It’s here, it’s in force, and if you’re doing business in California, it should be on your radar. It’s the California Consumer Privacy Act (CCPA), and it’s the most ambitious piece of privacy legislation in US history. It marks a new dawn for the privacy rights of consumers in California. If you haven’t already prepared for it, then you’re extremely late, and your business is potentially vulnerable.
Passed in June 2018, within a week of its introduction, it is also among the fastest pieces of legislation California has ever enacted. It came into effect on January 1, 2020, and if your company does business with anyone in California, then it affects you. If you have not taken steps to comply with it, there is no time to lose.
The law introduced a swathe of new measures that hold companies accountable for their use of citizens’ personal data and put them on a similar track to those dealing with Europeans under the General Data Protection Regulation (GDPR). Companies are subject to the legislation if they collect a consumer’s personally identifiable information (PII), if they do business in California, and if they fit one of the following conditions: make more than $25m per year, commercially process PII from at least 50,000 consumers, households or devices, or derive more than 50% of their revenue from selling consumers’ personal information.
The penalties for data breaches under the Act are daunting. Under the private right of action, a company could pay statutory damages of $100 to $750 per consumer per incident ($750,000 for the theft of a 1,000-consumer database at the top of that range), or actual damages, whichever is greater. The State can also fine a company up to $2,500 for each violation and up to $7,500 for each intentional violation. Given the size of some breaches these days, that represents a massive potential penalty.
One of the biggest misconceptions among US companies outside California mirrors one that led US businesses astray in the run-up to GDPR, warns Corey Nachreiner, CTO of firewall vendor WatchGuard: companies wrongly assume they are unaffected because they are based outside the state.
“Most businesses in the US that are cross-state will be affected by this,” he warns. That includes businesses selling online.
The Effects on Business
Those companies that have already grappled with GDPR will find the California requirements “more of an evolution,” explains Caitlin Fennessy, research director at the International Association of Privacy Professionals (IAPP).
Those companies that are operating only in the US and haven’t yet built out a strong privacy program are the ones that will have a lot of work ahead of them, she adds.
Part of that is down to what Fennessy describes as the CCPA’s broad definition of personal information (the private right of action for breaches uses the narrower definition from California’s breach-notification statute, but the rest of the law uses the broad one). It includes anything that could be directly or indirectly linked to a consumer or household. That could include an alias or other online identifier, cookies, a device identifier, pixel tags, a customer number and even information linked to a household rather than an individual. It also includes things not generally listed under US data privacy legislation, like purchasing histories, internet activity including browsing patterns, and inferences drawn about consumers from their data. In some of these respects it goes even further than the GDPR in its definition of personal data.
The law gives consumers several new rights, including the right to find out what personal information a business holds about them and into which categories it falls, which categories it has sold and to whom, and where that data came from. Businesses must provide that information in a portable format, and they must honor requests to delete it.
Fennessy also points to the need for a button on the home page, and on every page that collects information, that lets the visitor opt out of having their information sold to third parties. The definition of ‘selling’ is also pretty broad, she explains.
“It depends on whether the entity with which you’re sharing data is processing the personal data for the original entity’s business purpose on behalf, and under the instructions, of the original business, and that relationship has to be governed by a contract,” she explains. That will affect a wide variety of companies, including those in the adtech space, she says.
Enforcement Issues
Timelines aside, Fennessy also points to the intent of the California State Government and private individuals. “The California Attorney General (AG) has been very clear that they do not intend to take a ‘gotcha’ approach here,” she says. “They want companies to work diligently to come into compliance, but they’re not looking to catch folks out.”
Outside the data breach provisions, there is also a 30-day ‘period to cure’ timeline to fix privacy violations, says Mariani, so that companies can address their problems before penalties come into play.
However, that doesn’t mean that the AG won’t bring measures to firm up the interpretation of the law, Mariani argues. Big tech could fight a government case on the grounds that the law was ambiguous, so building a series of established settlements with other companies (known as assurances of discontinuance) would help to prevent that strategy. That means hitting smaller companies with fewer resources.
“I would go after the companies that I think I could get settlements for,” he suggests. “That would help me push out what the law means to other businesses so I can enforce the law more.”
The AG isn’t the only litigant that companies playing fast and loose with customer data should worry about, Mariani adds. They could risk severe penalties for both data breaches and other privacy infractions under the private right of action provisions, he warns.
What to Do About It
That means companies that have left things late and are struggling to catch up should focus on several core things. If they haven’t thought about data governance until now, then they should look at what they’re collecting, why, and what they’re doing with it, advises Mariani.
For many companies, that will involve a data audit using some kind of automated tool, says Nachreiner. “So make sure you look for tools that can help do that data audit, and can classify not only the personal data, but a lot of metadata, that’s going to be considered PII as well.”
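The data audit Nachreiner describes is, at its core, a classification pass over every field a business stores: does this column hold a direct identifier, an online or device identifier, household data, commercial or browsing history, or an inference about the consumer? The following scanner is an added illustration of that pass and is not a product, WatchGuard code, or anything described on the page. It classifies each field of a set of records by column-name hints first and by value shape second (e-mail, phone and SSN patterns for direct identifiers; IPv4, UUID and 128-bit hex tokens for cookie and device identifiers). The category names, the hint lists, the field names and the sample records are all assumptions constructed for the example.

```python
"""Toy CCPA-style data-inventory scanner (added illustration, not a real tool).

Classifies each field in a list of dict records into an assumed set of
personal-information categories, mirroring the broad CCPA definition:
direct identifiers, online/device identifiers, household data,
commercial history, internet activity and inferences.
"""
import re
from collections import Counter

# Column-name hints, matched as prefixes of the underscore/space-separated
# tokens in a field name. These lists are assumptions for the example; a real
# audit would also pull from schemas and data dictionaries.
NAME_HINTS = {
    "identifier": ("email", "phone", "ssn", "customer", "account", "alias", "username"),
    "online_identifier": ("ip", "cookie", "device", "idfa", "gaid", "pixel", "session"),
    "household": ("household",),
    "commercial": ("purchase", "order", "cart", "transaction"),
    "internet_activity": ("page", "url", "browse", "click", "search", "referrer"),
    "inference": ("inferred", "segment", "propensity", "profile"),
}

# Value-shape patterns, used when the column name gives nothing away
# (e.g. a cookie ID stored in a column called "visitor").
VALUE_PATTERNS = {
    "identifier": (
        re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"),                  # e-mail address
        re.compile(r"^\+?\d[\d\s().-]{7,}\d$"),                           # phone number
        re.compile(r"^\d{3}-\d{2}-\d{4}$"),                               # US SSN
    ),
    "online_identifier": (
        re.compile(r"^(\d{1,3}\.){3}\d{1,3}$"),                           # IPv4 address
        re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I),  # UUID (device IDs)
        re.compile(r"^[0-9a-f]{32}$", re.I),                              # 128-bit hex token (cookie IDs)
    ),
}


def classify_field(name, values):
    """Return the assumed category for one column, or None if it looks non-personal."""
    tokens = re.split(r"[^a-z0-9]+", name.lower())
    for category, hints in NAME_HINTS.items():
        if any(tok.startswith(h) for tok in tokens for h in hints):
            return category
    # Name said nothing: flag the column if more than half of its non-empty
    # values match a known identifier shape.
    samples = [str(v) for v in values if v not in (None, "")]
    if not samples:
        return None
    for category, patterns in VALUE_PATTERNS.items():
        hits = sum(1 for v in samples if any(p.match(v) for p in patterns))
        if hits * 2 > len(samples):
            return category
    return None


def inventory(records):
    """Map every field name seen in the records to a category (None = not personal)."""
    fields = list(dict.fromkeys(k for rec in records for k in rec))
    return {f: classify_field(f, [rec.get(f) for rec in records]) for f in fields}


def personal_fields(records):
    """Sorted names of the fields that would need to appear in a CCPA data map."""
    return sorted(f for f, cat in inventory(records).items() if cat)


def category_counts(records):
    """How many fields fall into each category."""
    return Counter(cat for cat in inventory(records).values() if cat)


# Constructed sample records (assumption; not real customer data).
SAMPLE_RECORDS = [
    {"email": "ana@example.com", "ip_addr": "203.0.113.7",
     "visitor": "3f2a9c1e5b7d4a6e8c9f0b1a2d3e4f56",   # cookie-style token, column name is opaque
     "household_id": "H-1001", "last_order": "SKU-4471", "pages_viewed": "/pricing,/checkout",
     "inferred_segment": "likely-to-churn", "region": "CA", "plan": "pro"},
    {"email": "ben@example.org", "ip_addr": "198.51.100.23",
     "visitor": "9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b",
     "household_id": "H-1001", "last_order": "SKU-1209", "pages_viewed": "/blog",
     "inferred_segment": "high-value", "region": "NV", "plan": "free"},
]

if __name__ == "__main__":
    for field, cat in inventory(SAMPLE_RECORDS).items():
        print(f"{field:18} -> {cat}")
    print(dict(category_counts(SAMPLE_RECORDS)))
```

Two points the run makes that the paragraph does not: the `visitor` column is caught only by value shape, which is exactly the "metadata" case Nachreiner raises (an identifier hiding behind a harmless column name), and `region` and `plan` are left unflagged even though, combined with other fields, they may still be linkable to a household. Per-field classification is a starting inventory, not a judgment about what the whole record reveals.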
As the sale-of-data provisions in the legislation use contractual relationships to determine whether a company is liable under CCPA, it is also important to assess those contracts, experts warn. If you are transferring data to others, then you must push the obligation to treat that data lawfully downstream to those partners.
The AG’s proposed guidelines for complying with CCPA also mandate training for any employees tasked with handling consumer inquiries about the company’s privacy practices.
Under CCPA, the private right of action came into effect first, on January 1, 2020. The State’s ability to enforce CCPA won’t kick in until July 1, 2020, or six months after the regulations fleshing out the law are finalized, whichever is sooner. Companies should focus first on creating systems to service those private right of action needs, says Mariani.
Ideally, this will be an automated system that provides transparency about how data is used, but companies that are already in violation may have to fall back on manual procedures for now. The draft regulations also require verification systems to authenticate the identity of people asking about their data, warns Fennessy; you don’t want to inadvertently hand a customer’s data to an impostor and break the law in the process.
Other measures to begin with include updating privacy notices and implementing an information security program. Absent firm guidance, companies can look to the Center for Internet Security’s Critical Security Controls. Former AG Kamala Harris said in a 2016 report on data breaches that failing to implement these controls indicated a “lack of reasonable security.”
What Happens Next?
Companies cannot afford to do nothing in their CCPA compliance, warn experts; but it won’t be the only strict privacy law to pass.
“Bills are percolating in other states like WA, NY and IL,” explains Michelle Richardson, director of the Center for Democracy and Technology’s privacy and data project. However, these may take some time to bear fruit.
“We are watching closely but it’s hard to predict which ones can build the coalition necessary to pass such a sweeping proposal,” she continues. “Most states have much shorter sessions than California – this is even harder when legislators have to work in annual two or three month bursts.”
There’s also the fact that many states don’t have ballot initiatives, points out Mariani. Alastair Mactaggart, the real estate mogul who conceived the CCPA, could only force big tech’s hand because he was able to begin the effort as a ballot initiative.
While states continue to push the issue, there are also movements at the federal level. Until now, federal privacy law has been a patchwork of sector-specific measures like HIPAA and FTC enforcement, often under the FTC Act. Dedicated federal privacy bills are only now being proposed. One of these is Senator Ron Wyden’s Mind Your Own Business Act (formerly the Consumer Data Protection Act), which would introduce fines and potential prison time for CEOs or chief privacy officers who flout the rules.
For businesses that have not yet come to grips with the CCPA, there’s no time to lose. The law already allows private individuals to launch actions against businesses that violate these strict privacy rules and the State’s ability to penalize them will kick in soon. It is time to talk to your lawyer, and your tech team, today.