California Consumer Privacy Act: A Preliminary Guide to Compliance

Even though the California Consumer Privacy Act (CCPA) is expected to be amended, the primary requirements and consumer rights will likely stay predominantly unchanged. As was the case with the European Union’s General Data Protection Regulation (GDPR), waiting for the last minute to think about how to implement the CCPA, is not an effective strategy. Significant work may well be required to achieve and maintain compliance, both from a technology and operations standpoint. This article will cover a few preliminary steps, but it’s highly recommended organizations work with legal and technical experts to fully comply with the CCPA.

Summary of the Regulation

The SB 1121 California Consumer Privacy Act of 2018 is a first-of-its-kind regulation that gives California consumers greater control over how companies may use their personal information. Passed in June 2018 and subsequently amended in August 2018, SB 1121 gives California consumers the right to

• data access,
• data deletion,
• know from where data is collected and to whom it is sold,
• opt out and
• nondiscrimination.

The law also imposes new requirements on businesses regarding the collection of children’s and teens’ data.

While the law goes into effect January 1, 2020, SB 1121 has delayed implementation of the law until six months after the California Attorney General, who has enforcement powers, publishes final implementation regulations, or July 1, 2020, whichever is sooner. Civil penalties for violations range from $2,500 to $7,500 per violation. Additionally, the law gives consumers private right of action to recover statutory damages for a business’ failure to implement and maintain reasonable security procedures and practices that result in a data breach. Such private suits against violators may carry statutory penalties in the range of $100 - $750 per breached record.

Does the CCPA Apply to Your Business?

Companies should first assess whether the CCPA is applicable to them and their business partners based on annual revenues, size and business processes involving personal information of California residents. A company will fall under the purview of the CCPA if it meets at least one of the following thresholds: 

• annual gross revenues in excess of $25 million; 
• annually buys, receives, shares or sells the personal information of 50,000 or more California consumers, households or devices; or 
• derives 50% or more of its annual revenues from selling consumers’ personal information. 

Additionally, businesses must also analyze whether any exceptions apply to them, such as for medical information governed by the Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health Act (HITECH) and Confidentiality of Medical Information Act (CMIA), and personal information governed by the Fair Credit Reporting Act (FCRA) or the Gramm-Leach-Bliley Act (GLBA).

Building an Information Security Framework for Defensible Compliance 

Companies are required to take specific steps to comply with the CCPA, such as providing consumers with notice regarding their rights, offering at least two methods to consumers to exercise their access rights and having appropriate processes in place to comply with consumers’ rights requests. Many businesses will accordingly need to update their policies and processes related to disclosures, including those related to website usage. Organizations will likely also need to hire and train personnel who will be charged with understanding and responding to consumers’ requests.
Since the final form of the law is currently unknown, companies should have qualified legal counsel review their CCPA plans and compliance processes before the law goes into effect. Additionally, companies will want to prepare for how their compliance function can effectively monitor privacy processes and procedures in action.

Information security professionals are responsible for implementing reasonable security policies and procedures to ensure that the personal information of California consumers is protected. Notwithstanding mandates that result from the anticipated amendments, information security professionals should address the following: 

• Data Mapping and Data Inventory

Having precise knowledge of the data it collects, stores and sells is the foundation that will enable a company to comply with the CCPA’s requirements to keep records of:

1. Categories of sources from which personal information is collected
2. Categories of third parties with whom the company shares this data
3. Business purposes for selling the data

Information security professionals must also implement steps to identify and differentiate data that is for continuous use versus one-time use. The CCPA applies to data that is held for continuous use (including sale of the data) but does not cover data that is used once and not sold. 

• Personal Information Deidentification

The CCPA excludes from the definition of “personal information” any information collected from the consumer that is subsequently deidentified. Deidentified information is done in such a manner that the information cannot reasonably identify, relate to, describe, be capable of being associated with or be linked, directly or indirectly, to a particular consumer. 

Information security professionals can assist senior management in determining whether implementing deidentification steps will be feasible for the business. For example, management should be apprised of the fact that deidentification is a process that must be done in accordance with recognized methods and standards. Simply removing a name or other identifier might not be considered sufficient under the law. 

• Access Request Processes

As noted earlier, the CCPA gives consumers rights related to data access, data deletion and knowing about sources of data. The information security and information technology teams should work with other business units, such as compliance, legal and operations, to establish processes that can efficiently and effectively address these requests. 

Importantly, companies should note that the right to delete is not absolute. For example, under the law, consumers with a loan cannot demand that all records of who owes the money (i.e. them) be erased. That being said, best practices call for organizations to minimize the consumer-related data they collect and hold and to be prepared to justify (operationally) every element of data that is stored.

• Practically Speaking, Will CCPA Become a De Facto National Standard?  

While the CCPA directly affects only California consumers, many companies – perhaps most – might find it onerous to maintain separate processes for California residents, especially given that people move to and from the state constantly. CCPA’s privacy-related rights and protections may very well become standards afforded to all consumers nationwide. If the CCPA applies to your business and you haven’t started planning for compliance, it is imperative that you do so right away to mitigate the risk of hefty fines. However, even if you believe your organization is exempt from the law, now is a good time to consider implementing best practices that can put you ahead of the curve as privacy protections shift to the national stage.  

A version of this article was originally published by Bloomberg Law.