Last year California passed the California Consumer Privacy Act (CCPA), which protects the privacy rights of consumers in the state of California. The CCPA is similar to the European General Data Protection Regulation (GDPR) but has some notable differences that every organization conducting business in California needs to consider. The CCPA also imposes regulatory requirements on firms outside California that provide products and services to the state's 40 million residents. For example, any business, no matter where it is based, that collects personal information from California residents may need to comply with the CCPA.

With the increased number of data breaches in the last two years, policymakers in many other states are paying close attention to private-sector data security and privacy. Other states are already using the CCPA as a model and have started passing similar legislation. Unfortunately, with less than four months before the CCPA takes effect, many businesses are completely unaware of the requirements and therefore unprepared to meet them. According to a recent ESET poll of 625 companies, 45% had never heard of the CCPA, and only 11% know whether it applies to their business.

So, what can you do to prepare for the CCPA? Here are a few things you should know to get started.

What is the CCPA?

The CCPA takes effect on January 1, 2020. According to the California Consumer Protection Act website and information compiled by Kayleigh Shuler and David Jacobson, attorneys at Gleaves & Swearingen LLP, these are the general consumer rights the act protects:

  • Consumers have the right to know what data are collected about them and why. This disclosure must be provided to consumers before the data are collected.
  • Consumers have a right to decline or refuse the sale of their information.
  • Consumers can request the deletion of their data.
  • Consumers have the right to opt-in before the sale of information of children under age 16.
  • Consumers have the right to know whom data are shared with as well as who has provided additional personal data to the business.

CCPA enforcement will be led primarily by the Attorney General of the State of California, and a company has 45 days to respond to a consumer’s request. The Attorney General can sue a company for any CCPA violation, while an individual can only sue a company if their data is breached because the company failed to implement appropriate security procedures. There are three criteria, any one of which makes a business subject to the CCPA:

  • A company has gross revenues over $25M/year; or
  • A company has 50% or more of gross revenue come from selling the personal info of California residents; or
  • A company receives personal info from 50K or more California residents, households or devices per year.

It is important to note that the CCPA may apply to any company meeting one of these thresholds, regardless of where the company has its base of operation.

CCPA vs. GDPR

Similarities:

  • Both have a broad extraterritorial scope. In other words, if you do business with someone from California you may have to comply with the CCPA, and if you do business with someone in the European Union you may need to comply with the GDPR, even if you are a Toledo, Ohio based company.
  • Both the CCPA and the GDPR provide consumers with the right to access and delete private information.

Differences:

  • The CCPA has a potentially broader definition of “private information.” Much of the rule-making process is still in motion, and further information will become available in the months to come.
  • The requirements for providing Privacy Notices are different. If you have worked to comply with GDPR, you should address this difference in your privacy policies posted on your site.
  • There are different rectification, restrictions, and objections rights. There are notable differences in enforcement actions and the process by which consumers can seek remedy.

We are a small business, why should we care?

Small businesses will likely overlook the law because it only applies to companies with revenue of over $25 million. This short-sighted approach may hinder the ability of small companies to provide services and products to larger organizations. For example, a small business may be under the revenue cap, but receive a large portion of annual revenue by providing services to larger companies who must comply with CCPA. These larger companies meet the size requirement for CCPA and serve California consumers so they will be looking for small third-party vendors who can provide services and prove compliance with CCPA. By taking steps to understand and comply with CCPA, a small business will have a competitive advantage over other third-party service providers when providing services to larger organizations in the California market. 

Let me use our company as an example. Trifoia provides e-learning development, hosting, and support services to large multi-national organizations. By bringing Trifoia into compliance with CCPA, we have a significant advantage over other service providers. Why? Because we have made a substantial investment in auditing our data policies and procedures, updating our privacy policies, and putting systems in place to comply with the reporting and data management procedures for our clients. By doing this we can assure our clients that the work we are hired to do will support compliance and not introduce risk to our clients’ business and compliance procedures — a value-added win-win.

What should a small business do to prepare for CCPA?

  1. Immediately review how personal data is processed and stored, including documenting and organizing what data is stored, where it is stored, and who has access.
  2. Evaluate how to handle requests from customers concerning data and access. What is the process for a customer to request data or deletion? What will your internal support team do when a request is received?
  3. Information security policies and procedures should be reviewed and updated. Mark this one down as a “no brainer.” This step should already be part of your internal security audit procedures. A security and privacy audit should happen every six months, and your process should now include a “crosswalk” of how your security policies meet CCPA requirements.
  4. Monitor the California Attorney General’s office’s rule-making process and stay abreast of how revisions and clarifications to the CCPA affect your industry. You can subscribe to the California Attorney General’s CCPA mailing list at https://oag.ca.gov/privacy/ccpa/subscribe.

Disclaimer: Heads up folks, I am not a lawyer, and this is not legal advice. The content of this post is for general informational purposes only.

References:

https://cdn1.esetstatic.com/ESET/US/download/ESET_CCPA_Survey_Results.pdf

https://www.wlf.org/2019/05/02/publishing/golden-state-opportunity-what-businesses-need-to-know-about-rulemaking-for-californias-privacy-act/