On June 28, 2018, the California legislature unanimously passed, and Governor Jerry Brown signed into law, AB-375, also known as the California Consumer Privacy Act of 2018 (CCPA), widely regarded as the strictest data privacy law in the United States to date. The new law grants California residents an expansive set of rights related to their personal information and requires significant transparency about how businesses collect, use, and disclose consumers’ personal information. Companies that are subject to the requirements have until January 1, 2020, the law's operative date, to get ready.
That date may sound like it’s a long way off, but it actually gives organizations less than 18 months to bring their processes, policies, and technical systems in line with the new requirements.
While some publications are calling this statute “California’s mini-GDPR,” there are some key differences between the two regulations. To help you better understand which organizations the CCPA affects, what it requires, and what it could mean for your company, we’ve created a brief overview that answers some of the most pressing questions around the law.
Which Companies Will CCPA Affect?
For-profit businesses, wherever they are based, have to comply with CCPA if they do business in California, collect, use, disclose, or receive personal information of a California resident, and meet one or more of the following criteria:
- Have annual adjusted gross revenues over $25 million, or
- Buy, receive, sell, or share personal information of at least 50,000 consumers, households, or devices (Note: This threshold can be exceeded inadvertently, because most companies operate websites and inevitably capture IP addresses, which are personal information), or
- Derive 50 percent or more of their revenues from selling consumers’ personal information.
Many U.S.-based businesses without employees in the EU left their HR systems and other employee data out of their GDPR readiness plans. Any business with employees in California will now need to include the data privacy rights provided by CCPA when it analyzes the life cycle of the data it holds.
Personal data of "households" and “devices” is included in the scope of the CCPA as well as data that does not even contain a name. For example, annual water or energy consumption of a household, a particular employee's job description, an internet protocol address, web browsing history, and "purchasing tendencies" are in scope of personal information, even without other identifying information.
What Rights Does the Law Give California Residents?
The law confers on California residents an array of rights concerning their personal information, including
- The right to request information about the types of data a business has collected about them, categories of sources, business purpose for collecting or selling information, and the categories of third parties with whom the business shares consumer personal information, along with specific information collected about the individual
- The right to access their personal information in a portable format, to the extent technically feasible, in a readily useable format that allows the consumer to transmit the information to another entity (perhaps your competitor) without hindrance
- The right to request deletion of their personal information by the business and by its service providers, colloquially known as the “right to be forgotten”
- The right to request that a business that sells their personal information (or discloses it for a business purpose) disclose the categories of information it sells or discloses
- The right to opt out of the sale of their personal information (Note: This opt-out model marks a key difference between CCPA and the GDPR, which generally requires a lawful basis, such as affirmative consent, before processing rather than an after-the-fact opt-out. Also note that the CCPA requires affirmative “opt in” before selling a minor’s personal information: consumers under 16 must opt in themselves, and for those under 13 a parent or guardian must do so.)
- The right to equal service and price, even if they exercise their privacy rights, “unless doing so is reasonably related to the value provided to the consumer by the consumer’s data”
How Does the Law Define “Personal Information?”
In addition to the usual components of personal information (name, postal address, email address, social security number, etc.), the CCPA’s definition also encompasses
- Biometric information, including DNA, fingerprints, retina, face, voice, and other identifiers
- Internet activity information, including browser history, search history, and interactions with websites, applications, or advertisements
- Geolocation data
- Professional or employment-related information
- Education information not publicly available
- Inferences from personal information to create a consumer profile reflecting preferences, attitudes, behavior, abilities, aptitudes, and other personal characteristics
What Are Legitimate Uses of Personal Information Under CCPA?
Unlike the GDPR, which names “legitimate interests” as a lawful basis but does not enumerate what qualifies, CCPA offers a definition of the “business purpose” that justifies the use of personal information. It defines business purpose as the use of personal information
- For operational purposes of the business or service provider, or
- For other “notified purposes,” if the use of personal information is “reasonably necessary and proportionate” to achieve the purpose for which it was collected or processed, or to achieve another operational purpose “that is compatible with the context in which the personal information was collected.”
The specific business interests listed in the statute include
- Auditing related to customer interactions (such as counting ad impressions)
- Detecting security incidents
- Debugging systems to identify and fix errors that impair functionality
- Short-term, transient use, provided the information is not disclosed to a third party or used to build a profile or alter the customer’s experience (e.g. contextual customization of ads shown as part of a single interaction)
- Performing services on behalf of the business or service provider, such as delivering customer service
- Performing internal research for technological development and demonstration
- Verifying or maintaining the quality or safety of a service or device that is owned, manufactured for, or controlled by the business
As is the case with GDPR, many aspects of the CCPA are open to interpretation, especially some of the broader exceptions, so the business community will be watching further developments closely. At this point, the most important action items will be to understand which of your data processing activities are affected and to begin creating a readiness plan.
Some steps that you can take now include the following:
- Determine whether and which parts of CCPA apply to your business.
- Assess your data life-cycle — where data pertaining to California residents, households, or devices enters your business, which IT systems it interacts with, and where it proliferates both inside and outside of your business.
- Perform a data map/process inventory to prepare for access, deletion, and portability requests.
- Perform a gap analysis and prioritize a remediation roadmap based on your risk tolerance.
- Update your privacy policies to include disclosures required by CCPA.
- Update your service provider contracts.
- Provide a clear and conspicuous “Do Not Sell My Personal Information” link on your homepage.
- Determine the age of California residents to be able to comply with CCPA provisions regarding personal data of minors.
- Consider your approach to change management to ensure that everyone who handles personal information and consumer inquiries knows how to handle them correctly.
Data privacy compliance can be a complex task with many steps and specific actions. Fortunately, Primitive Logic has extensive expertise in the areas of data governance, data architecture, integration, and data security. We’ve worked with organizations of all sizes, from SMBs to Fortune Global 100 companies. So leverage our expertise, and if you are unsure about any of the steps ahead, let us know.
Follow Jill Reber on Twitter at @PrimitiveCEO.