AS CALIFORNIA LEADS THE US IN IMPLEMENTING ITS OWN VERSION OF THE GDPR, WE EXPLAIN HOW THE TWO ACTS DIFFER AND WHAT INTERNATIONAL COMPANIES SHOULD KNOW.
Over a year has passed since the General Data Protection Regulation (GDPR) saw the EU hand back control of personal data to consumers. For International businesses during this period, the initial scramble of frantic preparation has gradually given way to greater clarity around the day-to-day implications and implementation of the new rules, how to maintain and provide evidence of processes implemented into everyday operations.
Long before our 2018 deadline, California had already announced its own version of the regulation, known as the California Consumer Privacy Act (CCPA). Its own implementation date of 1 January 2020 now looms, and with less than 3 months to go, it’s crucial to understand how this new state law will impact businesses on both sides of the Atlantic.
Not only is it considered the strictest data protection law in US history, it is expected to set a precedent for similar acts across other states in coming years.
WILL MY COMPANY BE AFFECTED BY THE CCPA?
Regardless of where in the world you are based, if you have a profit-making business with customers or employees in California – and you hold their personal data – then the answer is yes, as long as you meet one of the following criteria:
- Have a gross annual revenue totalling over $25 million.
- Hold the data of more than 50,000 California residents.
- Derive more than half of annual revenues from selling California residents’ personal data.
EXEMPTIONS FROM THE CCPA?
Although the CCPA contains a number of broad requirements, there are certain exceptions to its application that should be noted. Specifically, the obligations imposed by the CCPA do not restrict a Business’ ability to:
- comply with federal, state or local laws;
- comply with a civil, criminal or regulatory inquiry, investigation, subpoena or summons by federal, state or local authorities;
- cooperate with law enforcement agencies concerning conduct or activity
that the business, service provider or third party reasonably and in good faith
- believes may violate federal, state or local law;
- exercise or defend legal claims;
- collect, use, retain, sell or disclose consumer information that is deidentified
or aggregate consumer information (see above for how “deidentified” and
“aggregate consumer information” are defined); or collect or sell a consumer’s Personal Information if every aspect of that commercial conduct takes place wholly outside of California.
A Business also does not need to honour a request to disclose information collected or sold where it would violate an evidentiary privilege under California law. A Business can also provide the Personal Information of a Consumer to
a person covered by an evidentiary privilege under California law, as part of a privileged communication.
Additionally, the CCPA does not apply to:
- medical information governed by the California Confidentiality of Medical
Information Act (CMIA), or protected health information collected by a
covered entity or business associate governed by the privacy, security and
breach notification rules established pursuant to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology
- for Economic and Clinical Health Act (HITECH);
- a provider of health care governed by the CMIA or a covered entity governed
by HIPAA, to the extent the provider or covered entity maintains patient
information in the same manner as it protects medical information or
protected health information under HIPAA and HITECH;
WHAT DOES ‘SELLING’ PERSONAL DATA MEAN?
Selling is defined as disclosing, disseminating, making available or transferring personal data. In its broadest terms, personal data as defined under the GDPR is any information via which a living individual could be identified.
What are the differences between the GDPR and the CCPA?
The CCPA is far from a direct copy of the GDPR – the two differ fundamentally in a number of ways:
OPTING IN VS. OPTING OUT
The GDPR operates on an opt-in basis, where companies must actively request permission from consumers to retain and use their data. Under the CCPA, not only can any of California’s 40 million residents expressly forbid the sale of their personal data, but they can ask a particular company to disclose how their data is being used. That company then has 45 days to produce a report detailing usage of the person’s data over the last twelve months.
PENALTIES FOR BREACHING THE CCPA
Fines differ from the GDPR in not just size but structure. The highest tier of GDPR fine sees companies pay €20 million or 4% of global annual turnover, whichever is greater. Businesses in breach of the CCPA will pay a civil penalty of up to $2500 per violation, or $7500 per intentional violation. Individual consumers may also bring a civil action of $100 to $750 or actual damages, whichever is greater.
COMPANIES IMPACTED BY THE CCPA
As outlined above, only for-profit companies doing business in California and satisfying certain criteria are regulated under the CCPA. The GDPR, on the other hand, applies to organisations of any size, profit-making or not, that process personal data of EU citizens.
THE NEED FOR ONGOING REVIEW
While the GDPR continues to shape new and existing company policies, much of last year’s flurry of activity centred on a single deadline. The CCPA demands immediate action, but also continuous monitoring long after New Year’s Day 2020. Companies will need to track personal data usage on a year-round basis so that the twelve-month record can be provided on request – effectively meaning that data from 1 January 2019 should now be readily available.
Companies will also have to engage in data mapping in order to be able to delete consumer data on request, and continuously evolve their privacy policies according to what personal data they are selling.
What rights do consumers have under the CCPA?
California residents can, once verified, request that a business:
- Discloses what categories and specific pieces of their personal data it has.
- Discloses the categories of sources from which their data was collected.
- Discloses the purpose for which it has collected or sold their data.
- Discloses the categories of third parties with whom it has shared their data.
