After roughly two years of seemingly non-stop GDPR conversation, the California Consumer Privacy Act of 2018 (CCPA) is the latest new kid on the block in privacy compliance, and with its broad scope reaching beyond the borders of California (the fifth-largest economy in the world) it creates unique challenges for the over 500,000 businesses estimated to be subject to the new law.1
Like the GDPR, one of the primary aims of the CCPA is to protect consumers from data misuse, while empowering them with certain rights that require transparency from businesses and provide some control over how that personal information is used.
The CCPA, which will take effect on January 1st, 2020, will force certain companies that conduct business in the State of California to implement structural changes to their privacy programs. In particular, the new rights provided to California residents include the right to request information, right of deletion, and right to opt-out of the sale of one’s personal information. These rights, although not as comprehensive as what is provided by the GDPR, do result in some useful overlap.
The CCPA was quickly passed by the California legislature on June 28th, 2018 and signed into law later that day by Governor Jerry Brown. It came as quite a surprise to many U.S. privacy professionals, especially given that, as one commentator observed, “[t]he GDPR took 4 years to develop; in contrast, the California legislature will spend a grand total of 7 days working on this major bill.”
While it is possible, perhaps even likely, that the CCPA will change between now and its January 1st, 2020 effective date, businesses subject to it would be wise to begin their compliance efforts today and make adjustments as necessary, rather than waiting until the eleventh hour.
Luckily, businesses that have already been pursuing GDPR compliance have a head start toward CCPA compliance that should not be overlooked. This article addresses some of the key similarities between the CCPA and the GDPR, with a focus on leveraging existing work and building a privacy program that can stay agile as new laws such as the CCPA get added to the privacy compliance puzzle.
Right to Request Information
Under the CCPA, California residents (“consumers”) will have a right to request the following information from a business that is collecting their personal information:
The categories of personal information collected
The specific pieces of personal information collected
The categories of sources of personal information
The business or commercial purpose for collecting or selling the personal information
The categories of third parties with whom the business shares personal information
Similarly, if a business sells the consumer’s personal information, that consumer can request the following:
The categories of personal information collected
The categories of personal information sold
The categories of third parties to whom the personal information has been sold
The categories of personal information sold to each third party
The categories of personal information that were disclosed about the consumer for a business purpose
Upon receipt of a ‘verifiable consumer request,’2 this information must be promptly delivered to the consumer, free of charge, either by mail or electronically. However, if delivered electronically then, to the extent feasible, the information must be transmitted in a portable and readily usable format that allows the consumer to transfer personal information to another entity. Additionally, the business can provide the information to the consumer at any time, but cannot be required to provide it more than twice in a twelve-month period.
Right to Opt-Out
Consumers also have the right to request, at any time, that a business that sells their personal information stop doing so, and to enable this right, businesses must provide a clear and conspicuous link on their website homepage, titled “Do Not Sell My Personal Information,” to another page where the opt-out can be submitted.
Upon receiving an opt-out request, the business may no longer sell that consumer’s personal information unless they subsequently receive express authorization from the consumer to re-engage in the sale; however, the opt-out must be respected for at least 12 months before a business may request authorization.
Sale of Children’s Personal Information
The CCPA also includes a general prohibition on the sale of personal information of children without prior affirmative authorization. Specifically, businesses may not sell personal information of consumers where there is actual knowledge that those consumers are below age 16, unless the business has: a) received affirmative authorization from the child for children between 13 and 16; or b) received affirmative authorization from the parent or guardian for children below 13.
Right of Deletion
Consumers also may request deletion of any personal information collected about them by the business, and upon a verifiable consumer request, the business must delete the information from its records, and must direct service providers to do the same. Of course, like the GDPR, the CCPA includes a long list of exceptions to the right of deletion, including the need to comply with a legal obligation, or for security reasons, or to complete a transaction for which the information was collected.
Obligation not to discriminate against consumers who have exercised their rights
Businesses also are not allowed to discriminate against consumers who have exercised any of the above rights, for example, by denying goods or services; charging different prices or rates, including through discounts, benefits or penalties; providing a different level or quality of goods or services; or suggesting that the consumer will receive a different price, rate, level or quality. There is one caveat to this, however, and that is where the difference in service is reasonably related to the value provided to the consumer by the consumer’s data. Additionally, the Act clarifies that it is acceptable for businesses to offer financial incentives to consumers in exchange for the collection, use or sale of their personal information, as long as it is within certain parameters (the incentives cannot be “unjust, unreasonable, coercive or usurious”).
At this point it is clear that the CCPA and the GDPR overlap in the area of data subject rights, and that there are tools available that can support both. What is less apparent are the other areas of operational overlap with the GDPR that organizations can take advantage of in preparing for the CCPA.
