The CCPA went into effect on January 1, 2020, as provided in the legislation. The California attorney general, who generally enforces the CCPA, must adopt regulations on or before July 1, 2020, and may not bring an enforcement action until six months after the publication of those regulations or July 1, 2020. Any developments regarding the CCPA should be monitored carefully. Organisations that have not begun their CCPA compliance program, or have started but not completed it, should use this time to ensure they do not fall foul of the regulation and put their brand and financial position at risk.
CCPA Compliance Checklist
Although the final regulations have yet to be promulgated, the general requirements of the CCPA are sufficiently evident to enable businesses to prepare to comply with the final regulations when the Cal AG issues them, which will likely occur this fall. Accordingly, businesses should take the following steps to achieve compliance.
Confirm That Your Business is Subject to the CCPA. Entities must determine whether they are considered a “business” subject to the CCPA. For-profit companies should keep in mind that their subsidiaries and affiliates might also be considered separate businesses with independent obligations to comply with the CCPA.
Determine Whether Your Business Depends on the Sale, Sharing or Purchase of Personal Information. Businesses will need to assess whether, and to what extent, their disclosures of personal information to third parties fall under the broad definition of the “sale” of data. Because it is defined to include any disclosure of data to a third party for “valuable consideration,” the concept of selling data under the CCPA may encompass seemingly routine data transfers that do not involve direct monetary compensation.
Confirm “Reasonable Security.” Evaluate cybersecurity practices against industry-recognized standards (with prudent consideration given to the use of encryption, multi-factor authentication, and the Center for Internet Security’s Critical Security Controls).
Map How Your Business Collects, Shares and Sells Personal Information. Businesses will need to identify and track internal data flows, storage and transfers (including to service providers) in order to meet their CCPA obligations. Many businesses will reconsider their approach to personal data by building processes that foster privacy by design and by default, by anonymizing data sets when possible, and by taking their data retention and destruction policies more seriously.
Revise Privacy Policies. Revise both external and internal policies to properly reflect the personal information processing activities required to be disclosed under the CCPA and to express the new rights and mechanisms available to Californians to exercise those rights.
Enable Consumer Opt-Out of Sale of Personal Information (when applicable). Create a separate web page that gives California residents the ability to exercise their opt-out rights to the extent the business sells their personal information.
Facilitate Receipt of and Response to Consumer Requests. Develop mechanisms for accepting, tracking and verifying consumer requests, and honoring their exercise of access, deletion and opt-out rights. Companies that already comply with the GDPR will be able to leverage many of those processes.
Evaluate Third-Party and Service-Provider Arrangements. Businesses should assess the nature of personal data shared with service providers and other third parties, ensure proper vendor risk management processes are in place, and revise agreements as necessary to take CCPA requirements into account. The age-old saying remains true: a company can outsource a capability, but it cannot outsource a responsibility.
Implement a Training Program. Ensure employees who are responsible for handling consumer inquiries understand those requests and are trained to handle them in a timely, consistent and proper fashion.
What’s Next? CCPA Developments, Key Dates and Status
If you’ve found it hard to keep up with the current state of play of the CCPA, you’re not alone. The CCPA was signed into law on June 28, 2018 and became operative on January 1, 2020. At that point, businesses were expected to provide information to consumers regarding their data privacy practices going back to January 1, 2019. As a result, businesses needed to ensure that their information retention policies extend back at least a year to ensure their ability to comply. However, the Cal AG will not begin initiating enforcement actions until six months after the final regulations are published, or July 1, 2020, whichever is sooner.
Businesses that are racing to prepare for compliance are not alone in the CCPA ecosystem, as the executive and legislative branches of the California government are also working to finalize the law and implement regulations. Specifics regarding certain obligations and requirements remain in flux, and the Cal AG has been charged with adopting regulations to clarify numerous requirements under the CCPA between now and July 1, 2020.
Prior Amendments: The California legislature has continued to amend the CCPA to address various concerns from industry, clarify ambiguous provisions, and clean up sloppy language that reflects how hastily the CCPA was drafted, introduced and adopted. Since the law was initially passed, the CCPA has been amended once through SB-1121. SB-1121 addressed several areas of the CCPA. Specifically, the key amendments:
Imposed a deadline of July 1, 2020, on the Cal AG to adopt regulations furthering the purpose of the CCPA, and limited enforcement by the Cal AG until six months thereafter or July 1, 2020, whichever is sooner.
Prohibited or limited the application of the CCPA requirements to data covered by GLBA, the California Financial Information Privacy Act, HIPAA and the California Confidentiality of Medical Information Act, and entities covered by HIPAA and the California Confidentiality of Medical Information Act (to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information).
Clarified that the definition of “personal information” only applies to information that “identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.”
Removed the requirement that a consumer give the Cal AG notice within 30 days that an action has been filed prior to continuing to pursue the action. The Cal AG’s right to prohibit the private action was also removed.
Approved Amendments: In addition, six amendments were approved by the California legislature and the governor’s approval was obtained on October 11, 2019. The amendments clarify critical ambiguities in the statute (but leave many others unresolved) as follows:
Data Brokers. AB 1202 would require “data brokers,” defined as businesses that knowingly collect and sell to third parties the personal information of a consumer with whom the business does not have a direct relationship, to register with the Cal AG for publication on the Cal AG’s website. Entities regulated by the GLBA, FCRA or the California Insurance Information and Privacy Act are excluded from this provision.
Employee Coverage Limitation and Training. Notably, AB 25 provides that, until January 1, 2021, personal information that is collected by a business in the course of a person “acting as a job applicant to, employee of, owner of, director of, officer of, medical staff member of, or contractor of that business,” will not be subject to the CCPA requirements, except the CCPA’s provisions requiring notice prior to collection and providing a right to bring a private right of action based on a data breach. Among other things, AB 25 also expands the scope of information and rights that personnel responsible for handling privacy inquiries need to be trained on, and provides that businesses may require consumers to submit requests through an online account the consumer maintains with the business.
Vehicle Information Exemption and Deletion Exception. AB 1146 provides for an exemption from the “right to opt out, for vehicle information or ownership information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer, if the information is shared for the purpose of effectuating or in anticipation of effectuating a vehicle repair covered by a vehicle warranty or a recall.” AB 1146 also provides for an additional exception to a consumer deletion request for “personal information that is necessary for the business to maintain in order to fulfill the terms of a written warranty or product recall conducted in accordance with federal law.”
Definition Amendments (Personal Information and Publicly Available Information). AB 874 amends the definition of “publicly available information” to remove a condition related to government use, further clarifying that it is not personal information. AB 874 also amends the definition of “personal information” to insert “reasonably” in front of “capable of being associated with” to provide additional contours around the broad definition of “personal information.”
Personal Information and Discrimination. AB 1355 provides for a host of amendments and revisions to the CCPA. Among other things, AB 1355 clarifies that:
the standard for determining if a business may discriminate against a consumer for exercising their rights under the CCPA is if the differential treatment is reasonably related to value provided to the business by the consumer’s data.
de-identified data is excluded from the definition of personal information.
Disclosure Methods. AB 1564 provides that “a business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information is only required to provide an email address for submitting requests for information required to be disclosed” rather than a toll-free phone number. In addition, if the business maintains an internet website, the business is only required to make the internet website address available to consumers to submit requests for information required to be disclosed.
With the holiday season now behind us and the act in force since January 1, 2020, businesses that have not already begun compliance would do well to begin preparations immediately, before enforcement begins.
To the extent a business already has implemented certain processes under the GDPR, it should leverage those procedures (and the accompanying lessons learned) as tailored to the specific requirements for, and demands of, California residents. For example, data mapping exercises and records of processing completed under the GDPR can provide a business with a head start in identifying the categories of information it collects, the purposes for which that data may be disclosed, the security and retention relating to that data, and the third parties to which such personal information is disclosed. In addition, mechanisms implemented to receive and process data subject requests could be used for the same activity under the CCPA. Obviously, there will be some tweaking necessary to ensure that the consumer rights being identified are consistent with the rights provided to consumers under the CCPA (and not the GDPR), but GDPR-compliant businesses will not need to create a compliance program from the ground up. In contrast, companies that have not suffered through GDPR growing pains will find the CCPA to be more of a challenge.
Relentless Privacy and Compliance Services Ltd provides organisations with local and global data privacy consultancy, ensuring your organisation remains compliant wherever your operational data processing takes place.
The most comprehensive data privacy law in the United States, the California Consumer Privacy Act (CCPA), took effect on January 1, 2020. The CCPA is an expansive step in U.S. data privacy law, as it enumerates new consumer rights regarding collection and use of personal information, along with corresponding duties for businesses that trade in such information.
While the CCPA is a state law, its scope is sufficiently broad that it will apply to many businesses that may not currently consider themselves to be under the purview of California law. In addition, in the wake of the CCPA, at least a dozen other states have introduced their own comprehensive data privacy legislation, and there is heightened consideration and support for a federal law to address similar issues.
Below, we examine the contours of the CCPA to help you better understand the applicability and requirements of the new law. While portions of the CCPA remain subject to further clarification, the inevitable challenges of compliance, coupled with the growing appetite for stricter data privacy laws in the United States generally, mean that now is the time to ensure that your organization is prepared for the CCPA.
Does the CCPA apply to my business?
Many businesses may rightly wonder if a California law even applies to them, especially if they do not have operations in California. As indicated above, however, the CCPA is not necessarily limited in scope to businesses physically located in California. The law will have an impact throughout the United States and, indeed, worldwide.
The CCPA will have broad reach because it applies to each for-profit business that collects consumers’ personal information, does business in California, and satisfies at least one of three thresholds:
Has annual gross revenues in excess of $25 million; or
Alone or in combination, annually buys, receives for commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more California consumers; or
Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
While the CCPA is limited in its application to California consumers, due to the size of the California economy and its population numbers, the act will effectively apply to any data-driven business with operations in the United States.
How is “personal information” explained under the CCPA?
The CCPA’s definition of “personal information” is likely the most expansive interpretation of the term in U.S. privacy law. Per the text of the law, personal information is any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The CCPA goes on to note that while traditional personal identifiers such as name, address, Social Security number, passport, and the like are certainly personal information, so are a number of other categories that may not immediately come to mind, including professional or employment-related information, geolocation data, biometric data, educational information, internet activity, and even inferences drawn from the sorts of data identified above.
As a practical matter, if your business collects any information that could reasonably be linked back to an individual consumer, then you are likely collecting personal information according to the CCPA.
When does a business “collect” personal information under the CCPA?
To “collect” or the “collection” of personal information under the CCPA is any act of “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means.” Such collection can be active or passive, direct from the consumer or via the purchase of consumer data sets. If your business is collecting personal information directly from consumers, then at or before the point of collection the CCPA imposes a notice obligation on your business to inform consumers about the categories of information to be collected and the purposes for which such information will (or may) be used.
To reiterate, if your business collects any information that could reasonably be linked back to an individual, then you are likely collecting personal information according to the CCPA.
If a business collects personal information, but never sells any of it, does the CCPA still apply?
Yes. While there are additional consumer rights related to the sale of personal information, the CCPA applies to businesses that collect personal information solely for internal purposes, or that otherwise do not disclose such information.
What new rights does the CCPA give to California consumers?
The CCPA gives California consumers four primary new rights: the right to receive information on privacy practices and access information, the right to demand deletion of their personal information, the right to prohibit the sale of their information, and the right not to be subject to price discrimination based on their invocation of any of the new rights specified above.
What new obligations does a business have regarding these new consumer rights?
Businesses that fall under the purview of the CCPA have a number of new obligations under the law:
A business must provide at least two mechanisms for consumers to exercise their CCPA rights by offering, at a minimum, a dedicated web page for receiving and processing such requests (the CCPA is silent on whether this web page must be separate from or can be combined with the “Do Not Sell My Personal Information” page), and a toll-free 800 number to receive the same.
Upon receipt of a verified consumer request to delete personal information, the business must delete that consumer’s personal information within 45 days.
Upon receipt of a verified consumer request for information about the collection of that consumer’s personal information, a business must provide the consumer with a report within 45 days that includes the following information from the preceding 12 months:
Categories of personal information that the business has collected about the consumer;
Specific pieces of personal information that the business possesses about the consumer;
Categories of sources from which the business received personal information about the consumer;
A corporate statement detailing the commercial reason (or reasons) that the business collected such personal information about the consumer; and
The categories of third parties with whom the business has shared the consumer’s personal information.
Upon receipt of a verified consumer request for information about the sale of that consumer’s personal information, a business must provide the consumer with a report within 45 days that includes the following information from the preceding 12 months:
Categories of personal information that the business has collected about the consumer;
Categories of personal information that the business has sold about the consumer;
Categories of third parties to whom the business has sold the consumer’s personal information; and
The categories of personal information about the consumer that the business disclosed to a third party (or parties) for a business purpose.
Update its privacy policy so that it does the following:
Identify all new rights afforded consumers by the CCPA;
Identify the categories of personal information that the business has collected in the preceding 12 months;
Include a corporate statement detailing the commercial reason (or reasons) that the business collected such personal information about the consumer;
Identify the categories of personal information that the business has sold in the prior 12 months, or the fact that the business has not sold any such personal information in that time; and
Note the categories of third parties with whom a business has shared personal information in the preceding 12 months.
What about employee data gathered by employers for internal workplace purposes?
As currently drafted, nothing in the CCPA carves out an exception for employee data gathered by employers. A “consumer” is simply defined as a “natural person who is a California resident …,” so the law would presumably treat employees like anyone else. However, the California legislature recently passed Bill AB 25, which excludes from the CCPA information collected about a person by a business while the person is acting as a job applicant, employee, owner, officer, director, or contractor of the business, to the extent that information is collected and used exclusively in the employment context. Bill AB 25 also provides an exception for emergency contact information and other information pertaining to the administration of employee benefits. The governor signed the bill on October 15.
A complex issue under the California Consumer Privacy Act is how to interpret the definition of “sale” and how to know whether exceptions, such as the one for a “service provider,” apply.
When asked, most companies state honestly they do not “sell” customer data, but the CCPA defines the term in a surprisingly broad way that sweeps in any arrangement involving an exchange of value (“consideration”) between the business and a third party or another business for the personal information. The definition of sale may expansively apply to disclosures to vendors that process data for their own analytics or other secondary purposes.
In general, the CCPA imposes strict requirements on the “sale” of personal information (e.g., a “Do Not Sell My Personal Information” button on homepages, rights to opt out, and the like). Businesses should, therefore, conduct due diligence on a case-by-case basis as to whether to seek shelter from the definition of “sale” under the CCPA for disclosures to a “service provider.” The due diligence should involve a review of the existing contractual terms and may require modifications to the underlying agreement and the obligations of the parties.
What qualifies as a ‘service provider’?
The CCPA distinguishes between service providers and third parties by describing a third party in the negative and the requirements for a written contract that governs a data transfer between parties. Under the law’s construction, a “service provider” is:
(1) A legal entity organized for profit.
(2) That processes personal information on behalf of a business.
(3) To which the business discloses a consumer’s personal information for a business purpose.
(4) Pursuant to a written contract that prohibits the legal entity from retaining, using, or disclosing the personal information for any purpose (including a commercial purpose) other than performing the services specified in the contract.
Businesses must also:
(5) Provide proper notice to consumers about personal information sharing practices.
(6) Prohibit the service provider from further collecting, selling or using the personal information except as necessary to perform the business purpose.
In addition, if the service provider agrees to additional contractual terms to assure that it does not qualify as a “third party,” the business will benefit from certain liability protection. In particular, the business would need to include a provision in the written contract that:
(7) Prohibits the recipient from:
(a) Selling the personal information.
(b) Retaining, using or disclosing the personal information for any purpose other than performing the services.
(c) Retaining, using or disclosing the personal information outside of the direct business relationship between the recipient and the business.
The business would also need to:
(8) Obtain a certification that the recipient understands these restrictions and will comply with them.
In practice, the provisions required under elements (7) and (8) largely overlap with those of elements (1) through (6), but they are treated separately here to help understand how they may be applied to actual scenarios.
How does the service-provider exception play out in practice?
Website-hosting provider
A website-hosting provider would be a logical vendor to consider as a service provider, depending on the specifics of the arrangement. For example, does the provider assert broad rights to use personal information collected on the site for its own purposes? Does the provider exchange any consideration with third-party advertising agencies with respect to cookies and other tags placed on users of the site?
These factors would suggest that the vendor might not meet element (6) and might be reluctant to enter into a written contract that significantly cuts back on these rights. Also, what about element (3), which suggests that the business must physically disclose the data to the vendor and the vendor cannot directly collect the data from the consumer? It seems unlikely that a vendor should be disqualified from the service-provider exception on this basis alone, as there is no strong public policy reason why an agent cannot be hired to collect data on behalf of a business, but because there is no official guidance on this point, it will be important to track this issue carefully.
Customer relationship management provider
A CRM provider would also seem to be a good candidate for the service-provider exception, again depending on the specifics. For example, what if the CRM provider uses personal information of multiple customers to perform broad market analysis and forecasting of trends and provide that data back to each of its business customers as a service?
Although the data is not shared in identifiable form across the different business customers, the underlying analysis would use the personal information and would benefit multiple customers. This appears to raise an issue under element (6) and a potential concern for the contractual obligations under elements (4), (7) and (8). The extent of the concern, however, could potentially be reduced by further contractual terms. For example, if the “business purpose” as defined in the services contract included an obligation for the provider to deidentify data and to use the data for analytics in order to provide the market and trending analysis back to the business customer, this could bring these activities closer to a use on behalf of the business and the definition of “service provider.”
Independent auditor
Unlike the prior two examples, an independent auditor is an example that might be at odds with the core definition of a service provider and omitted from the exception. The federal securities laws generally require publicly held companies to engage an independent auditor to report on the accuracy of financial reports that the company files with the U.S. Securities and Exchange Commission. By definition, the auditor is not collecting and analyzing information “on behalf of” the company when it analyzes data, including personal information, as an independent assessor of the company’s financial statements. As such, an independent auditor likely does not meet element (2) where it does not act “on behalf of” the business.
What are the other options?
If the vendor is not a “service provider,” does that mean the disclosure is always a “sale”? No.
The business should examine whether there are other grounds to show that the disclosure is not a sale. For example, regarding the independent auditor, the business could say that there is no valuable consideration exchanged for the personal information obtained in the audit given that an auditor does not in any meaningful sense pay for the data. The business could also assert the independent auditor is not a “third party” that triggers the “sale” provision if the business imposes a written contract that includes elements (7) and (8). Note that these elements do not include the “on behalf of” requirement that applies to service providers, so it might fit for an independent auditor.
Ultimately, in preparation for the CCPA, each business should conduct a due diligence process across its personal information sharing arrangements to determine whether disclosures that do not appear to meet the exceptions described above are subject to other exceptions to sale, such as sharing at the direction of the consumer. A thoughtful assessment is needed given the newness of the rules and the complexity of arrangements in the digital age.
Like any new project, the question of “where do I start?” is frequently one of the biggest hurdles and can delay the initiation of the project. Therefore, to help with this first step, we’ve set out below our top tips for tackling CCPA compliance.
(1) Leverage your GDPR or other privacy programs. Although there are significant differences between the CCPA and the European Union General Data Protection Regulation (“GDPR”), many of the obligations imposed by the CCPA (e.g., notice, information gathering, obligations for data sharing, access rights, deletion rights, and opt-out rights) are similar enough that companies can and should try to leverage the work they undertook to address the similar obligations for GDPR as the starting point for building out a CCPA compliance program.
(2) Identify a cross-functional CCPA team. To address the requirements of the CCPA in a meaningful way, companies will need to tap into the expertise of a variety of different stakeholders and departments across the organization and develop a coordinated approach. In addition to needing strong legal and privacy support to help shape different elements of the CCPA program, it is critical to obtain the support and buy-in of the IT teams to implement the technical obligations of the CCPA, such as mechanisms that allow consumers to opt out of the sale of their personal information and mechanisms to delete personal information. Similarly, stakeholders from marketing or other functions that are key users of personal information within the company are critical for helping companies understand how personal information is gathered from consumers and how it is used across the company. Without this 360-degree view of information collection, use and sharing practices, it will be very difficult to develop the multi-layered solutions that are critical for CCPA compliance.
(3) Develop a strategy for information gathering and categorization. As with all privacy compliance programs, the foundation for a strong CCPA compliance program is understanding and documenting what personal information your organization collects as well as how such information is used and disclosed (both internally and externally). This is a deceptively complicated task and may be the most labor- and time-intensive element of building your CCPA compliance program. Obtaining this information from across the company in sufficient detail to meet the requirements of the CCPA often requires additional resources in the form of staffing or specialized service providers.
(4) Determine where you “sell” personal information. One of the most formidable elements of the CCPA is its broad definition of what constitutes the “sale” of personal information, for which the company must provide notice and a right for consumers to opt-out. This definition sweeps in a broad array of disclosures that do not meet the traditional notions of sale (e.g., intra-affiliate sharing of personal information in certain circumstances). Therefore, companies need to really understand their disclosures of personal information – including in the online environment (e.g., online behavioral advertising) – and develop a strategy for determining which disclosures qualify as sales and for addressing opt-outs related to these disclosures (or opt-ins for minors). In addition, it will be important to develop template contract language for the various types of disclosures and to begin to build out the mechanisms for honoring consumer choice requirements under the CCPA.
(5) Be ready to update company privacy statements and similar disclosures. The CCPA sets out specific content requirements for online privacy policies and also requires that consumers be notified about personal information collection at or before the time the information is collected. Companies need to understand what specifically must be included in their consumer-facing notices and be prepared to update them to meet these content requirements.
One last tip: Don’t forget to monitor other state and federal law developments. The CCPA is not the only US privacy law on the horizon. Nevada recently enacted a similar but more limited consumer privacy law, and a number of other states are expected to follow suit this year or next. At some point, federal privacy legislation may also come into play. Companies should be looking down the road at these rules and trying to anticipate and leverage the steps for CCPA compliance.
As the CCPA’s effective date approaches, businesses are actively monitoring how companies will update their websites and privacy notices to comply with the new disclosure requirements of the Act. While many companies are prepared to update their websites at the end of the year, websites that are preemptively changed before year-end are reviewed and scrutinized for signs of emerging industry standard practice.
To date, the placement of a “do not sell” link on a website has not risen to the level of an industry practice.
In order to help companies understand and benchmark standards and practices, BCLP analyzed a random sample of the privacy notices of Fortune 500 companies.[1] Based upon that sample, and as of December 20, 2019, only 4% of the total sample population had placed a “Do Not Sell My Personal Information” link either within their privacy notice or on their homepage.[2]
The percentage is slightly higher when viewed as a function of only those websites that have already updated their privacy notices for the CCPA. Within that sub-sample, 18% of companies have included a “Do Not Sell My Personal Information” link.
Interestingly, none of the companies that have included such a link appear to have a working mechanism for effectuating a “do not sell” request. One company’s link takes users to a data subject request portal that does not contain a “do not sell” option; the other company’s link takes users to an online chat bot that does not respond to requests for information not to be sold.
It remains to be seen whether regulators and the plaintiff’s bar will view the inclusion of a link that is not functional as raising legal concerns under the Federal Trade Commission Act (“FTCA”) and state Unfair and Deceptive Trade Practice Acts (“UDTPA”).
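The benchmarking above was done by hand; a business auditing its own sites (or its subsidiaries’ sites) can automate the first two checks, namely whether the link the Act requires is present at all and whether its target is obviously inert. The following is an added example, not code from this article or from BCLP’s study. It uses only the Python standard library and runs on saved HTML, so it works offline. The sample pages are constructed here for illustration; the exact link title it searches for is the one the statute prescribes. It cannot tell whether a live link actually leads to a working opt-out mechanism (the portal-without-an-option and chat-bot cases described above); that still requires following the link.

```python
"""Audit saved HTML for the CCPA "Do Not Sell My Personal Information" link.

Added example (not the article's or BCLP's code). Checks two things that can be
verified statically: the required link text is present (Cal. Civ. Code
1798.135(a)(1)), and its href is not an obviously dead target such as "#",
an empty string or a javascript: pseudo-URL. Whether a live target actually
works cannot be determined without following it.
"""
import re
from html.parser import HTMLParser

REQUIRED_TITLE = "do not sell my personal information"
# Targets that cannot lead anywhere: empty, bare "#", or javascript: handlers.
INERT_HREF = re.compile(r"^(#|javascript:.*)?$", re.IGNORECASE)


class _AnchorCollector(HTMLParser):
    """Collects (visible text, href) for every <a> element, tolerating nested tags."""

    def __init__(self):
        super().__init__()
        self._href = None      # None means "not inside an <a>"
        self._text = []
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse line breaks and runs of whitespace so wrapped link text still matches.
            text = re.sub(r"\s+", " ", "".join(self._text)).strip().lower()
            self.anchors.append((text, self._href))
            self._href = None


def find_do_not_sell_links(html):
    """Return [(text, href)] for anchors whose visible text is exactly the required title."""
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    return [(t, h) for t, h in parser.anchors if t == REQUIRED_TITLE]


def audit_page(html):
    """Classify a page as 'missing', 'inert' (link present, dead target) or 'present'."""
    links = find_do_not_sell_links(html)
    hrefs = [h for _, h in links]
    if not hrefs:
        return {"status": "missing", "hrefs": []}
    live = [h for h in hrefs if not INERT_HREF.match(h.strip())]
    return {"status": "present" if live else "inert", "hrefs": hrefs}


# Constructed sample pages (not real company sites).
SAMPLE_COMPLIANT = """<html><body><footer>
  <a href="/privacy">Privacy Notice</a>
  <a href="/privacy/do-not-sell">Do Not Sell My
     Personal Information</a>
</footer></body></html>"""

SAMPLE_INERT = """<html><body>
  <a href="#">Do Not Sell My Personal Information</a>
</body></html>"""

SAMPLE_MISSING = """<html><body>
  <a href="/privacy">Privacy Policy</a>
  <a href="/requests">Submit a Data Request</a>
</body></html>"""

if __name__ == "__main__":
    for name, page in [("compliant", SAMPLE_COMPLIANT), ("inert", SAMPLE_INERT),
                       ("missing", SAMPLE_MISSING)]:
        print(name, audit_page(page))
```

Run it over the homepage and the privacy notice separately, since the statute requires the link in both places; a “present” result on one page and “missing” on the other is still a gap.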
With 4 days until the CCPA enters into force on 01/01/2020, see how Relentless Data Privacy can achieve your baseline compliance in time for the 1st of January.
For more information and resources about the CCPA see our
[1] Using a computer random number generator, BCLP selected 10% of the companies listed among the Fortune 500 in 2019. Revenues for the selected companies ranged from $85 billion to $5 billion. While BCLP did not conduct statistical analysis to determine whether the sample selected accurately represented the range of businesses in the United States, the sample contained companies focused on retail, financials, food, agriculture, manufacturing, entertainment, and energy.
[2] In the event that a business sells personal information (as those terms are defined within the CCPA), the Act requires the business to include a link on its homepage and in its online privacy notice titled “Do Not Sell My Personal Information.” Cal. Civil Code § 1798.135(a)(1), (2)(A). Note that the percentage of businesses that include the Do Not Sell link decreased since our last weekly report. The decrease was due to the broadening of the sample frame from 6% of the Fortune 500 to 10% of the Fortune 500 in order to increase statistical confidence.
Did you know that the new California privacy law could have an impact on your business, even if you’re not based in the Golden State? Discover what the CCPA means for you, and for the future of data protection regulations around the world.
The arrival of the General Data Protection Regulation back in May 2018 served as a wake-up call for the rest of the world. No longer could businesses afford to be lackadaisical about consumer privacy or how they manage their data. With widespread implications not only for organisations within the European Union but for those based internationally as well, GDPR prompted lawmakers across the globe to not only take note but act. One of the first to do just that was the US state of California, which, mere weeks after GDPR came into effect, signed into law its own updated data protection rules, known as the California Consumer Privacy Act (CCPA) of 2018. So far, so interesting, but what does any of this have to do with you? After all, your business isn’t based in California; it’s based in another US state entirely, or even in a completely different country.
Does that mean the California Consumer Privacy Act of 2018 doesn’t affect you?
Is it time to stop reading this article and go about your day?
Not exactly. Here’s the truth:
The Consumer Privacy Act Could Impact Your Business
In fact, according to the International Association of Privacy Professionals (IAPP), the legislation will apply to more than 500,000 companies in the United States. That’s not to mention the impact it’s likely to have internationally.
But what exactly is this impact?
How will the new Consumer Privacy Act affect your business?
At Relentless, we specialise in helping businesses manage their data protection and enjoy frictionless compliance with current legislation in a way that helps them to grow in today’s privacy-savvy culture.
Today, we’ll talk about why the new California legislation could impact your business wherever you are in the world and offer our expert insights on what you might need to do to ensure long-term compliance.
However, before we get to that, let’s first answer the one question that’s most on your mind:
What is the California Consumer Privacy Act 2018?
Signed into law on June 28th, 2018, the CCPA takes its cues directly from GDPR, giving Californians many of the same rights as those laid out in the EU-wide regulation. Putting the new bill together, lawmakers wrote:
“California consumers should be able to exercise control over their personal information, and they want to be certain that there are safeguards against misuse of their personal information”.
“It is possible for businesses both to respect consumers’ privacy and provide a high-level transparency to their business practices.”
To ensure that businesses are both transparent and respectful when it comes to consumer privacy, the new act gives those consumers the right to request that a business disclose the following key details:
The categories and specific pieces of personal information that it has collected about them.
The categories of sources it has used to collect that information.
The reasons why it has collected that information, whether that is to use it for business purposes or to sell it to a third party.
The categories of third parties with which the information will be shared.
What else does the CCPA say?
Along with making it a requirement to meet those data requests at no cost to the individual, the new law gives businesses several other obligations. These include:
Informing people about the categories of personal information being collected and the purposes for which the information will be used, before that data is collected or, at the very least, at the point of collection.
Providing the same levels of service and pricing to individuals who exercise their privacy rights.
Not selling on personal information if an individual has said no to this.
Does CCPA Apply to My Business?
Contrary to what some believe, the California Consumer Privacy Act doesn’t just apply to those businesses based within California. Rather, any business with customers in California can be affected if that business meets any one of the following three criteria:
The business has annual gross revenues of at least $25 million.
For commercial purposes, the business buys, receives, sells or shares the personal information of at least 50,000 consumers, households or devices.
The business derives at least 50% of its annual revenues from selling the personal information of consumers.
This includes those businesses who are based in other US states, or even in other countries.
The immediate and long-term impact of CCPA
So, with all that being said, how exactly does CCPA affect your business? The most obvious answer is this:
If your business meets any of the above criteria, then you’ll need to be sure you’re fully prepared and fully equipped to deal with the deluge of data requests likely to come your way.
Most experts predict that Californians are going to be quick off the mark when it comes to exercising their new privacy rights. Requests are likely to come in two forms: those from citizens who want to know what types of data you hold on them, and those from citizens who want to exercise what is often known as “the right to be forgotten” and have the data you hold about them deleted.
So if you don’t yet have a system in place to respond to those requests, now is the time to start putting one in place. Before you start panicking, however, here’s the good news.
CCPA doesn’t come into effect until January 1st, 2020.
At time of writing, that gives affected businesses under one month to get ready. But what about those businesses not immediately impacted by CCPA? What happens if you don’t have customers in California?
Does that mean you can forget all about data protection and carry on as normal? Not quite.
Here’s the thing:
The California Consumer Privacy Act of 2018 is only the beginning of a widespread shift in privacy culture. Yes, California may be the first US state to adopt a GDPR-like approach to consumer privacy, but it certainly won’t be the last. Georgia has already started working on new privacy laws, and many other US states are expected to follow suit.
In other words, by the first half of the next decade, we should well expect to see GDPR-style regulations become the norm across the United States as well as other non-US and non-EU countries.
So, even if you’re not immediately impacted by CCPA, you’ll still find it beneficial to make changes now and avoid getting caught out when new laws do start to affect you.
How GDPR Compliance Can Help You Prepare for CCPA
Of course, all this begs one very important question: What does your business have to do to get ready for the arrival of CCPA or other privacy regulations that could be implemented in the coming years?
In many cases, the changes you need to make to your systems, processes, or culture as a whole may be minimal, especially if you’ve already taken the necessary steps to ensure you’re fully compliant with the General Data Protection Regulation. Remember, CCPA is directly influenced by GDPR, just as most new privacy laws are expected to be in the future. So, if you’ve taken the necessary steps as outlined in our GDPR compliance assessment, you may well find that you’re already well on your way to CCPA compliance.
If not, don’t worry: Help is at hand.
At Relentless Privacy & Compliance we work with businesses across the globe to help them enjoy frictionless compliance with international privacy laws.
From training and consultancy that empowers your employees with the skills and know-how they need to protect your customers’ private information to hands-on support with developing the kind of secure, effective data protection processes that enable your business to thrive in the digital economy, we offer bespoke services tailored to help you achieve your long-term goals.
See our comprehensive CCPA Service to see how we can help you prepare for and achieve CCPA compliance
If you are not a California business, you might be wondering what it means to “do business in California.” The CCPA does not provide any explanation, and the attorney general’s proposed regulations that were issued on October 10, 2019 do not address this issue either. In the absence of any legislative or regulatory guidance, this is best viewed in terms of what is sufficient to establish personal jurisdiction to haul a non-California business into state court in California. For purposes of CCPA coverage of employee data, if a non-California business that fits the revenue threshold or one of the other criteria has one employee in the state, that business must comply with the CCPA with respect to that employee’s personal information. If a non-California business is actively and directly recruiting candidates for employment in California, the business would likely be subject to the CCPA with respect to personal information it collects from California candidates.
Employers doing business in California that do not meet the $25 million revenue threshold may still be covered by the CCPA if they have received from any source or shared the personal information of 50,000 or more California-based employees, job applicants, or other residents in the last 12 months. This includes not just your employees and job applicants, but also information about the family members and dependents of your employees that you may be collecting as part of insurance enrollment paperwork or even in an emergency contact form.
Another way of potentially satisfying the 50,000 threshold is if you collected and tracked through your website information about 50,000 or more devices that were used to access the website. For example, a small business that has a website with 137 unique visits per day and collects data about the devices or consumers who are accessing the site is likely going to meet the threshold.
Are Any Industries Exempt?
There are some exceptions, but they are more nuanced than a full exemption from the CCPA. For example, a HIPAA-covered entity is exempt from the CCPA with respect to patient information that is maintained in accordance with HIPAA regulations, but it is NOT exempt with respect to the data of its California-based employees and job applicants. Similarly, a consumer credit reporting agency or background check company is exempt from the CCPA with respect to information in consumer reports that it compiles and provides to its clients, but it is NOT exempt with respect to the data of its own California-based employees and job applicants.
What Employee Information is Covered by the CCPA?
The CCPA as enacted makes no distinction between employees and consumers. “Personal information” is defined so broadly that it potentially covers all information you collect, maintain, or share about job applicants, employees, and their family members or dependents that could identify the individual or be used in conjunction with other information to identify the individual.
This would include, for example, the name of an employee in conjunction with the state or federal protected category they are in (such as age, race, gender, sexual orientation, religion, disability, etc.). It also potentially would include network or internet activity logs on company computers assigned to employees that show user activity such as search and browser history. The definition of “personal information” also lists the broad category of “professional or employment-related information” without any definition or parameters of what that entails.
Covered employee information potentially could include, for example, personnel files, payroll records (pay stubs, timesheets, direct deposit information, tax withholding information, etc.), health insurance records, workers’ compensation files, and training records. If you provide your employees any company computers or devices and collect information about their internet usage on those devices or geolocation information (to track where they go with the company-issued devices), this information could also be subject to the CCPA.
How Does AB 1355 Amend the CCPA?
AB 1355, which passed the legislature unanimously, makes a number of changes to the CCPA. First, it clarifies that personal information does not include information that has been “deidentified.” Information is deidentified when all identifiers that would link the information to the individual have been removed, such as through redaction of information that could be used to identify the individual.
In addition, AB 1355 clarifies that personal information does not include “aggregate consumer information,” which is defined as “information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device.” In the employment context, aggregate information may be reports or spreadsheets with information about groups of employees where the names or other employee identifiers have been removed (for example, EEO-1 reports, demographic reports, or pay equity reports that address aggregate information for groups of employees without identifying them).
Finally, AB 1355 specifies that, until January 1, 2021, certain CCPA obligations do not apply to personal information reflecting specified “business-to-business” communications or transactions. Specifically, the bill excludes a communication or transaction between a business and a consumer (including another business) where the communication occurs solely within the context of the business conducting due diligence or providing or receiving a product or service from that business.
What Does the CCPA Require a Covered Employer to Do?
Employers have their work cut out for them, but the governor’s signing of AB 25 gives you a one-year reprieve from having to comply with most of the CCPA’s requirements. Covered businesses now have until January 1, 2021 to meet all the CCPA’s requirements except for two.
First, covered businesses must still ensure they have implemented reasonable security measures, both physical and electronic, to safeguard the personal information of employees and job applicants. In the event of a data breach resulting from failure to implement reasonable security measures, an affected employee can file an individual lawsuit or a class action and potentially recover between $100 and $750 per consumer per data breach incident or their actual damages, whichever is greater. Accordingly, all covered businesses should reassess their electronic and physical security measures to ensure they are all up to date. It is a best practice to undergo an external security audit by an independent security consulting firm, not by your internal or outsourced IT vendor.
Prior to a security audit, however, and in order for such an audit to be comprehensive enough, you should engage in “data mapping,” which involves mapping out in a living document that is continually updated (1) all of the items of personal information the business collects, retains or shares; (2) where the information is physically and electronically stored; (3) who at the company has access to the information; (4) with whom the information is shared outside the company; and (5) the business purposes for which the information is used or shared. A data map will help guide the security auditor to ensure that reasonable security measures are in place at all access points and for all items of information maintained by the business.
Second, the deadline will remain January 1, 2020 for the requirement of disclosing to employees and job applicants the categories of personal information you collect about them and the purposes for which the information will be used. This disclosure must be made before or at the time you receive personal information of any employee or job applicant.
The disclosure need not list every piece of information you collect about the employee, but rather only the categories of information. For clarity, you should consider listing examples of information within each category (for example, “Employee Pre-Hire Documents, such as job applications, resumes, background check forms and results, drug test forms and results, job interview notes, and candidate evaluation records.”).
The CCPA provides several examples of business purposes for which information may be maintained and that covered employers can list in the disclosure. Starting January 1, 2020, covered employers will be prohibited from using any employee personal information for any purpose that is not listed in the disclosure provided to employees. Therefore, the disclosure should be as comprehensive as possible in terms of identifying all business purposes for which the information is used. Examples of business purposes that are common in the employment context include the following:
to comply with state and federal law requiring employers to maintain certain records;
to effectively process payroll;
to administer and maintain group health insurance benefits, 401K and/or retirement plans; and
to manage employee performance of their job duties.
While the CCPA simply requires the disclosure notice to identify the categories of personal information and business purposes (which many practitioners have interpreted to mean two separate lists: all the categories, followed by all the business purposes for which any of the information may be used), the attorney general’s proposed regulations, if adopted, would require the notice to list, for each category of personal information, all the business purposes for which that particular category will be used. The proposed regulations are not expected to become final rules until the spring of 2020.
For current employees, the disclosure can be made to them as a group in the employee handbook or through a memo to all employees. Technically, there is no requirement that employees sign an acknowledgment of receipt of the disclosure, but practically having their signature will be the only sure way to prove that they received it. We often encounter employees who later deny receipt of policy documents in order to leverage an advantage in litigation, and it’s easy to avoid this situation by obtaining a simple signature.
As for job applicants, since the CCPA requires that the disclosure be made at or before the transaction in which the personal information is collected, the best approach is to include the disclosure with the job application.
Without Further Action, What Will a Covered Employer Have to Do by January 1, 2021?
AB 25 does not exempt employers from any of the CCPA’s requirements, but rather employers will have an additional year to comply with all but the two requirements discussed above. Unless the exemption is further extended by the legislature next year, the CCPA will require covered employers to do the following, among other steps, by January 1, 2021:
Expand the disclosure provided to employees and job applicants in 2020. In addition to describing the categories of information the employer collects and the business purposes for which it uses the information, the disclosure must provide them with notice of their rights under the CCPA (including the right of access, deletion, and receiving a copy of the information), state whether the information is being shared with any third parties, and name the third parties with whom the employer will share the information. The CCPA prohibits using the information for any purpose that is not listed in the disclosure and from sharing the information with any third party that is not named as well. The disclosure can be amended.
Implement at least two methods by which employees and job applicants can submit verifiable “consumer requests.”
Track and respond within 45 days to verified consumer requests from employees and job applicants. This can be extended an additional 45 days.
Again, unless the legislature extends the exemption further, there are three types of consumer requests that your employees and job applicants will be entitled to submit under the CCPA starting on January 1, 2021:
(a) request for disclosure of what personal information you have about the individual or what information you have shared;
(b) request for deletion of the information; and
(c) request for access to or a copy of some or all of the information, which must be provided free of charge.
The third type of request is the most sweeping change that could potentially impose significant burdens on employers. Such requests include a request for a copy of all the employee’s personal information the employer has obtained, compiled, or shared in the last 12 months. Since the definition of “personal information” is so broad, the CCPA (without amendment) may allow employees and their attorneys to request and obtain from you free of charge a lot more than what the law otherwise permits – a significant amount more than just an employee’s personnel file and payroll records. To say that this permits potentially abusive and burdensome pre-litigation discovery would be an understatement.
The exemption created under AB 25 was limited to one year at the request of organized labor and privacy advocates, who indicated that they want to engage in a discussion in 2020 regarding concerns over “workplace privacy” and “workplace surveillance.” If agreement is reached next year on these broad issues, there is hope within the business community that the exemption to the CCPA for employment data could be extended further. So employers will have to stay tuned next year to see if further relief is provided or whether the other requirements of the CCPA will apply to employers beginning in 2021.
Next Steps for Employers
As the CCPA’s compliance deadline is fast approaching, you would be wise to stay ahead of the curve on privacy practices, whether or not you are presently subject to the CCPA. But if you are subject to the CCPA, then you have three tasks to complete by December 31, 2019 that practically require getting started as soon as possible:
(1) “data map” all your employee data;
(2) undergo a security audit to ensure that you have implemented reasonable physical and electronic security measures to protect private information; and
(3) draft the disclosure to employees and job applicants as described above.
It is best to work with a privacy consultant on these steps. This provides certainty for your organisation’s compliance whilst you concentrate on your operational strategy.
See how Relentless provides certainty for our clients
In June 2018, California passed a law called the California Consumer Privacy Act, or CCPA. The CCPA regulates how companies handle personal information that belongs to California consumers, but it is not restricted to California companies. The CCPA grants California consumers new rights to access and delete their data while placing restrictions on entities that collect, store, and sell Californians’ personal information.
The CCPA goes into effect on January 1, 2020, and many U.S. businesses that were not subject to Europe’s General Data Protection Regulation (GDPR) will have to comply with the CCPA. The International Association of Privacy Professionals (IAPP) estimates that over 500,000 businesses in the United States, including over 100,000 businesses in California alone, will need to comply with the new law.
With the deadline fast approaching, it is important that companies understand what the CCPA requires of them and their employees. We will briefly outline what the law requires for employee training.
Who Needs Training?
Once you have concluded that your business needs to comply with the CCPA, you can divide the steps you need to take into four main parts:
(2) Consumer requests,
(3) Opt outs, and
There are other smaller obligations under the law that apply in specific circumstances, but these four sections cover the majority of the new law.
We are going to focus here on employee training. Under the CCPA (Cal. Civil Code § 1798.130(a)(6)), regulated businesses have an obligation to provide CCPA training to
(1) those employees who handle consumer inquiries regarding company privacy practices as well as
(2) anyone responsible for the business’s CCPA compliance.
An organization’s first step will be determining who needs to be trained in order to correctly fulfill consumer requests governed by the CCPA. Generally speaking, any employee who may have to handle inquiries, not just about the CCPA but about the company’s privacy practices, needs this training.
For many organizations, this means training customer service representatives who handle calls to their toll-free lines as well as those who respond to digital requests that come in via email or another online process. Because the CCPA is only relevant for California consumers, employees who only deal with consumers in other states would not need to be trained. Some businesses may plan to funnel all requests directly to specific employees and only train that group on the CCPA, while training employees outside that group not to answer privacy or CCPA-related questions.
There may be other individuals within your organization who will not be answering actual consumer inquiries but who need to be trained. Any individual responsible for your organization’s CCPA compliance will need training.
Marketing, for example, cannot start an ad campaign with a new outside vendor without putting the correct CCPA contract terms in place for sharing personal data, so Marketing will need to inform IT and the Legal or Compliance Officer in charge of the company’s policies of the new method of data collection. The IT team is likely to be tasked with the actual deletion of data pursuant to CCPA consumer requests, or with creating reports when consumers request access to their personal information. Activities from marketing, to sales, to customer service implicate the collection, use, and storage of data at your organization. Determining which individuals will need to be educated is an important part of establishing a robust compliance program.
What Training Does the CCPA Require?
The CCPA makes businesses responsible for training their employees on key sections of the CCPA and on how to direct consumers to exercise their rights under those sections. Specifically, employees need to be informed regarding:
(1) the consumer’s right to ask the business to disclose what is being collected and for what purpose (Section 1798.110);
(2) the consumer’s right to ask what personal information is being sold or shared (Section 1798.115);
(3) the prohibition on businesses discriminating against consumers who exercise their privacy rights under the CCPA (Section 1798.125); and
(4) the business’s policy disclosure responsibilities and the rules regulating how it responds to consumer requests (Section 1798.130).
One of the easiest ways to ensure employees can correctly direct consumers is to put in place your CCPA-mandated privacy notice for your website and to create an internal compliance policy that is disseminated to all relevant employees.
The Relentless Global Privacy Training platform goes live on 1st December 2019, providing a secure online portal (which can be branded) delivering your compliance training needs. The platform records all training records, in-course exams and certificate printing. Register your interest now: https://online.relentlessprivacytraining.com
Relentless CCPA consultancy offers a full service to achieve CCPA compliance for your organisation
Founder of Relentless Privacy and Compliance Services one of the fastest growing global privacy consultancy companies of 2019. Currently serving clients in 6 global regions