- Deletes their personal data in its entirety (subject to certain exceptions).
- Does not sell their data (by clicking a “do not sell” opt-out).
The legal requirement to act within 45 days applies to all of these requests.
HOW CAN MY COMPANY COMPLY WITH THE CCPA?
The main ways to comply with the CCPA are, as outlined above, the disclosure and deletion of data upon request. Companies must also obtain the express authorisation of consumers under 16 before selling their data (for consumers under 13, consent must be obtained from their parents).
In addition to this, however, companies must update their privacy policies to include:
- A full description of California consumers’ rights under the CCPA.
- The categories of all personal data collected and sold by the business in the last twelve months.
- The business purposes for which all data is collected.
- The categories of third parties with whom all data is shared.
- A clear link to the “do not sell” opt-out tool.
- Any financial incentives, such as discounts, offered to consumers for permitting the collection or sale of their data.
- At least two methods for submitting disclosure or deletion requests, including a phone number and email address.
What are the consequences of failing to comply with the CCPA?
As with the GDPR, it’s well worth making sure your business is fully compliant, as the consequences of breaching the CCPA go far beyond the strictly enforced financial penalties. Companies may face further legal action, significant reputational damage and erosion of trust in their business as a direct result of non-compliance.
Interested in learning more? Contact us today and we will be very happy to discuss your options.
Find Out More
In September 2018 , California became the first state to pass a law addressing the security of connected devices. The law will go into effect in 2020 and requires that manufacturers of any internet-connected devices equip them with “reasonable” security features. It is a good first step toward addressing the risks inherent in the world’s increasing connectivity.
The legislation predates federal legislation securing IoT devices, which is not the first time that California has led the way on data privacy and security policy; the new law may serve as a template for future legislation. The new legislation has faced both praise and criticism, but as with any policy addressing new technology, it brings up many new — and sometimes difficult to answer – questions, such as the following:
What is IoT security and what are the potential consequences of insufficiently secured internet-of-things devices?
IoT security refers to steps that are taken to secure or enhance the safety of internet-connected devices – everything from Amazon Echo, Google Home and Ring doorbell to internet-connected devices like stoves, refrigerators and thermostats. It can mean anything from requiring a unique password on devices to ensuring that devices use only password-protected internet connections.
There are many consequences to insufficient or nonexistent IoT device security, chief among them being that the devices can be taken over by cyber criminals and used against their owners. For example, internet-connected devices that have cameras or microphones could be used to record or listen to their owners without permission. Additionally, internet-connected devices like webcams, digital video recorders and home routers can be strung together and used in botnets for distributed denial-of-service attacks launched by cyber criminals.
What is the government doing about this?
While several IoT security bills have been submitted in Congress, none has made it to a vote. However, some states like California are implementing bills that include security requirements for IoT devices.
The main provision of the California IoT security law is that “a manufacturer of a connected device shall equip the device with a reasonable security feature or features.” What does “reasonable” security features mean?
The California’s IoT law leaves “reasonable security features” intentionally vague, as what “reasonable” looks like will vary by device. Generally speaking, “reasonable” security measures would include the ability to change the default username and set up a unique password for the devices. For some devices, it could mean the ability to set the device to only allow certain voices or faces to give commands.
Will this law make the IoT secure?
It is difficult to say whether this law, or any law, will make the internet of things secure, because each device has different security vulnerabilities. That said, this bill’s vagueness, especially the password requirements, does not address different authentication methods like PIN’s or facial recognition that are not considered passwords.
What are the benefits and consequences of California passing legislation ahead of the federal government?
Because California’s IoT bill requires manufacturers include specific features when producing these devices, it will likely set off a trend that is followed nationwide. It will be less expensive for manufacturers to produce all of their devices to meet California’s requirements regardless of where they will be distributed than would be for them to produce products exclusively for California. Should this happen, it could negate the need for any type of federal legislation. However, other states or federal lawmakers may enact laws that go further than the California bill. Stronger requirements for passwords and security would require manufacturers to pivot again and would make the California laws obsolete.
What next steps should state and federal legislators take when it comes to data security and privacy?
Lawmakers should continue looking for gaps in security practices and data protections and create legislation that protects users from these built-in vulnerabilities. However, it is important for users and tech companies not to wait for legislation that mandates security measures, but rather begin implementing data protections and security measures proactively.
Relentless CCPA and Data Privacy Services has You Covered
Find Out More
The CCPA went into effect on January 1, 2020, as provided in this legislation. The California attorney general, which generally enforces the CCPA, shall adopt regulations on or before July 1, 2020, and shall not bring an enforcement action until 6 months after the publication of such regulations or July 1, 2020. Any developments regarding the CCPA should be monitored carefully. Those organisations who have not began their CCPA compliance program or have commenced but not completed it should use this time to ensure they do not fall foul of the regulation and put their brand and financial position at risk.
CCPA Compliance Checklist
Although the final regulations have yet to be promulgated, the general requirements of the CCPA are sufficiently evident to enable businesses to prepare to comply with the final regulations when the Cal AG issues them, which will likely occur this fall. Accordingly, businesses should take the following steps to achieve compliance.
