The California Consumer Privacy Act: What’s Next

EDITOR’S NOTE: The following column was submitted to THE SHOP by CompliancePoint, a risk management and information security firm with an emphasis on helping companies remain compliant with regulations.

It has been said, that while attending a cocktail party in California, a Google employee stated the following to Alistair Mactaggart: “If people just understood how much we knew about them, they’d be really worried.”

Background

Mactaggart, a real estate developer in California, then began contemplating the issue that has been consuming news articles the past few years: privacy in a digital world. Between the GDPR going into effect in May of this year and the Cambridge Analytica scandal that consumed everyone’s attention this spring, privacy has become an inescapable topic. Mactaggart’s main claim is that in a world where most people have no choice but to have a phone or computer, how can they maintain control over their personal data to ensure it stays personal?

With this, he worked to develop a privacy initiative addressing these issues focusing on transparency, control and accountability. These three principles form the basis of the ballot initiative created by Californians for Consumer Privacy, the California Consumer Privacy Act (CCPA). This ballot initiative received 625,000 signatures, which is almost twice the number required for an initiative to be included on the California ballot.

Overall, this initiative  provides consumers with three fundamental rights:

  1. The right to know what personal information is being collected;
  2. The right to know what personal information is being sold and/or shared with third parties as well as the identity of those third parties; and
  3. The right to request that their personal information no longer be sold (i.e., the right to opt out).

In addition to honoring the consumer rights listed above, businesses would be required to provide notice via the privacy policy regarding whether personal data is sold and instructions to opt-out of the selling or sharing of this data. Further, businesses must allow consumers to exercise their right to opt-out through, at a minimum, two methods, including a toll-free number and a URL. Should a consumer exercise one of the rights listed above, businesses would be required to respond within 45 days of the request.

What’s Happening Now?

Fast forward a month and a half after the initiative was first approved. Mactaggart agreed to a deal that would keep this initiative off the November ballot. Instead, Mactaggart and various stakeholders and state lawmakers drafted a bill that varies slightly from the CCPA, but still provides consumers with certain rights to protect their data and requires businesses to develop and implement various new policies and procedures to comply. The bill (AB 375) was signed by California’ governor in June, meaning Mactaggart has agreed to withdraw the CCPA from the ballot.

As originally crafted, the CCPA would have applied to any business, regardless of location, that earns $50 million in revenue per year, sells 100,000 consumer records in a calendar year, or makes 50 percent of its annual revenue from selling personal data. This broad sweeping scope should be familiar to those responsible for ensuring readiness for the GDPR and its applicability to organizations outside of the European Union.

The new bill which was signed into law in June provides similar rights to consumers to protect their personal data, but also brings key differences from the CCPA. The law provides the following rights to consumers:

  1. The right to know what personal information is collected;
  2. The right to know whether their personal information is sold or disclosed and to whom;
  3. The right to opt-out of the sale of their personal information;
  4. The right to access their personal information;
  5. The right to request the deletion of their personal information; and
  6. The right to equal service and price, regardless if they exercise their privacy rights.

As originally proposed, businesses have 45 days to respond to consumer requests to exercise any of their rights. The key differences between the CCPA and AB 375 are that AB 375 provides the additional right to deletion and that AB 375 does not provide for a private right of action for any violation (more on this below).

Instead, AB 375 provides businesses with more allowance to limit penalty amounts. Businesses are provided a 30-day window to cure any alleged violations. If the business can prove the violations have been cured and that no further violations will occur, the state attorney general will not be able to pursue legal action. Overall, violators are facing a maximum penalty of $7,500 per intentional violation. Consumers are not provided a private right of action for violations of the rights listed above.

Additionally, AB 375 provides amended rules regarding data breaches. Consumers are provided with a private right of action and can seek damages in the event of a breach where the business has failed to implement “reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” Damages that occur as the result of a breach are limited to a maximum of $750 per consumer per incident.

AB 375 will apply to a slightly different array of businesses than the CCPA as it applies to any business that earns $25 million in revenue per year, sells 50,000 consumer records per year, or derives 50 percent of its annual revenue from selling personal information. As with the CCPA, AB 375 applies to any business collecting or selling personal information from California regardless of the physical location of the business.

These requirements will become effective beginning Jan. 1, 2020.

Businesses subject to this law will be required to implement various new policies and procedures ensuring the protection of personal information, including updates to privacy policies, “reasonable” security protections, and facilitation of consumer rights. Each request from consumers must be formally analyzed as various scenarios may exist in which a business does not have to honor a consumer’s request to exercise one of his/her rights.

Businesses subject to these requirements must begin to map out all personal information collected and shared from Californians. This analysis should include the categories of personal information collected, why the information is collected, and to whom the information is shared/sold. This will allow businesses to more easily respond to consumer requests as businesses can probably expect a high number of requests initially.

Lastly, businesses must determine how they will comply with this new regulation-”will the business honor these rights on a nationwide basis or will the business implement a process to determine the location of the consumer making the request and only honor those requests coming from California? How will it determine this?

ABOUT THE AUTHORS

Greg Sparrow is vice president & general manager of CompliancePoint’s Information Security Practice. He has over 15 years of experience with information security, cyber security, and risk management. His knowledge spans across multiple industries and entities including healthcare, government, card issuers, banks, ATMs, acquirers, merchants, hardware vendors, encryption technologies, and key management.

Matt Dumiak is director of Privacy Services, Customer Engagement Compliance at CompliancePoint focused on U.S. and international direct marketing compliance regulations. He works with clients in a variety of industries and is dedicated to providing reliable and practical consulting services. Dumiak has earned a Certified Information Privacy Professional (CIPP/US) certification from the International Association of Privacy Professionals (IAPP), a Customer Engagement Compliance Professional (CECP) certification from the Professional Association for Customer Engagement (PACE), and has a B.S. in Economics from Georgia College.