CYBER RISK & LAW

California Consumer Privacy Act Part I

August 5 2019

California’s new privacy law, the California Consumer Privacy Act (CCPA), which takes effect in January 2020, is causing considerable grief among Risk Managers and Privacy Officers. The law’s 24 pages are filled with directives, proscriptions, exceptions, warnings and, of course, definitions (25 of them, in fact). The law won’t be in its final form until the end of the State’s legislative term in September, but preparation needs to start as soon as practicable for businesses that operate in California. I’ve put together a three-part summary to help make sense of its various subsections. Part 1 discusses the actual obligations set forth by the law. Part 2 discusses penalties, damages and the specter of litigation arising from it. Part 3 provides some commentary on its idiosyncrasies and remaining questions.

PART 1 – CCPA OBLIGATIONS

The law applies to businesses that do business in the State of California with certain exceptions.  A business is excluded from the law if it satisfies one or more of the following thresholds:

a)     Its annual gross revenues do not exceed $25M;

b)     It buys, receives for its business commercial purpose, sells or shares for commercial purpose, alone or in combination, the personal information of less than 50,000 California residents, households or devices;

c)     It derives less than 50% of its annual revenues from selling the personal information of California residents.

If the bill does apply, it sets forth numerous obligations. The obligations require notice, disclosure and actions by a business, and allow for some conditions and exceptions to those obligations. The law also imposes some prohibitions on the handling of data by businesses. Because of its breadth and the specificity of its directives, it can be hard to work through it and put together a framework for compliance. But the first step to compliance is comprehension, so let’s break it down. The law directs businesses to 1) disclose what data they hold (1798.100), 2) delete the consumer’s personal data upon request by the consumer (1798.105), 3) disclose details about the collection and dissemination of data, by sharing or selling the data (1798.110 and 1798.115), 4) respect a consumer’s decision to “opt-out” of the sale of their data (1798.120), 5) not discriminate against a consumer that exercises these rights (1798.125), and 6) provide clear notice to consumers in a publicly facing privacy notice (1798.130). I’ve broken down each of the seven individual directives into digestible bits. To understand my methodology, we’ll use Section 1798.100 as an example.

That section establishes that a consumer has a right to know what kind of personal information a business has collected. As stated above, it sets out the business’s obligations regarding Notice, Disclosure and Actions, and adds some Conditions and Exceptions. Under Section 1798.100, a business must:

1) Provide Notice on its website of its practices,

2) Disclose to a consumer the PI that it has collected on the consumer,

3) Act promptly, and free of charge, by sending a response to a disclosure request by mail or electronically in a format that a consumer can use to transmit to any other entity,

4) On the condition that the consumer make a verifiable request, and

5) With the exception that no such obligation exists for a one-time transaction if the information is not sold or retained by the business.

The same analysis works for each section that describes compliance obligations. Click here if you’d like to see all the charging subsections broken down like my summary of 1798.100, above. Similarly, I’ve put together this spreadsheet that provides a visual approach.

While describing the obligations is a methodical exercise, implementing the law will be difficult. Implementation will not only consume time and effort but will likely require quite a bit of tinkering once the law is in effect. So how do you begin implementation efforts knowing that discrete parts of the law may very well change after September?

The first step is to understand how the law affects your particular business. That depends entirely on what “Personal Information” you possess. That sounds pretty simple, but the definition of personal information is, unfortunately, a doozy (and, perhaps fortunately, subject to amendment before the end of September). See how many problems you can find with the definition of Personal Information (hint – I’ve italicized a few):

“Personal Information means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.  Personal information includes but is not limited to the following:

(A)  Identifiers such as real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.

(B)  Any categories of personal information described in subdivision (e) of Section 1798.80.

(C)  Characteristics of protected classifications under California or federal law.

(D)  Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

(E)  Biometric Information.

(F)   Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application or advertisement.

(G)  Geolocation data.

(H)  Audio, electronic, visual, thermal, olfactory, or similar information.

(I)    Professional or employment related information.

(J)    Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99).

(K)  Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.”

The definition of Personal information excludes publicly available information, but I’ll spare you the complete definition of “publicly available”. It’s enough to know that it is public if the information is generally available from government records and if it is being used “for a purpose that is compatible with the purpose for which it is maintained and made available from the government records”. 

Got that? According to subsection (A) above, if you hold someone’s real name or alias in your records, you are obligated to comply with the CCPA. Chances are, if you have someone’s name, you have a great deal of their other data as well. So how do you begin to tackle this behemoth? Start with data mapping.

Data mapping is just what it sounds like – make a list of all the data that you collect, where it is held, and how it is handled. Data can be collected in many forms – on applications, web forms and purchase orders, and from vendors and partners. Once you have a handle on what kind of data you hold, you can focus your efforts on protecting it and putting compliance to work.

If you’ve been through a data mapping exercise in response to the GDPR, then you can likely piggyback on that effort for CCPA purposes. But if this is your first exposure to data mapping, you’ll likely need a vendor that can help you inventory your data and track its flow through your organization. After that, make sure you revisit the exercise on a regular basis to take into account changes to network systems and business practices, whether yours or your vendors’ and partners’. Compliance with the CCPA will be a difficult slog for many businesses, but working toward compliance makes far more sense than dealing with the ramifications of non-compliance. Those ramifications are addressed in Part 2 of our three-part summary.