- Confirm That Your Business is Subject to the CCPA. Entities must determine whether they are considered a “business” subject to the CCPA. For-profit companies should keep in mind that their subsidiaries and affiliates might also be considered separate businesses with independent obligations to comply with the CCPA.
- Determine Whether Your Business Depends on the Sale, sharing or Purchase of Personal Information. Businesses will need to assess whether, and to what extent their disclosures of personal information to third parties falls under the broad definition of the “sale” of data. As defined to include any disclosure of data to a third party for “valuable consideration,” the concept of selling data under the CCPA may encompass seemingly routine data transfers that do not include direct monetary compensation.
- Confirm “Reasonable Security.” Evaluate cybersecurity practices consistent with industry recognized standards (with prudent consideration given to the use of encryption, multi-factor authentication, and the Center for Internet Security’s Critical Security Controls).
- Map How Your Business Collects, Shares and Sells Personal Information. Businesses will need to identify and track internal data flows, storage and transfers (including to service providers) in order to meet their CCPA obligations. Many businesses will reconsider their approach to personal data by building processes that foster privacy by design and by default, by anonymizing data sets when possible, and by taking their data retention and destruction policies more seriously.
- Revise Privacy Policies. Revise both external and internal policies to properly reflect the personal information processing activities required to be disclosed under the CCPA and to express the new rights and mechanisms available to Californians to exercise those rights.
- Enable Consumer Opt-Out of Sale of Personal Information (when applicable). Create a separate web page to enable California residents the ability to exercise their opt-out rights to the extent the business sells their personal information.
- Facilitate Receipt of and Response to Consumer Requests. Develop mechanisms for accepting, tracking and verifying consumer requests, and honoring their exercise of access, deletion and opt-out rights. Companies that already comply with the GDPR will be able to leverage many of those processes.
- Evaluate Third-Party and Service-Provider Arrangements. Businesses should assess the nature of personal data shared with service providers and other third parties, ensure proper vendor risk management processes are in place, and revise agreements as necessary to take CCPA requirements into account. The age-old saying remains true: a company can outsource a capability, but it cannot outsource a responsibility.
- Implement Training Program. Ensure employees who are responsible for handling consumer inquiries understand and are trained to handle those requests in a timely, consistent and proper fashion.
What’s Next? CCPA Developments, Key Dates and Status
If you’ve found it hard to keep up with the current state of play of the CCPA, you’re not alone. The CCPA was signed into law on June 28, 2018 and became operative on January 1, 2020. At that point, businesses were expected to provide information to consumers regarding their data privacy practices going back to January 1, 2019. As a result, businesses needed to ensure that their information retention policies extend back at least a year to ensure their ability to comply. However, the Cal AG will not begin initiating enforcement actions until six months after the final regulations are published, or July 1, 2020, whichever is sooner.
Businesses that are racing to prepare for compliance are not alone in the CCPA ecosystem, as the executive and legislative branches of the California government are also working to finalize the law and implement regulations. Specifics regarding certain obligations and requirements remain in flux, and the Cal AG has been charged with adopting regulations to clarify numerous requirements under the CCPA between now and July 1, 2020.
Prior Amendments: The California legislature continued to amend the CCPA addressing various concerns from industry, clarify ambiguous provisions, and clean up sloppy language that reflects how hastily the CCPA was drafted, introduced and adopted. Since the law was initially passed, the CCPA has been amended once through SB-1121. SB-1121 addressed several areas of the CCPA. Specifically, the key amendments:
- Imposed a deadline of July 1, 2020, on the Cal AG to adopt regulations furthering the purpose of the CCPA, and limits enforcement by the Cal AG until six months thereafter or July 1, 2020, whichever is sooner.
- Prohibited or limited the application of the CCPA requirements to data covered by GLBA, the California Financial Information Privacy Act, HIPAA and the California Confidentiality of Medical Information Act, and entities covered by HIPAA and the California Confidentiality of Medical Information Act (to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information).
- Clarified that the definition of “personal information” only applies to information that “identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.”
- Removed the requirement that a consumer give the Cal AG notice within 30 days that an action has been filed prior to continuing to pursue the action. The Cal AG’s right to prohibit the private action was also removed.
Approved Amendments: In addition, six amendments were approved by the California legislature and the governor’s approval was obtained on October 11, 2019. The amendments clarify critical ambiguities in the statute (but leave many others unresolved) as follows:
- Data Brokers. AB 1202 would require “data brokers”—defined as businesses that knowingly collect and sell to third parties the personal information of a consumer with whom the business does not have a direct relationship ─ to register with the Cal AG for publication on the Cal AG’s website. Entities regulated by the GLBA, FCRA or the California Insurance Information and Privacy Act are excluded from this provision.
- Employee Coverage Limitation and Training. Notably, AB 25 provides that, until January 1, 2021, personal information that is collected by a business in the course of a person “acting as a job applicant to, employee of, owner of, director of, officer of, medical staff member of, or contractor of that business,” will not be subject to the CCPA requirements, except the CCPA’s provisions requiring notice prior to collection and providing a right to bring a private right of action based on a data breach. Among other things, AB 25 also expands the scope of information and rights that personnel responsible for handling privacy inquiries need to be trained on, and provides that businesses may require consumers to submit requests through an online account the consumer maintains with the business.
