May 28, 2019 Article

CCPA Essentials: How to Get Started

Key questions and obligations that privacy and cybersecurity professionals must consider when determining if and how to comply with the California Consumer Privacy Act.

By Sundeep Kapur

The California Consumer Privacy Act of 2018 (CCPA) is the most comprehensive state privacy law passed in the United States to date, providing consumers with granular privacy policy disclosures, access and deletion rights, a “Do Not Sell My Personal Information” button, contractual restrictions between businesses and service providers, and a private right of action, among other things.

Though the CCPA has clearly taken inspiration from the European Union’s General Data Protection Regulation (GDPR), being compliant with the GDPR does not mean that you are compliant with the CCPA. The CCPA has taken its GDPR influence and created many unique and complex requirements that demand their own compliance initiative.

Information Protected by the CCPA

The CCPA protects the “personal information” of “consumers” (i.e., California residents).

“Personal information” is defined as any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

This definition is arguably broader than the GDPR’s definition of “personal data.”

Of course, classic identifiers such as name, physical address, email address, and phone number all are considered “personal information” under the CCPA. However, this definition also encompasses IP address, user agent string, cookie IDs, advertising IDs, other “probabilistic identifiers,” browsing history, search history, and even inferences made about the consumer.

Who the CCPA Applies To

Now that we know what information is protected by the CCPA, we need to examine the obvious first question: “Am I even covered by the CCPA?”

Entities must determine if they are a “business,” a “service provider,” or a “third party” (or a combination of the three) as a first step towards CCPA compliance, as each has certain obligations. A “business” has the vast majority of obligations under the CCPA.

Are you a “business?” The CCPA applies primarily to “businesses.” Essentially, a business is a legal entity that conducts business in the State of California (regardless of where the entity is physically located) and meets one or more of the following thresholds:

  1. Has annual gross revenues in excess of $25 million;
  2. Buys, receives for commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices per year; or
  3. Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

At this point, you may be thinking that your entity does not sell personal information and so thresholds (2) and (3) do not apply to you. However, the definition of “sale” in the CCPA is notoriously broad and often requires a second (or third or fourth) look at these thresholds.

A “sale” is defined as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

Are you a “service provider?” Even if your legal entity does not qualify as a “business,” the CCPA also applies to “service providers.”

A “service provider” is defined as a legal entity (regardless of where it is located) that “processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract.”

Similar to the GDPR, written contracts must be entered into between businesses and service providers. These contracts must expressly prohibit the service providers from “retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business.”

So, whether you are a service provider or business, start amending your contracts with your partners now as needed.

Are you a “third party?” A “third party” is defined as any individual, legal entity, group, or organization (regardless of where it is located) that is not:

  1. a business that collects personal information from consumers;
  2. a service provider; or
  3. any other “person” that receives personal information from a business for a “business purpose,” provided that the person has a contract with such business containing restrictions similar to those required between businesses and service providers (described above).

Confused? You’re not alone. The definition of “third party” adds yet another layer of complexity to the CCPA’s obligations. However, analyzing where you disclose personal information to a third party (or if you are a third party yourself) is key to understanding the full obligations of the CCPA, especially its opt-out rights.

Privacy Policy Updates

The CCPA requires a business to update its website’s privacy policy with very specific disclosures. This primarily includes:

  1. the categories of personal information the business has collected, sold, or otherwise disclosed about that consumer within the preceding 12 months;
  2. the categories of sources from which the personal information is collected;
  3. the business or commercial purpose for collecting or selling personal information;
  4. the categories of third parties with whom the business shares personal information;
  5. the specific pieces of personal information the business has collected about that consumer; and
  6. a description of a consumer’s right to access, delete, or opt out of the sale of her personal information, and how to effectuate those rights.

As you can see, the CCPA places considerable emphasis on providing transparency around a business’s personal information collection and disclosure practices.

In order to be able to update their privacy policy accordingly, businesses must internally map out what specific personal information they collect (keeping in mind the incredibly broad definition), all sources of such personal information, and every entity that they share such personal information with. Then, they must implement a process to update this map every 12 months.

Access/Deletion Requests

Right of access. Consumers have the right to request businesses to grant access to their personal information. To comply with an access request, businesses must provide similar information to what must be in their privacy policy within 45 days.

