With the CCPA (California Consumer Privacy Act) in effect as of January 1, but regulations still being revised and finalized, businesses are struggling to know what they need to do now to comply. If your business has not yet taken steps to comply with the CCPA or is still uncertain about the precise steps to take, now is the time. We raise and respond to 10 questions below that every business should be asking itself to assess its current status and next steps for CCPA compliance.
The relevant factors for determining whether a business is subject to the CCPA have remained the same despite the shifting draft regulations. Namely, if: (1) you are a company (excluding non-profit and government entities) that (2) collects personal information – or on whose behalf such information is collected – that alone or jointly determines the purposes and means of processing that information, and (3) you do business in the State of California, then you are subject to the CCPA if: (a) you have gross annual revenue (not limited to CA) of more than $25 million; or (b) you collect the personal information of 50,000 or more California residents, households or devices annually; or (c) 50% or more of your annual revenues are derived from selling consumers’ personal information.
Whether you are “doing business” in California is somewhat ambiguous, but will likely be determined by factors indicating intentional, repeated economic activity in the state (i.e., not an unintended or isolated transaction). A physical presence in the state is not necessary, as repeated transactions remotely or online will likely suffice, as could soliciting or advertising to California consumers. Moreover, the 50,000-consumer/device/household threshold may capture a significant number of businesses since IP addresses, geolocation information, or other internet-collected information is defined as personal information under the statute. Although the new draft regulations state that IP addresses that cannot reasonably be linked to a consumer or household would not constitute personal information, it remains somewhat unclear under what circumstances information such as IP addresses can or cannot be reasonably linked or associated with a specific consumer or household in light of, or in combination with, other available information.
Privacy policies should be posted through a conspicuous link using the word “Privacy” on the business’s website homepage and in the settings menu of a mobile application. Privacy policies also need to be easy to read and understand, capable of being printed, and accessible to consumers with disabilities, including by following Web Content Accessibility Guidelines, version 2.1 from the World Wide Web Consortium.
By now, you probably know that “selling” personal information as defined in the CCPA encompasses more than simply selling personal data to third parties in exchange for money. “Selling” under the CCPA is defined as any disclosure of personal information for valuable (not necessarily monetary) consideration and may encompass disclosures of personal information to service providers, use of data analytics tools, or other disclosures in the course of business relationships. Mapping the data collection and sharing practices of your business is essential, and if you are disclosing data to a third party for any reason, you should consider whether it might constitute a sale and whether you need to disclose that sale and offer an opt-out right or whether you can avoid the disclosure being deemed a sale by entering into a written contract that restricts the further use of the information.
The primary way to avoid the disclosure of personal information to a third-party service provider being deemed a “sale” under the CCPA is to enter into a written contract, certified by the service provider, that restricts the further use or disclosure of that data by the service provider for purposes other than providing your business with the relevant services. All businesses covered by the CCPA should consider revising their vendor and service provider agreements to include restrictions and prohibitions on the service providers’ use or sale of personal information disclosed to them other than to provide services to the business. The new draft regulations clarify that service providers may use information disclosed to them for internal use to build or improve the quality of their services, detect data security incidents and fraud or illegal activity, or to retain and employ other service providers as subcontractors if they meet the requirements, without the disclosure being deemed a “sale.”
Most businesses must provide two or more methods for submitting consumer requests, including a toll-free number (mandatory for requests to know), an online interactive form (mandatory for requests to opt-out of sale), a designated email address, a form submitted through mail, or, where interaction is primarily in-person, a printed form or a computer portal. Requests to opt-out of sale should require minimal steps and be easy for consumers to execute. Note that businesses that operate “exclusively online” and have a direct relationship with their consumers need only provide an email address for submission of requests to know. More than two methods of submission for consumer requests may be advisable, and businesses should consider the way they primarily interact with consumers when determining what methods to offer.
Businesses will also need to provide a separate Notice to Opt-Out of Sale Of Personal Information if they are selling personal information, and/or a Notice of Financial Incentive if they are offering financial incentives to consumers to retain, disclose or sell their data. These notices would typically be given via a link on the website homepage or mobile download page. All notices should be easy to read and understand and accessible to persons with disabilities.