- Vehicle Information Exemption and Deletion Exception. AB 1146 provides for an exemption from the “right to opt out, for vehicle information or ownership information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer, if the information is shared for the purpose of effectuating or in anticipation of effectuating a vehicle repair covered by a vehicle warranty or a recall.” AB 1146 also provides for an additional exception to a consumer deletion request for “personal information that is necessary for the business to maintain in order to fulfill the terms of a written warranty or product recall conducted in accordance with federal law.”
- Definition Amendments (Personal Information and Publicly Available Information). AB 874 amends the definition of “publicly available information” to remove a condition related to government use, further clarifying that it is not personal information. AB 874 also amends the definition of “personal information” to insert “reasonably” in front of “capable of being associated with” to provide additional contours around the broad definition of “personal information.”
- Personal Information and Discrimination. AB 1355 provides for a host of amendments and revisions to the CCPA. Among other things, AB 1355 clarifies that:
- the standard for determining if a business may discriminate against a consumer for exercising their rights under the CCPA is if the differential treatment is reasonably related to value provided to the business by the consumer’s data.
- de-identified data is excluded from the definition of personal information.
- Disclosure Methods. AB 1564 provides that “a business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information is only required to provide an email address for submitting requests for information required to be disclosed” rather than a toll-free phone number. In addition, if the business maintains an internet website, the business is only required to make the internet website address available to consumers to submit requests for information required to be disclosed.
With the holiday season now behind us , and the act now in force from January 1, 2020 . Businesses that have not already begun compliance would do well to begin preparations immediately before enforcement begins.
To the extent a business already has implemented certain processes under the GDPR, it should leverage those procedures (and the accompanying lessons learned) as tailored to the specific requirements for, and demands of, California residents. For example, data mapping exercises and records of processing completed under the GDPR can provide a business with a head start in identifying the categories of information it collects, the purposes for which that data may be disclosed, the security and retention relating to that data, and the third parties to which such personal information is disclosed. In addition, mechanisms implemented to receive and process data subject requests could be used for the same activity under the CCPA. Obviously, there will be some tweaking necessary to ensure that the consumer rights being identified are consistent with the rights provided to consumers under the CCPA (and not the GDPR), but GDPR-compliant businesses will not need to create a compliance program from the ground up. In contrast, companies that have not suffered through GDPR growing pains will find the CCPA to be more of a challenge.
Relentless Privacy and Compliance Services Ltd provides organisations with local and Global data privacy consultancy ensuring your organisation remains compliant wherever your operational data processing takes place.
CCPA Free Assessment
The most comprehensive data privacy law in the United States, the California Consumer Privacy Act (CCPA), took effect on January 1, 2020. The CCPA is an expansive step in U.S. data privacy law, as it enumerates new consumer rights regarding collection and use of personal information, along with corresponding duties for businesses that trade in such information.
While the CCPA is a state law, its scope is sufficiently broad that it will apply to many businesses that may not currently consider themselves to be under the purview of California law. In addition, in the wake of the CCPA, at least a dozen other states have introduced their own comprehensive data privacy legislation, and there is heightened consideration and support for a federal law to address similar issues.
Below, we examine the contours of the CCPA to help you better understand the applicability and requirements of the new law. While portions of the CCPA remain subject to further clarification, the inevitable challenges of compliance, coupled with the growing appetite for stricter data privacy laws in the United States generally, mean that now is the time to ensure that your organization is prepared for the CCPA.
Does the CCPA apply to my business?
Many businesses may rightly wonder if a California law even applies to them, especially if they do not have operations in California. As indicated above, however, the CCPA is not necessarily limited in scope to businesses physically located in California. The law will have an impact throughout the United States and, indeed, worldwide.
The CCPA will have broad reach because it applies to each for-profit business that collects consumers’ personal information, does business in California, and satisfies at least one of three thresholds:
- Has annual gross revenues in excess of $25 million; or
- Alone or in combination, annually buys, receives for commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more California consumers; or
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information
While the CCPA is limited in its application to California consumers, due to the size of the California economy and its population numbers, the act will effectively apply to any data-driven business with operations in the United States.
“personal information” explained under the CCPA?
The CCPA’s definition of “personal information” is likely the most expansive interpretation of the term in U.S. privacy law. Per the text of the law, personal information is any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The CCPA goes on to note that while traditional personal identifiers such as name, address, Social Security number, passport, and the like are certainly personal information, so are a number of other categories that may not immediately come to mind, including professional or employment-related information, geolocation data, biometric data, educational information, internet activity, and even inferences drawn from the sorts of data identified above.
As a practical matter, if your business collects any information that could reasonably be linked back to an individual consumer, then you are likely collecting personal information according to the CCPA.
When does a business “collect” personal information under the CCPA?
To “collect” or the “collection” of personal information under the CCPA is any act of “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means.” Such collection can be active or passive, direct from the consumer or via the purchase of consumer data sets. If your business is collecting personal information directly from consumers, then at or before the point of collection the CCPA imposes a notice obligation on your business to inform consumers about the categories of information to be collected and the purposes for which such information will (or may) be used.
