You’ve seen other organizations scramble with the GDPR. You have friends who work in healthcare discuss HIPAA. Neither of these laws applies to your business, however, which operates entirely in the United States. Privacy compliance simply isn’t a concern…right?
Not so fast: if your organization does a significant amount of business in California, there’s a new law you’ll have to account for: Assembly Bill 375, better known as the California Consumer Privacy Act. It promises to make new waves for privacy in the United States. If you want to avoid floundering under the new tide, listen up.
What is the California Consumer Privacy Act?
The California Consumer Privacy Act (CCPA) is privacy legislation that came into force in January 2020. Referred to by some as GDPR-lite, the legislation attempts to limit the unauthorized sale of California residents’ personal information (PI). The law also introduces data subject ‘rights’, a concept less widespread in the United States than in the European Union. While heavily criticized, it nonetheless breaks new ground for privacy in the United States, since California residents will have a new tool to find out what’s really going on with their data after collection.
Who does CCPA apply to?
As the name implies, the CCPA brings new privacy requirements to a specific set of organizations: businesses. The legislation does not apply to public sector offices or not-for-profits. Under CCPA, an organization is a business if it operates:
“for the profit or financial benefit of its shareholders or other owners.”
Size is another requirement for the law to apply. For your company to meet the definition of ‘business’ under CCPA, it must satisfy at least one of the following:
- Have gross annual revenue of over $25,000,000,
- Derive 50% or more of its annual revenue from selling personal information, or
- Annually buy, sell, receive or share for commercial purposes the personal information of 50,000 or more consumers, households or devices.
The law applies to both large corporations and smaller subsidiaries, including those that share brands or trademarks.
This may look like an exemption for small businesses, but it’s not that easy. For starters, all startups, particularly those developing Internet of Things technologies, will need to pay very close attention to revenue projections and unit sales, since each connected device can count toward the 50,000 threshold. The law also covers a number of online identifiers, which means it will affect businesses with robust online sales, popular websites and detailed analytics. CCPA only applies to personal information from residents of California, however, so if your business website doesn’t get regular visitors from the Golden State, you may be exempt.
There are also a few exceptions. Because similar legislation is already in effect for the following industries, information that those laws already regulate is carved out of CCPA. Note that the exemption attaches to the data, not to the organization as a whole, so a covered entity still has to account for CCPA for any personal information that falls outside the sector-specific law:
- Health and health insurance data (HIPAA and California’s Confidentiality of Medical Information Act)
- Financial data (Gramm-Leach-Bliley Act)
- Consumer credit reporting data (Fair Credit Reporting Act)
What are the penalties for failing to comply with CCPA?
This law allows the California Attorney General to take civil action against companies that do not comply with CCPA. There’s a civil penalty of up to $2,500 USD for each violation (read: each customer or user affected), and if your violations are found to be intentional, this rockets to up to $7,500 per violation.
Here’s an example: if you’re storing personal information in plaintext, and your database is breached, you’re looking at a potential penalty of $125,000,000 (the 50,000 data subjects that put you in scope x $2,500). If you had been warned about this issue beforehand and chosen not to act, this could potentially triple to $375,000,000. A breach caused by a failure to maintain reasonable security also opens a second front: CCPA gives affected consumers a private right of action, with statutory damages of $100 to $750 per consumer per incident (or actual damages, if greater), on top of anything the Attorney General pursues.
It goes without saying that this is enough to sink most businesses, but as mentioned above, only companies that meet at least one of the three thresholds (over $25 million in annual revenue, half or more of revenue from selling PI, or PI on 50,000 or more consumers, households or devices) are impacted. In other words, many small organizations are not affected by CCPA.
What changes does CCPA make?
One of the most positive steps of CCPA is opening a dialogue on consumer privacy rights in the United States. Although CCPA does not grant privacy by default, individuals who want to opt out of excessive data collection or sharing must have the ability to do so. Privacy is not just ‘nice to have’ or ‘optional’; it is a fundamental right every resident of California should enjoy.
As a result of CCPA, residents of California can now:
- Request that businesses disclose the categories and specific pieces of PI collected about them. CCPA allows 45 days to comply with verified consumer requests.
- Know where information is collected. Businesses must be able to disclose the categories of information sources. At present, acceptable ‘categories’ are not yet defined by the law.
- Understand the business’s purpose for collecting and selling personal information. A business must disclose its purposes, and may not use personal information for purposes beyond those disclosed.
- Prevent a business from selling their data, known as the right to ‘opt out’. Businesses that wish to sell information must notify users.
- Know the categories of third parties with which information is shared.
- Request a business delete their personal information. Businesses must delete information upon request, unless they can provide evidence the information is necessary for exempt practices, such as compliance with other legislation.
- Receive their personal information by mail or electronically. The information should be portable, and allow consumers to pass the information to other organizations.
CCPA also makes explicit provisions against interference with consumer privacy rights. Organizations may not charge or discriminate against customers asserting their privacy rights. A business may not charge a fee, require account creation or provide a lower quality of service because a consumer exercised their rights under CCPA. Under CCPA, a social media giant could not, for example, offer privacy only at a paid premium.
What counts as personal information under CCPA?
Whenever new privacy legislation hits, it is critical to understand the law’s definition of personal information. California’s new law in particular attempts to be as direct as possible about what information is “personal”, with detailed examples intended to reduce potential loopholes. Under CCPA, personal information means:
“information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”.
The law then lists categories that fall under that definition, including:
- Personal identifiers (name, address, account number).
- Characteristics of protected classifications under California or federal law (race, religion, disability and so on).
- Commercial information, such as purchase history.
- Biometric information.
- Internet or other electronic network activity, including browsing history, search history or interactions with devices, apps or websites.
- Geolocation data.
- Audio, visual, thermal or similar information.
- Professional or employment-related information.
- Education information.
- Other information that can be used to create a profile, including inferences drawn from identifiers, preferences, behaviors or other psychological trends.
There is an exemption to personal information that is already public, but beware before you start scraping profiles off of Facebook. Publicly available under CCPA means:
“information that is lawfully made available from federal, state, or local government records”.
Government-record data that a business uses for a purpose incompatible with the purpose for which the government maintains it does not count as ‘publicly available’, and neither does biometric information collected about a consumer without the consumer’s knowledge. If your organization is thinking of adding facial recognition capabilities, the CCPA will still apply. De-identified and aggregate consumer information is excluded from ‘personal information’, but only if it meets the law’s definition: the business must have technical safeguards and business processes that prohibit re-identification, and must not attempt to re-identify the data. Simply stripping names from a dataset does not qualify.
Given the level of detail, organizations should assume any information collected about their customers is ‘personal information’ under CCPA, unless they are informed otherwise by legal expertise. As of March 2019, an amendment to exempt employee data from the law was under consideration in the legislature, so the status of employee data may change.
What can my business do to be ready?
First of all, be aware that privacy is changing. In addition to the CCPA, more privacy laws are coming into force worldwide. If you collect PI, always confirm where your customers come from and what laws apply. For the CCPA, you’ll need to know what information you collect, what your organization uses it for, and where it resides in case a customer requests erasure. You’ll need to update any records or profiles to record the customer’s opt-out, and make certain opted-out customers are not included in information sold.
You’ll also want clear messaging ready about what information you collect, when you collect it, how you collect it, and why you need to process it. Under CCPA, a business that collects personal information about consumers shall disclose:
- The categories of personal information it has collected about that consumer.
- The categories of sources from which the personal information is collected.
- The business or commercial purpose for collecting or selling personal information.
- The categories of third parties with whom the business shares personal information.
- The specific pieces of personal information the business has collected about that consumer.
There are operational aspects to consider, too. For instance, you’ll likely want to appoint a compliance officer responsible for handling requests, analyzing your projections and PI dataset to see if you’re impacted (and compliant), and introducing more privacy-friendly management processes, such as automatically deleting data if a user’s account has been inactive for a specific amount of time.
A duty to verify consumer requests
When outlining consumer rights, the CCPA makes it clear that information should only be passed forward in response to ‘verified consumer requests’. These are requests made by the consumer, the consumer’s legal guardian, or a person the consumer has authorized to act on their behalf (including one registered with the Secretary of State). Businesses, in turn, must be able to verify the identity of the person and their right to make an information request. If a business cannot verify the consumer, it is not obligated to provide the information.
This distinction may seem small, but for consumers and organizations it can make a big difference. By requiring ‘verified consumer requests’, the CCPA builds active steps against fraud into the legislation. It would otherwise be easy for impersonators to obtain sensitive information simply by asking for it; by verifying requests, businesses can confirm they are dealing with the right party. Verification of the request also confirms the data subject is a resident of California and that the law applies.
Active opt-outs and specifics for minors
What about customers who want to actively exercise their privacy rights? CCPA includes requirements on how customers can get in touch and make clear that their PI is not yours to sell. At a minimum, customers must be able to submit requests through a toll-free telephone number and, if you maintain a website, through that website. On your website, include a page that allows customers to directly opt out of the sale of their data, linked from your homepage under the title “Do Not Sell My Personal Information”. You may omit the “Do Not Sell” link from your main site only if you maintain a separate page specifically for the privacy rights of California residents, and that page carries the link.
If your business is collecting data from minors, the rules change slightly. Instead of allowing minors to opt out, CCPA is clear that consumers under the age of 16 must opt in, actively giving their permission for the sale of their data. If the consumer is under the age of 13, you must receive opt-in consent from their parent or legal guardian. Services, programs and businesses collecting or processing information from minors should always exercise caution. In addition to CCPA, the federal Children’s Online Privacy Protection Act will apply to the data of all customers under the age of 13.
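The opt-out and minor opt-in rules above are easy to describe and easy to get wrong in an export pipeline, because the default flips on age: adults are sellable unless they opt out, while anyone under 16 is withheld unless an opt-in is on file, and under 13 that opt-in must come from a guardian. The following is an added example, not code from the original article, showing a gate that applies those rules to a consumer dataset before it is sold. The record layout, the `Consent` states, the `consent_given_by` field and the choice to treat an unknown age as under 13 are assumptions made for this illustration; the sample records are constructed, and the example assumes every record belongs to a California resident (residency is settled during request verification, not here).

```python
"""Gate a consumer dataset against CCPA 'do not sell' and age-based opt-in rules.

Added example, not code from the original article. Data model, consent states
and the 'unknown age counts as under 13' default are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Consent(Enum):
    NONE = "none"            # no choice recorded yet
    OPTED_OUT = "opted_out"  # consumer used "Do Not Sell My Personal Information"
    OPTED_IN = "opted_in"    # consumer (or guardian) actively agreed to sale


@dataclass(frozen=True)
class ConsumerRecord:
    consumer_id: str
    birth_date: Optional[date]               # None when never collected
    consent: Consent = Consent.NONE
    consent_given_by: Optional[str] = None   # "consumer" or "guardian" (assumed field)


def age_on(record: ConsumerRecord, today: date) -> Optional[int]:
    """Age in completed years on `today`, or None if the birth date is unknown."""
    if record.birth_date is None:
        return None
    b = record.birth_date
    return today.year - b.year - ((today.month, today.day) < (b.month, b.day))


def sale_decision(record: ConsumerRecord, today: date) -> Tuple[bool, str]:
    """Return (allowed, reason) for including this record in a sale.

    Adults (16+): allowed unless opted out.
    13-15: withheld unless an opt-in is on file.
    Under 13, or age unknown (conservative assumption): withheld unless the
    opt-in was given by a guardian.
    An opt-out always wins, whatever the age.
    """
    if record.consent is Consent.OPTED_OUT:
        return False, "consumer opted out"
    age = age_on(record, today)
    if age is None or age < 13:
        if record.consent is Consent.OPTED_IN and record.consent_given_by == "guardian":
            return True, "guardian opt-in on file"
        return False, "under 13 or age unknown: guardian opt-in required"
    if age < 16:
        if record.consent is Consent.OPTED_IN:
            return True, "minor opt-in on file"
        return False, "under 16: opt-in required"
    return True, "adult with no opt-out"


def filter_for_sale(records: List[ConsumerRecord], today: date) -> Tuple[List[str], Dict[str, str]]:
    """Split records into sellable ids and a withheld-id -> reason map for the audit log."""
    sellable: List[str] = []
    withheld: Dict[str, str] = {}
    for r in records:
        allowed, reason = sale_decision(r, today)
        if allowed:
            sellable.append(r.consumer_id)
        else:
            withheld[r.consumer_id] = reason
    return sellable, withheld


# Constructed sample data; evaluated as of 1 March 2020.
SAMPLE_TODAY = date(2020, 3, 1)
SAMPLE_RECORDS = [
    ConsumerRecord("c1", date(1985, 6, 15)),                               # adult, no choice
    ConsumerRecord("c2", date(1985, 6, 15), Consent.OPTED_OUT),            # adult, opted out
    ConsumerRecord("c3", date(2006, 1, 10)),                               # 14, no opt-in
    ConsumerRecord("c4", date(2006, 1, 10), Consent.OPTED_IN, "consumer"), # 14, opted in
    ConsumerRecord("c5", date(2010, 9, 30), Consent.OPTED_IN, "consumer"), # 9, self opt-in is not enough
    ConsumerRecord("c6", date(2010, 9, 30), Consent.OPTED_IN, "guardian"), # 9, guardian opt-in
    ConsumerRecord("c7", None),                                            # age unknown
    ConsumerRecord("c8", date(2004, 3, 1)),                                # turns 16 today
]

if __name__ == "__main__":
    ok, held = filter_for_sale(SAMPLE_RECORDS, SAMPLE_TODAY)
    print("sellable:", ok)
    for cid, why in held.items():
        print(f"withheld {cid}: {why}")
```

Run this as the last step before any dataset leaves for a buyer, and keep the `withheld` map: it is the evidence you will want when a regulator or a consumer asks why a record was, or was not, included. Note that the unknown-age branch is deliberately the strictest one; if your business never collects birth dates, every record without an explicit guardian opt-in is held back, which is the safe failure mode for a rule whose penalty is assessed per affected consumer.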
For businesses that have been profiting off of personal data, California’s new privacy law may be a warning. A study reported in USA Today found that Americans are more concerned with data privacy than with job creation.
There are pushes to see data privacy become federal law, but as Neema Singh Guliani reports in the Washington Post, what some companies may want is weaker federal law that can overturn CCPA. Meanwhile, privacy advocates, including the creators of privacy browser Brave, are concerned CCPA doesn’t go far enough, with too many loopholes that can be exploited. Whether additional amendments will be written into the law remains to be seen. However, given the steep penalties for non-compliance, preparation is definitely the wisest course of action.