CCPA Compliance Prep for Small & Medium-Sized Businesses
The California Consumer Privacy Act (CCPA) takes effect in a little over six months, and similar to the GDPR, it has many businesses wondering how difficult compliance will be. However unlike the GDPR, the CCPA is not yet a fully-fleshed out law. It lacks regulations (expected Fall, 2019) and clarity on the definition of several key terms; several bills to amend the law are currently in debate.
The CCPA’s vagueness is not cause for panic. Though the law takes effect on January 1, 2020, the California Legislature passed SB-1121, which extended the deadline for the California Attorney General to draft and adopt the law’s implementing regulations, as well as delayed the AG's ability to bring an enforcement action under the CCPA, to July 1, 2020. (CCPA § 1798.185(a), (c)). In other words, SB-1121 bought businesses a bit of time.
While awaiting the CCPA’s final form, forward-thinking businesses can still take action. Moreover, because the CCPA is modeled in part on the General Data Protection Regulation which took effect in May, 2018, good compliance frameworks exist. Below are a few suggestions to start your compliance effort; if this all sounds like a giant headache, SK&S can help.
1. Check whether the CCPA applies to you.
Many businesses can determine whether the CCPA applies to them with relative ease. If your business:
· Has gross annual revenue of less than $25 million;
· Does not receive personal information of 50,000 or more consumers, households, or devices; or
· Makes less than 50% of its revenue from selling consumers’ personal information;
You are not subject to the CCPA. Counsel can help parse what “personal information” and “sell” mean because the CCPA defines both those terms expansively (more on sales below). You may still want to comply with the CCPA if your business plans on crossing any of these thresholds, but if you don't, kick back and enjoy the coming fracas from the sidelines.
2. Map your data.
Data mapping is the single most important step you can take to comply with the CCPA. Either using excel, counsel, or one of the many software tools built for this purpose, create a written record of:
· Every piece of data you collect from consumers (determine whether it’s Personal Information later);
· Where you get that data from;
· Why you collect it;
· What you do with it;
· Who you share it with;
· How it’s secured.
Once you have mapped your data, drafting a privacy notice and beginning targeted compliance efforts becomes much easier. You will be able to identify gaps in your compliance, assess risk, pull in the appropriate stakeholders, and more.
3. Scrutinize data sales.
The CCPA defines a “sale” of Personal Information as the “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means” the Personal Information of a Consumer to another business or third party “for monetary or other valuable consideration.”
While we do not know yet what “valuable consideration” means, lawyers know the word “consideration” as something one would exchange to create a contract. In other words, if your business is getting free PR work in exchange for access to its email list, it would be prudent to call that a sale of Personal Information.
The CCPA also requires that businesses provide a “Do Not Sell My Personal Information” button on their websites.
Therefore, if your business sells anything but the most anonymized of data, consider whether that practice is worth the work needed to give consumers the right to opt out. If selling the data is still worth it, you may have to build the capability for consumers to exercise their rights, including request triage, internal implementation, and even identity verification.
4. Prepare for personal rights requests, but prioritize security.
Many have written about the CCPA granting consumers a personal right of legal action against businesses. However the personal right of action is only for consumers affected by data breaches. Because the CCPA contains rights to deletion, portability, information, opt-out, non-discrimination, among others, it is tempting to assume the personal right of action extends to violations of all CCPA rights; it does not. In fact, the California Senate recently shot down a proposal to extend the personal right of action to other rights in the CCPA. So, if you're a business worrying about a raft of consumer suits, focus on securing consumer personal information because only data breach carries a risk of individual lawsuits under the CCPA.
5. Prepare to train your staff.
A key component of CCPA compliance will be training staff on their privacy responsibilities. From ensuring IT monitors your systems for evidence of unauthorized access, to prepping customer service on how to deal with incoming rights requests, to begging technical experts to minimize collection of Personal Information, CCPA compliance is a company-wide effort that starts with awareness. Companies with HIPAA or GDPR obligations will recognize the shift to privacy awareness that must occur, and that shift has to start from the top. Making key department heads into allies by giving them input on the compliance process instead of orders goes a long way.
Are you preparing to comply with the CCPA or another privacy law? Contact SK&S privacy attorney Thomas Codevilla at Codevilla@skandslegal.com or 720-608-4799. Thomas has extensive experience in CCPA, GDPR, and COPPA compliance.