However, they must also provide the “specific” pieces of personal information they have collected on that consumer in a portable and, to the extent technically feasible, a readily-useable format that allows the consumer to transmit this information to another entity without hindrance.

Sound familiar? This is very similar to the “right to portability” in the GDPR. However, the GDPR’s right to portability has limitations on it that do not exist in the CCPA, and since the CCPA’s definition of personal information is so broad, businesses’ privacy and information technology functions must work closely to ensure that all personal information can be exported and sent to a consumer (such as, but not limited to, personal information received from, or stored by, service providers). To the extent this is not technically feasible, businesses should consider documenting their reasoning in case of regulatory inquiry.

Right to deletion. Consumers have the right to request that businesses delete any personal information the businesses have collected about them. There are various exceptions to this right (such as for security or debugging purposes).

This right is very similar to the GDPR’s “right to be forgotten.” However, keep in mind that the CCPA allows for the deletion of “any” personal information that the business has collected. This means that a consumer could request the deletion of certain personal information and not others.

Businesses should ensure that a deletion capability is possible and strive to make their deletion capabilities as flexible as possible, so as to allow for certain personal information to be deleted while retaining other personal information.

“Do Not Sell My Personal Information”

The CCPA requires businesses to provide a link titled “Do Not Sell My Personal Information” on their websites’ homepages and in their privacy policies. This link must take consumers to a page where they can opt out of any sale of personal information to third parties.

In other words, once a consumer clicks that button, businesses must have procedures in place to cease all sales of personal information. Keep in mind the very broad definition of “sale” and “personal information” when preparing for this particular requirement.

So, does the CCPA only require an “opt out” for sales of personal information? Not when it comes to children’s personal information. Children under 16 must affirmatively opt in to any sales of their personal information (and can still opt out at any time). Specifically:

  1. Children who are 13–15 years old can provide their own opt-in consent.
  2. Children who are under 13 must have a parent or guardian provide opt-in consent on their behalf.

Private Right of Action

The CCPA provides for a private right of action for data breaches. In other words, individual and class action lawsuits can be brought against businesses that fail to appropriately protect personal information.

The potential liability can be extraordinary—plaintiffs’ lawyers can bring class actions for statutory damages between $100–$750 per consumer per incident or actual damages, whichever is greater. In the case of massive data breaches, this liability can easily be in the millions.

Thus, it is important that your security program is re-examined for best practices, such as making sure industry-strength encryption and security measures are being used across endpoints and networks, data minimization is employed (only collecting the minimum necessary personal information and redacting as needed), retention policies are created, due diligence is conducted on service providers (including cloud vendors), and data is classified appropriately. An entity covered by the CCPA will be ripe for class action lawsuits if it is lax on its security measures.

Effective Date and Enforcement Date

The CCPA becomes effective on January 1, 2020. From that date onward, consumers can bring private rights of action (e.g., class action lawsuits) to the extent provided under the law.

Enforcement from the California attorney general is expected to begin on July 1, 2020. The attorney general can bring civil penalties of $2,500–$7,500 depending on the nature of the violation (e.g., intentional or not) and can also bring injunctive relief.

Conclusion

There is a lot more to implementing the CCPA than meets the eye and, with the threat of active enforcement and class actions, it should not be ignored.

In fact, due to the CCPA’s 12-month “look back” period, the personal information you’ve collected this year could already be subject to the CCPA—even though the CCPA goes into effect on January 1, 2020, the personal information you’ve collected 12 months prior to that date (i.e., January 1, 2019) is in scope for consumer rights requests and privacy policy disclosures.

The CCPA is also subject to multiple amendments pending in the California legislature that aim to further expand, limit, or clarify the various provisions of the CCPA.

Finally, do not expect a federal privacy law to preempt the CCPA anytime soon (or at all). Various proposals for a federal privacy law have been introduced to Congress over the past year and the process is still in a nascent stage. There are noticeable disagreements regarding the scope of such a law. One of the largest issues is determining whether federal legislation will preempt state law or not. Notably, this issue is largely avoided by current proposals.

The best course of action is to (1) work with your privacy counsel to determine if you are covered under the CCPA and (2) start developing a roadmap to compliance.

Sundeep Kapur is an associate at Lowenstein Sandler in Roseland, New Jersey, and New York, New York.


Copyright © 2019, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).