Many organizations have viewed the building of records of processing as the first step in privacy compliance efforts, as doing so can serve as a foundation for tackling a multitude of obligations across frameworks (not only GDPR Article 30). This work can and should be leveraged for purposes of CCPA compliance, as it is imperative to identify the personal information that your organization processes, as well as where those data subjects are located. Knowing this will help you identify which laws are triggered by a data subject request (e.g., CCPA versus GDPR) and what your obligations are.
Operationally, up-to-date records of the above information will need to be kept in order to adequately respond to a request for information. One of the first places that we see many of our customers at OneTrust go to is building a data inventory, which becomes instrumental in properly handling data subject rights. Tools for managing data subject requests can help streamline the intake, management and fulfillment of requests, and in combination with a data map or data inventory, can ensure that requests are handled efficiently and accurately.
Create Standard Operating Procedures (SOPs)
If you dig into your organization’s data subject request workflow, odds are you will find that the workflow is not contained within any single part of the organization—there are multiple different collection points and public-facing areas where data subjects interact with the organization, and different teams that a request touches before it can be fulfilled.
For example, a request might be recorded by a member of the customer support team, who then forwards the request to the privacy team, who then might make an assessment as to whether the request is valid, what laws are triggered, etc. Privacy might then have to create a ticket to IT, sales or marketing to make the requisite changes (e.g., deletion, opt-out, or portability). After the changes are confirmed, privacy might either handle the response themselves, or forward it back to the support team to contact the data subject. And all of this must be done within 45 days of receipt of the request, which may seem like a long time at first, but, as any seasoned privacy professional knows, can go by in a flash if not managed well.
Of course, this is just one example—there are a number of different scenarios that need to be anticipated (e.g., web-form submission, in-person, email opt-out, etc.), and these scenarios and how they are to be handled should be mapped out in a standard operating procedure (SOP) to ensure accuracy and consistency in handling. In the end, it will make life much easier if decisions on how to handle different requests are made ahead of time, rather than on the fly.
Consent & Preference Management
The right to opt-out of the sale of personal information can be treated similarly to withdrawal of consent. A tool needs to be provided to consumers so that they can indicate their wishes in a clear and unambiguous way, and your organization needs to facilitate that process and respect the consumer’s wishes to opt out. Therefore, if your organization has already implemented a tool for consent and preference management, you could expand your use of that tool to this purpose as well, enabling the right to opt-out, while creating and managing records of those preferences.
Businesses are also responsible for ensuring that the individuals who handle consumer inquiries about privacy practices or CCPA compliance are informed and educated on how to direct consumers to exercise their rights.
From an operational perspective, this highlights the privacy team’s role in translating legal requirements for the workforce, facilitating the training process, and ensuring that the training actually works. For instance, will your employees know a data subject request when they see one? Will they know the workflow or standard operating procedure (SOP) and where to find it if they do not?
Again, if you have had any experience with GDPR or other privacy laws, you may already have training in place that you can expand to reflect some of the nuances of the CCPA, to ensure that you are covering all your bases at once.
Privacy by Design
Privacy by Design is a framework encouraging the proactive embedding of privacy into the design specifications of information technologies, network infrastructure and business practices, thereby achieving the strongest privacy protections possible. The term “privacy by design” was originally coined by Dr. Ann Cavoukian while she was the Information and Privacy Commissioner of Ontario, Canada. Dr. Cavoukian broke Privacy by Design (PbD) down into “7 foundational principles.”
An integral part of any privacy by design program is the privacy impact assessment (PIA)—a tool used to identify and reduce privacy risks, and ensure that you have considered the various privacy requirements and principles that a particular activity might be subject to. For instance, the CCPA specifically calls out the principles of notice, data minimization and purpose limitation, all of which can and should be examined in a PIA:
A business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.
To ensure that privacy is baked into the collection, use and disclosure of personal information, organizations should also consider delegating to privacy champions in different business teams who can help facilitate privacy by design efforts, such as in ensuring data minimization and purpose limitation in the development of new products and services, and in handling data subject requests.
The CCPA is a law unlike any other in the United States and will have a broad impact. Companies will need to begin preparing as early as possible to be ready to respond to the new rights provided to consumers, as well as to any potential changes to the law that could be made between now and January 1st, 2020.
1 While this article will not fully explore the issue of scope, it is important to note that the CCPA provides certain thresholds for companies doing business in California before they are considered subject to the law. According to research conducted by the International Association of Privacy Professionals, the law will affect an estimated 500,000 businesses.
2 The California Attorney General is expected to establish rules and procedures for identifying a ‘verifiable consumer request.’