Handling California’s ambitious data-privacy law
It may seem like the days are long, but the weeks fly by when it comes to preparing for a major new regulatory compliance regime. And that is how many businesses are likely to feel as what seemed like a generous 18-month ramp-up from passage of the California Consumer Privacy Act of 2018 (CCPA) to its January 1, 2020 effective date sped past.
Not only is the CCPA the broadest – and the most comprehensive – data privacy law ever enacted in the US, but last-minute statutory amendments and proposed implementing regulations have also made it something of a moving target as its go-live date approached. Now that the law is effective and will start to be enforced by the California attorney general on July 1, 2020, businesses subject to the CCPA should prepare to soon be held accountable for complying with it.
At the same time, companies that might not currently be subject to the law’s provisions should be planning for how to comply with it if – or potentially when – that time does arrive.
Understanding the CCPA
Even those not closely tracking cyber-security and data privacy developments are likely aware that in June 2018 California enacted a far-reaching data privacy law beyond anything currently in effect in the US.
The CCPA provides certain protections to California natural-person residents (consumers), including the right to know the nature of the personal information a business has collected about them and how that information is being used, and the right to have that personal information deleted.
If any personal information is being sold, consumers must be given an opportunity to ‘opt out’, such as a prominent ‘Do not sell my personal information’ link on a business’ website at the point of data collection. When it applies, the CCPA requires businesses to draft privacy policies that duly notify consumers of these rights and to comply with consumer requests about their personal information and how it has been shared with third parties. The CCPA also prohibits businesses from discriminating against customers who exercise any or all of their rights under the law.
The statute defines ‘personal information’ as ‘information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household.’ This includes the type of data one would expect from a cyber-security and data protection law, such as name, address, social security number and bank account information. It also includes a resident’s internet protocol address, biometric identifiers, geolocation data and employment or educational information.
Businesses subject to the CCPA include corporations and other for-profit legal entities doing business in California with annual gross revenues in excess of $25 million (adjusted for inflation) that buy, receive, sell or share the personal information of 50,000 or more California consumers and that derive 50 percent or more of their annual revenue from selling those consumers’ personal information.
It is not required that a business have employees or even a physical presence in California – even a website that is visited by California consumers will make it subject to the CCPA if the other criteria are met. And although there is a limited carve-out for businesses outside California that collect or sell the personal information of a California consumer, it applies only if ‘every aspect of that commercial conduct takes place wholly outside of California.’
GDPR compliance is not enough
Since it became effective in May 2018, US companies that handle the personal data of EU residents (data subjects) in connection with sales or marketing activities overseas have implemented corporate policies and procedures to comply with the EU’s General Data Protection Regulation (GDPR).
The good news for those companies is that many of the same systems and processes used for GDPR compliance will also help to build a CCPA program. The bad news is that the two regimes are different in numerous respects, and compliance with the GDPR does not mean one is necessarily ready for the CCPA.
Although the CCPA is generally not as comprehensive as the GDPR, each regime defines personal information in a number of ways. The CCPA’s broader concept captures data both relating to an identifiable data subject and linked at the household or device level.
Each of the regimes provides a carve-out for personal data that is rendered anonymous, but the CCPA’s standard for personal information that is duly ‘de-identified’ can be a high one to meet. Conversely, the CCPA excludes information that is publicly available from government records, but the GDPR lacks a similar exception.
As a result, even though there is significant overlap between the two standards, there are enough differences between them to require businesses with a GDPR program already in place to undergo a similar process to develop and implement policies and procedures specific to the CCPA.
Steps to prepare for CCPA compliance
There are a number of things US businesses can do to help ensure readiness for CCPA compliance now that the law has gone into effect. In the best-case scenario, companies have already undertaken some or all of these efforts during the law’s ramp-up period. If not, they should run through them to figure out, at a minimum, whether the CCPA applies to them and their data-handling activities and what they can do to get into compliance as expeditiously as possible.
