a consumer’s nonencrypted or nonredacted PI is subject to a breach as a result of a business’s violation of such duty, the consumer may bring a civil action against the business to recover damages.  When determining the appropriate amount of damages to award consumers, courts overseeing such cases may consider factors such as the nature and seriousness of, the persistence of, and the willfulness of the misconduct; the number of violations; and the length of time over which the misconduct occurred. 

To minimize the possibility of such a case being brought, and to mitigate any resulting pecuniary punishment, businesses should carefully review their information security and privacy policies and procedures.  If necessary, these policies and procedures should be updated to align with the business’s actual privacy and security practices, or alternatively, the business should change its practices and actively enforce its existing policies and procedures.  Additionally, businesses should take steps to confirm that their physical and technical security practices are reasonable in light of the types and amount of PI they receive. 

Step Ten: Monitor Legislative and Regulatory Developments in California

The California Legislature passed the CCPA roughly one week after it was proposed, rushing the bill through in order to prevent a more stringent version of the Act from being finalized as a ballot initiative on the November 2018 ballot.  Because of the rushed process, the CCPA contains confusing and contradictory provisions, and its requirements are often unclear.  Many privacy professionals and organizations have voiced concern over the Act’s ambiguities at public forums for comments and concerns about the CCPA held by the CaAG.  Hopefully, the CaAG’s final regulations will clarify many of the remaining uncertainties.  

It is also possible that the California Legislature will pass additional clarifying amendments this legislative session.  Senate Bill 561 was recently introduced in the California Legislature, seeking to amend the CCPA by, among other things, expanding a consumer’s right to bring a civil action against a business to include any consumer whose rights were violated under the CCPA, not simply consumers whose PI was breached.  Businesses should keep an eye out for any regulations or amendments to the CCPA in 2019. 

In the coming months, Fey LLC will be closely monitoring any legislative and regulatory developments.  To help ensure you don’t miss out on any articles and alerts we prepare on the CCPA or other significant data protection laws and developments, you can follow our LinkedIn page here.

Laura Fey

Laura Clark Fey, Privacy Law Specialist (IAPP), is the principal at Fey LLC.

Hannah Zimmerman

Hannah Zimmerman is an associate attorney with Fey LLC.