To reiterate, if your business collects any information that could reasonably be linked back to an individual, then you are likely collecting personal information according to the CCPA.
If a business collects personal information, but never sells any of it, does the CCPA still apply?
Yes. While there are additional consumer rights related to the sale of personal information, the CCPA applies to businesses that collect personal information solely for internal purposes, or that otherwise do not disclose such information.
What new rights does the CCPA give to California consumers?
The CCPA gives California consumers four primary new rights: the right to receive information on privacy practices and access information, the right to demand deletion of their personal information, the right to prohibit the sale of their information, and the right not to be subject to price discrimination based on their invocation of any of the new rights specified above.
What new obligations does a business have regarding these new consumer rights?
Businesses that fall under the purview of the CCPA have a number of new obligations under the law:
A business also must provide at least two mechanisms for consumers to exercise their CCPA rights by offering, at a minimum, a dedicated web page for receiving and processing such requests (the CCPA is silent on whether this web page must be separate from or can be combined with the “Do Not Sell My Personal Information” page), and a toll-free 800 number to receive the same.
- Upon receipt of a verified consumer request to delete personal information, the business must delete that consumer’s personal information within 45 days.
- Upon receipt of a verified consumer request for information about the collection of that consumer’s personal information, a business must provide the consumer with a report within 45 days that includes the following information from the preceding 12 months:
- Categories of personal information that the business has collected about the consumer;
- Specific pieces of personal information that the business possesses about the consumer;
- Categories of sources from which the business received personal information about the consumer;
- A corporate statement detailing the commercial reason (or reasons) that the business collected such personal information about the consumer; and
- The categories of third parties with whom the business has shared the consumer’s personal information.
- Upon receipt of a verified consumer request for information about the sale of that consumer’s personal information, a business must provide the consumer with a report within 45 days that includes the following information from the preceding 12 months:
- Categories of personal information that the business has collected about the consumer;
- Categories of personal information that the business has sold about the consumer;
- Categories of third parties to whom the business has sold the consumer’s personal information; and
- The categories of personal information about the consumer that the business disclosed to a third party (or parties) for a business purpose.
- Identify all new rights afforded consumers by the CCPA;
- Identify the categories of personal information that the business has collected in the preceding 12 months;
- Include a corporate statement detailing the commercial reason (or reasons) that the business collected such personal information about the consumer;
- Identify the categories of personal information that the business has sold in the prior 12 months, or the fact that the business has not sold any such personal information in that time; and
- Note the categories of third parties with whom a business has shared personal information in the preceding 12 months.
What about employee data gathered by employers for internal workplace purposes?
As currently drafted, nothing in the CCPA carves out an exception for employee data gathered by employers. A “consumer” is simply defined as a “natural person who is a California resident …,” so the law would presumably treat employees like anyone else. However, the California legislature recently passed Bill AB 25, which excludes from the CCPA information collected about a person by a business while the person is acting as a job applicant, employee, owner, officer, director, or contractor of the business, to the extent that information is collected and used exclusively in the employment context. Bill AB 25 also provides an exception for emergency contact information and other information pertaining to the administration of employee benefits. The governor signed the bill on October 15.
Take our free online assessment and we will send you an overview of your position.
A complex gathering issue under the California Consumer Privacy Act is how to interpret the definition of “sale” and how to know if exceptions – like that for a “service provider” – apply.
When asked, most companies state honestly they do not “sell” customer data, but the CCPA defines the term in a surprisingly broad way that sweeps in any arrangement involving an exchange of value (“consideration”) between the business and a third party or another business for the personal information. The definition of sale may expansively apply to disclosures to vendors that process data for their own analytics or other secondary purposes.
In general, the CCPA imposes strict requirements on the “sale” of personal information (e.g., “Do Not Sell My Personal Information” button on homepages, rights to opt out, and the like). Businesses should, therefore, conduct due diligence on a case-by-case basis as to whether to seek shelter from the definition of “sale” under the CCPA for disclosures to a “service provider.” The due diligence should involve a review under the existing contractual terms and may require modifications to the underlying agreement and obligations of the parties.
What qualifies as a ‘service provider’?
The CCPA distinguishes between service providers and third parties by describing a third party in the negative and the requirements for a written contract that governs a data transfer between parties. Under the law’s construction, a “service provider” is:
(1) A legal entity organized for profit.
(2) That processes personal information on behalf of a business.
(3) To which the business discloses a consumer’s personal information for a business purpose.
(4) Pursuant to a written contract that prohibits the legal entity from retaining, using, or disclosing the personal information for any purpose (including a commercial purpose) other than performing the services specified in the contract.
Businesses must also:
(5) Provide proper notice to consumers about personal information sharing practices.
(6) Obligate the service provider from further collecting, selling or using the personal information except as necessary to perform the business purpose.
In addition, if the service provider agrees to additional contractual terms to assure that it does not qualify as a “third party,” the business will benefit from certain liability protection. In particular, the business would need to include a provision in the written contract that
(7) Prohibits the recipient from:
(a) Selling the personal information.
