by Kellie M. Delaney
No sooner did many big companies breathe a collective sigh of relief that they had tackled some of their obligations under the EU’s General Data Protection Regulation (GDPR), than the California Legislature passed the California Consumer Privacy Act of 2018 (CCPA), aiming to head off a state ballot initiative that was otherwise headed for the November ballot. The CCPA will take effect on January 1, 2020. So California businesses – and anyone who does business with California consumers – are understandably asking, now what?
Background on the GDPR
The GDPR is a comprehensive regulatory framework from the European Union that extends a host of privacy rights to individuals, among them the right to be forgotten, the right to data portability, the right to correct data that’s incorrect, and others. It could apply to companies who have employees in the EU or who hold or process some kind of personal data of an EU citizen. It includes extensive requirements for security breach notifications, designation of a data protection officer, requirements for international data transfers and sanctions that could be as high as 4% of a company’s annual revenue.
Suffice it to say, the GDPR is a really big deal if you do business in the EU and handle personal data of any kind. Companies were required to be compliant with GDPR in May 2018. In one PwC survey, 88% of companies expected to spend over $1M to comply with GDPR.
Many small businesses (SMBs) are under the impression that, as SMBs, they are not covered by the GDPR. However, if you handle the data of an EU individual on a regular basis, you are probably subject to the GDPR. The only exemption is for SMBs that handle such data only occasionally.
Which Businesses are Covered by the California Consumer Privacy Act
There are 3 different ways to be considered a “business” (basically a “data controller” in GDPR terms) covered by the CCPA. An entity that collects consumers’ personal information, determines how it is processed, and does business in California is covered if (1) its annual gross revenue is greater than $25M; or (2) it receives or discloses personal information of more than 50,000 consumers, households, or devices each year; or (3) it derives more than 50% of its annual revenues from selling consumers’ personal information. A “service provider” (a “data processor”) is covered when the entity processes information on behalf of a business, for a business purpose, pursuant to a written contract. In that case, the contract must prohibit the service provider from retaining, using, or disclosing the information for any purposes other than those covered by the contract or otherwise permitted by the CCPA.
Those thresholds may appear to exclude many small businesses from the ambit of the CCPA, but consider this: if you have a website that gets on average 150 unique visitors per day, that amounts to over 50,000 per year, and you may need to comply with the CCPA if you collect personal information from those consumers.
California laws define personal information in various ways. But broadly speaking, most laws define “personal information” as information that could be used to identify a particular person. Some data, like healthcare details or a Social Security number, is usually recognized as sensitive personal information. The CCPA goes further and includes “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household,” which could include a device associated with a particular household (like an Alexa, or a Wi-Fi IP address).
What to Expect Next
Although it’s not an omnibus law like the GDPR, the CCPA is a more comprehensive data privacy scheme than most jurisdictions in the United States have ever passed. Among other things, it has provisions for breach notifications, civil penalties, the right to opt out of data sales, and a private right of action for security breaches with unauthorized disclosure when the data is unencrypted and not redacted. The California Attorney General’s office is responsible for drafting regulations and for enforcement of the CCPA.
That said, the CCPA is far from final. According to a recent panel sponsored by the IAPP at Santa Clara University, substantive changes to the law will be pursued by the California Legislature in 2019. The legislature expects significant pressure from industry lobbyists to limit the scope of the CCPA.
One thing is sure: the CCPA is not going away. Assuming there is no federal law passed, California—and other states—will continue to pass and amend laws that govern data privacy and impose steep penalties for the failure of cybersecurity measures that result in data breaches. Even with different state laws, most of the concepts and principles embodied in these laws will be similar.
That means there is no need to sit on our hands and wait to see what happens. Every business, of every size and scope, can take steps now to do a data privacy assessment. If you have employees or customers and you retain records of your transactions with them, you are probably a “data controller” who has obligations, legal and ethical, to keep that data secure.
How to Prepare for the CCPA and Smart Data Practices
All businesses can benefit from understanding the data they do have. There are plenty of other privacy laws on the books in addition to the CCPA and the GDPR, and having an inventory of your data, relevant policies, and record retention practices can save you many headaches for all kinds of reasons. You can start your assessment with these steps:
1. Document the personal data your organization handles. Identify the data you have, where it’s located, how it was obtained, who you share it with, why you obtained it in the first place, and whether it’s still relevant or necessary for you to keep it.
2. Assess whether you could respond to a request from one of your data subjects to delete, update, or move the data somewhere else.
3. Be sure you have obtained the necessary consent for collecting, retaining, or processing personal data. You may be obligated to provide a mechanism for consumers to opt out of the sale of their personal information.
4. Develop a plan for what you would do in the case of a data breach.
5. Appoint someone as your data privacy contact. For companies subject to the GDPR, this person—a Data Protection Officer—is a requirement.
When you develop a compliance approach to the CCPA, think broadly about the types of personal information your business collects. At a minimum, you will need to update your privacy policies, websites, and related procedures when the CCPA takes effect.
Contact us today for more information. We’re following the development of the CCPA and available to consult with companies who need guidance on GDPR, CCPA, and other privacy issues.
Kellie M. Delaney is Of Counsel at Clear Sky Law Group. She can be reached at (510) 556-0367 or kdelaney@clearskylaw.com.