Determine whether the CCPA applies now or may apply in the future: First and foremost, US businesses operating within and outside of California should immediately determine whether the CCPA applies to them. The criteria – the ‘collection’ of personal information of California consumers, with certain revenue amounts derived from the ‘sale’ of such personal information – capture a broader range of activity than may be assumed at first glance.
Collection under the CCPA captures a broad range of activity, both active and passive, that includes ‘buying, renting, gathering, obtaining, receiving or accessing any personal information pertaining to a [c]onsumer by any means.’ A sale is a similarly broad concept that captures a wide range of ways of transferring data to a third party and does not strictly require monetary payment in exchange.
And, of course, even if a business does not engage in these types of activities or does not meet the designated revenue and customer levels now, it does not mean it will not do so in the future as the business grows and evolves. The best way to ensure eventual data privacy compliance may be to implement a CCPA program now if required compliance is anticipated at some time in the future.
Know where data is stored and what is done with it: It may sound simplistic, but with the constant evolution of how data is handled and stored it can be a monumental task just to assess exactly what data from natural persons, households or devices has been obtained, how it was collected and how it is being used.
If they have not already done so, businesses should methodically inventory their customer and employee data to identify what – if any – CCPA-defined personal information they hold and how much revenue is generated from it, if any. If personal information is being transferred to vendors or other third parties, businesses should know how that transfer is taking place and for what reasons. Once this is firmly established, looking into whether and what CCPA obligations exist will be a much more manageable endeavor.
Lock that data down: Unlike the GDPR, which contains both data-breach notification obligations and cyber-security requirements, the CCPA does not impose new obligations on how personal information must be protected. The law does, however, grant the California attorney general enhanced powers to bring civil enforcement actions in the event of a breach, as well as a private right of action for plaintiffs to argue that a business did not comply with its duty to maintain reasonable security practices.
Regardless of whether the CCPA applies, businesses would be well advised to implement data-protection measures such as encryption and/or redaction now for personal information stored on their systems. In addition to being a best practice as a matter of general cyber-security hygiene, it is another way to prepare for eventual CCPA and other regulatory compliance down the road.
Start screening for minors: As part of its provisions regarding consent and the sale of personal information, the CCPA distinguishes between various age categories. For consumers aged 17 and older, the CCPA provides the right to opt out of permitting the sale of their personal information to third parties.
For consumers aged 13 to 16, a business must obtain their affirmative ‘opt-in’ consent to sell their personal information, and for consumers under the age of 13 affirmative opt-in consent must be obtained from a parent or guardian.
Although the standard for whether a business is aware of a consumer’s age is ‘actual knowledge’, such knowledge is imputed if a business willfully disregards a consumer’s age. As a result, businesses should have a process for distinguishing between age categories and for obtaining the appropriate level of opt-out and opt-in accordingly.
Be ready to respond: A significant portion of the CCPA relates to collecting and responding to requests by consumers relating to their personal information. This includes consumers’ right to the categories and specific pieces of their personal information that have been collected and sold, the right to request that their personal information be deleted and the right to request information on the business’ data policies in general.
In each case, the business must provide proper means for consumers to submit the request, such as a web portal or telephone line, and must respond to a legitimate request within a set period of time (typically 45 days). These processes could be entirely new to businesses and require substantial set-up, record-keeping and response mechanisms to be put into place.
There is still time to catch up
As of late 2019, California had still not issued final regulations for implementing the CCPA. At the same time, Congress has not moved forward with a national standard akin to the GDPR that would supplement or displace the CCPA. As a result, companies may have used this as a reason to delay developing and implementing a comprehensive CCPA compliance program.
This is, however, a risky strategy due to the potentially extensive data mapping, securing, record-keeping and reporting mechanisms to be put into place in order to get it right. Those US businesses that began the process some time ago should hopefully be in a good position now that the law has gone live. Those that have not are strongly advised to get on board sooner rather than later.
Joseph Moreno is a partner in the white collar defense and investigations group at Cadwalader Wickersham & Taft. Cadwalader partners Douglas Gansler and Jason Halper contributed to this article.
This article originally appeared in the latest Corporate Secretary special report.