Businesses have 10 business days to acknowledge receipt of requests to know/delete and 45 calendar days to respond substantively to those requests (with an additional extension of 45 calendar days in some cases). By contrast, businesses have only 15 business days to process and comply with requests to opt-out of the sale of information. The new draft regulations excuse businesses from notifying all third parties to whom they have previously sold data about a consumer’s opt-out request, but businesses must still notify any third party to whom the business sells the consumer’s data after receiving the opt-out request (but before complying with request) and instruct that third party not to sell that consumer’s information.
The guidance for how to verify consumer identities remains somewhat ambiguous. In general, businesses are instructed to tailor a consumer identity verification process to the sensitivity and risk of the personal information at issue. The regulations provide that no business should disclose certain sensitive categories of personal information (i.e., the data breach categories mentioned in No. 10 below) in response to a consumer request. But aside from a couple of clear rules, the verification process is largely left to the business. Businesses with password-protected accounts for their users are fortunate because they can use such accounts to verify identities by having consumers re-enter their credentials for the account. Businesses without such accounts for their users, however, must match either 2 or 3 pieces of personal information maintained by the business with information provided by the consumer and, in some cases, require the consumer to provide a signed affidavit under penalty of perjury that they are the consumer who is the subject of the data request. Because businesses are discouraged from collecting additional information in order to verify identities, but must also ensure that the process is sufficiently stringent for the data involved, businesses will need to determine what pieces of personal information can be used to sufficiently and accurately identify consumers. For businesses that maintain customer purchase information, the regulations suggest that verifying the consumer’s identity might involve requiring the consumer to identify items recently purchased or dollar amounts of recent purchases. In any event, the regulations require that a business deny requests to know specific pieces of personal information if the business cannot verify the identity of the requestor to the required level of certainty. However, businesses that have no sufficient method to verify identities of consumer requestors may be subject to greater regulatory scrutiny.
An October 2019 amendment to the CCPA provided for a one-year exemption to employee or job applicant data (used only in the employment or application context) from full coverage of the CCPA. This means that employees cannot make consumer requests to know or delete to their employers regarding their personal information collected as part of their employment. Businesses are still required to provide employees and job applicants with notice regarding the collection, use, and disclosure of their personal information, however, and employees will still be able to bring a private right of action in the event of a data breach.
One of the most dreaded aspects of the CCPA for businesses is the private right of action, with statutory damages, arising from the unauthorized access to (i.e., breach of) certain sensitive categories of personal information (e.g., driver’s license, social security number, account number in combination with security code or password, medical or health insurance information, automated license plate recognition data, email address in combination with password or security question, or biometric data). As a preliminary matter, the private right of action is limited to unauthorized access to this data in nonencrypted and nonredacted form, so businesses should store all such data in encrypted or redacted form. Additionally, businesses should review their security practices and procedures for consistency with industry standards for security, including the Center for Internet Security (CIS) Top 20 Controls, the International Organization for Standardization (ISO) 27001 standards, and the National Institute of Standards and Technology (NIST) framework, among others. While the CCPA does not identify a single standard as sufficient to be reasonable, following industry-standard guidelines for security is a safe bet.
This list is not intended to be comprehensive of all legal requirements and obligations under the statute and regulations. For example, there are various statutory and subject matter exemptions to the statute (e.g., exemptions for certain personal health and financial information governed by other statutes and exceptions to the requirement to delete consumer data when needed for specified business purposes). Additionally, there are special rules applicable to personal information of minors and to businesses that collect personal information of more than 10 million consumers annually or that offer financial incentives to allow them to use, retain, or sell consumer information. You should consult legal counsel regarding compliance requirements for your specific business and practices. However, the questions set forth above address many of the basic compliance questions companies may have about the CCPA as its enforcement data approaches.
For further information, contact Coblentz Cybersecurity & Data Privacy attorneys Scott Hall (firstname.lastname@example.org) and Foram Dave (email@example.com). You can also review additional CCPA articles and resources in our CCPA Resource Center.