(b) Retaining, using or disclosing the personal information for any purpose other than performing the services.
(c) Retaining, using or disclosing the personal information outside of the direct business relationship between the recipient and the business.
The business would also need to:
(8) Obtain a certification that the recipient understands these restrictions and will comply with them.
In practice, the provisions required under elements (7) and (8) largely overlap with those of elements (1) through (6), but they are treated separately here to help understand how they may be applied to actual scenarios.
How does the service-provider exception play out in practice?
A website-hosting provider would be a logical vendor to consider as a service provider, depending on the specifics of the arrangement. For example, does the provider assert broad rights to use personal information collected on the site for its own purposes? Does the provider exchange any consideration with third-party advertising agencies with respect to cookies and other tags placed on users of the site?
These factors would suggest that the vendor might not meet element (6) and might be reluctant to enter into a written contract that significantly cuts back on these rights. Also, what about element (3), which suggests that the business must physically disclose the data to the vendor and the vendor cannot directly collect the data from the consumer? It seems unlikely that a vendor should be disqualified from the service-provider exception on this basis alone, as there is no strong public policy reason why an agent cannot be hired to collect data on behalf of a business, but because there is no official guidance on this point, it will be important to track this issue carefully.
Customer relationship management provider
A CRM provider would also seem to be a good candidate for the service-provider exception, again depending on the specifics. For example, what if the CRM provider uses personal information of multiple customers to perform broad market analysis and forecasting of trends and provide that data back to each of its business customers as a service?
Although the data is not shared in identifiable form across the different business customers, the underlying analysis would use the personal information and would benefit multiple customers. This appears to raise an issue under element (6) and a potential concern for the contractual obligations under elements (4), (7) and (8). The extent of the concern, however, could potentially be reduced by further contractual terms. For example, if the “business purpose” as defined in the services contract included an obligation for the provider to deidentify data and to use the data for analytics in order to provide the market and trending analysis back to the business customer, this could bring these activities closer to a use on behalf of the business and the definition of “service provider.”
Unlike the prior two examples, an independent auditor is an example that might be at odds with the core definition of a service provider and omitted from the exception. The federal securities laws generally require publicly held companies to engage an independent auditor to report on the accuracy of financial reports that the company files with the U.S. Securities and Exchange Commission. By definition, the auditor is not collecting and analyzing information “on behalf of” the company when it analyses data, including personal information, as an independent assessor of the company’s financial statements. As such, an independent auditor likely does not meet element (2) where it does not act “on behalf of” the business.
What are the other options?
If the vendor is not a “service provider,” does that mean the disclosure is always a “sale”? No.
The business should examine whether there are other grounds to show that the disclosure is not a sale. For example, regarding the independent auditor, the business could say that there is no valuable consideration exchanged for the personal information obtained in the audit given that an auditor does not in any meaningful sense pay for the data. The business could also assert the independent auditor is not a “third party” that triggers the “sale” provision if the business imposes a written contract that includes elements (7) and (8). Note that these elements do not include the “on behalf of” requirement that applies to service providers, so it might fit for an independent auditor.
Ultimately, in preparation for the CCPA, each business should conduct a due diligence process across its personal information sharing arrangements to determine whether disclosures that do not appear to meet the exceptions described above are subject to other exceptions to sale, such as sharing at the direction of the consumer. A thoughtful assessment is needed given the newness of the rules and the complexity of arrangements in the digital age.
Relentless Privacy and Compliance Services offer a complete CCPA service to ensure your compliance.
Start Your Compliance Today
Like any new project, the question of “where do I start?” is frequently one of the biggest hurdles and can delay the initiation of the project. Therefore, to help with this first step, we’ve set out below our top tips for tackling the CCPA compliance.
(1) Leverage your GDPR or other privacy programs. Although there are significant differences between the CCPA and the European Union General Data Protection Regulation (“GDPR”), many of the obligations imposed by the CCPA (e.g., notice, information gathering, obligations for data sharing, access rights, deletion rights, and opt-out rights) are similar enough that companies can and should try to leverage the work they undertook to address the similar obligations for GDPR as the starting point for building out a CCPA compliance program.
(2) Identify a cross-functional CCPA team. To address the requirements of the CCPA in a meaningful way, companies will need to tap into the expertise of a variety of different stakeholders and departments across the organization and develop a coordinated approach. In addition to needing strong legal and privacy support to help shape different elements of the CCPA program, it is critical to obtain the support and buy-in of the IT teams to implement the technical obligations of the CCPA, such as mechanisms that allow consumers to opt-out of the sale of their personal information and manners to delete personal information. Similarly, stakeholders from marketing or other functions that are key users of personal information with the company are critical for helping companies understand how personal information is gathered from consumers and how it is used across the company. Without this 360 degree view of information collection, use and sharing practices, it will be very difficult to develop the multi-layered solutions that are critical for CCPA compliance.
(3) Develop a strategy for information gathering and categorization. As with all privacy compliance programs, the foundation for a strong CCPA compliance program is understanding and documenting what personal information your organization collects as well as how such information is used and disclosed (both internally and externally). This is a deceptively complicated task and may be the most labor and time-intensive element of the building your CCPA compliance program. Obtaining this information from across the company in sufficient detail to meet the requirements of the CCPA often requires additional resources in the form of staffing or specialized service providers is needed.
(4) Determine where you “sell” personal information. One of the most formidable elements of the CCPA is its broad definition of what constitutes the “sale” of personal information, for which the company must provide notice and a right for consumers to opt-out. This definition sweeps in a broad array of disclosures that do not meet the traditional notions of sale (e.g., intra-affiliate sharing of personal information in certain circumstances). Therefore, companies need to really understand their disclosures of personal information – including in the online environment (e.g., online behavioral advertising) – and develop a strategy for determining which disclosures qualify as sales and for addressing opt-outs related to these disclosures (or opt-ins for minors). In addition, it will be important to develop template contract language for the various types of disclosures and to begin to build out the mechanisms for honoring consumer choice requirements under the CCPA.
(5) Be ready to update company privacy statements and similar disclosures. The CCPA sets out specific content requirements for online privacy policies and also requires that consumers are notified about personal information collections at or before the information is collected. Companies need to understand what specifically must be included in their consumer facing notices and be prepared to update them to meet these content requirements.
Don’t have the required Resources?
Let Relentless Privacy and Compliance Services take the strain and help you deliver CCPA efficiently and seamlessly
Find Out More
One last tip: Don’t forget to monitor other state and federal law developments. The CCPA is not the only US privacy law on the horizon. Nevada recently enacted a similar but more limited consumer privacy law, and a number of other states are expected to follow suit this year or next. At some point, federal privacy legislation may also come into play. Companies should be looking down the road at these rules and trying to anticipate and leverage the steps for CCPA compliance.
As the CCPA’s effective date approaches, businesses are actively monitoring how companies will update their websites and privacy notices to comply with the new disclosure requirements of the Act. While many companies are prepared to update their websites at the end of the year, websites that are preemptively changed before year-end are reviewed and scrutinized for signs of emerging industry standard practice.
To-date, the placement of a “do not sell” link on a website has not arisen to the level of an industry practice.
In order to help companies understand and benchmark standards and practices, BCLP analyzed a random sample of the privacy notices of Fortune 500 companies.1 Based upon that sample, and as of December 20, 2019, only 4% of the total sample population had placed a “Do Not Sell My Personal Information” link either within their privacy notice or on their homepage.2
The percentage is slightly higher when viewed as a function of only those websites that have already updated their privacy notices for the CCPA. Within that sub-sample, 18% of companies have included a “Do Not Sell My Personal Information” link.
Interestingly, none of the companies that have included such a link appear to have a working mechanism for effectuating a “do not sell” request. One company’s link takes users to a data subject request portal that does not contain a “do not sell” option; the other company’s link takes users to an online chat bot that does not respond to requests for information not to be sold.
It remains to be seen whether regulators and the plaintiff’s bar will view the inclusion of a link that is not functional as raising legal concerns under the Federal Trade Commission Act (“FTCA”) and state Unfair and Deceptive Trade Practice Acts (“UDTPA”).
With 4 days until the CCPA enters into law on 01/01/2020 see how Relentless Data Privacy can achieve your base line compliance in time for the 1st January
For more information and resources about the CCPA see our
Award winning blog
- Using a computer random number generator, BCLP selected 10% of the companies listed among the Fortune 500 in 2019. Revenues for the selected companies ranged from $85 billion to $5 billion. While BCLP did not conduct statistical analysis to determine whether the sample selected accurately represented the range of businesses in the United States, the sample contained companies focused on retail, financials, food, agriculture, manufacturing, entertainment, and energy.
- In the event that a business sells personal information (as those terms are defined within the CCPA), the Act requires the business to include a link on their homepage and in their online privacy notice titled “Do Not Sell My Personal Information.” Cal. Civil Code § 1798.135(a)(1), (2)(A).Note that the percentage of businesses that include the Do Not Sell link decreases from our last weekly report. The decrease was due to the broadening of the sample frame from 6% of the Fortune 500 to 10% of the Fortune 500 in order to increase statistical confidence.
Find Out More
Did you know that the new California privacy law could have an impact on your business, even if you’re not based in the Golden State? Discover what the CCPA means for you, and for the future of data protection regulations around the world.
The arrival of the General Data Protection Regulation back in May 2018 served as a wake-up call for the rest of the world. No longer could businesses afford to be lackadaisical about consumer privacy or how they manage their data. With widespread implications not only for organisations within the European Union but for those based internationally as well, GDPR prompted lawmakers across the globe to not only take note but act. One of the first to do just that was the US state of California who, mere weeks after GDPR came into effect, signed into law their own updated data protection rules, known as the California Consumer Privacy Act (CCPA) of 2018. So far, so interesting, but what does any of this have to do with you? After all, your business isn’t based in California, it’s based in another US state entirely, or even in a completely different country.
Does that mean the California Consumer Privacy Act of 2018 doesn’t affect you?
Is it time to stop reading this article and go about your day?
Not exactly. Here’s the truth:
The Consumer Privacy Act Could Impact Your Business
In fact, according to the International Association of Privacy Professionals (IAPP), the legislation will apply to more than 500,000 companies in the United States. That’s not to mention the impact it’s likely to have internationally.
- But what exactly is this impact?
- How will the new Consumer Privacy Act affect your business?
At Relentless, we specialise in helping businesses manage their data protection and enjoy frictionless compliance with current legislation in a way that helps them to grow in today’s privacy-savvy culture.
Today, we’ll talk about why the new California legislation could impact your business wherever you are in the world and offer our expert insights on what you might need to do to ensure long-term compliance.
However, before we get to that, let’s first answer the one question that’s most on your mind:
What is the California Consumer Protection Act 2018?
Signed into law on June 28th, 2018, the CCPA takes its cues directly from GDPR, giving Californians many of the same rights as those laid out in the EU-wide directive. Putting the new bill together, lawmakers wrote:
- “California consumers should be able to exercise control over their personal information, and they want to be certain that there are safeguards against misuse of their personal information”.
- “It is possible for businesses both to respect consumers’ privacy and provide a high-level transparency to their business practices.”
- To ensure that businesses are both transparent and respectful when it comes to consumer privacy, the new act gives those consumers the right to request that a business discloses the following key details
- “The categories and specific types of personally identifiable information that it has collected about them.
- The types of sources it has used to collect that information.
- The reasons why it has collected that information, whether that’s to use it for business purposes or sell it onto a third party.
- The categories of third parties that the information will be shared with.
What else does the CCPA say?
Along with making it a requirement to meet those data requests at no cost to the individual, the new law gives businesses several other obligations These include:
Informing people about the categories of personally identifiable information being collected and the purposes that the information will be used before that data is collected or, at the very least, at the point of collection.
Provide the same levels of service and pricing to individuals who exercise their privacy rights.
Being sure not to sell on personal information if an individual has said no to this.
Does CCPA Apply to My Business?
Contrary to what some believe, the California Consumer Privacy Act doesn’t just apply to those businesses based within California. Rather, any business with customers in California can be affected if that business meets the following three criteria:
- The business has annual gross revenues which total at least £25 million
- For commercial purposes, the business either buys, receives, sells or shares the personal information of at least 50,000 consumers, households or devices.
- Businesses who generate at least 50% of their annual revenues from selling the personal information of consumers.
- This includes those businesses who are based in other US states, or even in other countries.
The immediate and long-term impact of CCPA
So, with all that being said, how exactly does CCPA affect your business? The most obvious answer is this:
If your business meets any of the above criteria, then you’ll need to be sure you’re fully prepared and fully equipped to deal with the deluge of data requests likely to come your way.
Most experts predict that Californians are going to be quick off the mark when it comes to exercising their new privacy rights. Requests are likely to come in two forms: Those from citizens who want to know what types of data you hold on them. Those from citizens who want to exercise what is often known as “the right to be forgotten” and have the data you hold about them deleted.
So if you don’t yet have a system in place to respond to those requests, now is the time to start putting one in place. Before you start panicking, however, here’s the good news.
CCPA doesn’t come into effect until January 1st, 2020.
At time of writing, that gives affected businesses under one month to get ready. But what about those businesses not immediately impacted by CCPA? What happens if you don’t have customers in California?
Does that mean you can forget all about data protection and carry on as normal? Not quite.
Here’s the thing:
The California Consumer Protection Act of 2018 is only beginning of a widespread shift in privacy culture. Yes, California may be the first US state to adopt a GDPR-like approach to consumer privacy, but they certainly won’t be the last. Georgia has already started working on new privacy laws, and many other US states are expected to follow suit.
In other words, by the first half of the next decade, we should well expect to see GDPR-style regulations become the norm across the United States as well as other non-US and non-EU countries.
So, even if you’re not immediately impacted by CCPA, you’ll still find it beneficial to make changes now and avoid getting caught out when new laws do start to affect you.
How GDPR Compliance Can Help You Prepare for CCPA
Of course, all this begs one very important question: What does your business have to do to get ready for the arrival of CCPA or other privacy regulations that could be implemented in the coming years?
In many cases, the changes you need to make to your systems, processes, or culture as a whole may be minimal, especially if you’ve already taken the necessary steps to ensure you’re fully compliant with the General Data protection Regulation. Remember, CCPA is directly influenced by GDPR just as most new privacy laws are expected to be in the future. So, if you’ve taken the necessary steps as outlined in our GDPR compliance assessment you may well find that you’re already well on your way to CCPA compliance
If not, don’t worry: Help is at hand.
At Relentless Privacy & Compliance we work with businesses across the globe to help them enjoy frictionless compliance with international privacy laws.
From training and consultancy that empowers your employees with the skills and know-how they need to protect your customers’ private information to hands-on support with developing the kind of secure, effective data protection processes that enable your business to thrive in the digital economy, we offer bespoke services tailored to help you achieve your long-term goals.
See our comprehensive CCPA Service to see how we can help you prepare for and achieve CCPA compliance
Book your free, initial consultation online today, .