Another year, another privacy law on the horizon. In 2018, the big push was compliance with the European Union General Data Protection Regulation (GDPR). In 2019, companies are reeling from a new data protection law passed by ballot initiative. The California Consumer Privacy Act (CCPA) intends to place new requirements on companies that collect California residents’ personal information. But the question remains, in the morass of regulatory writing, “What is the CCPA? How do I navigate the requirements?”
Requirements of the California Privacy Law
What is the reason for this California law?
In the findings and declarations, the new law sets forth a series of reasons for its existence. Unlike the EU, the United States lacks a cohesive set of data privacy requirements. Recognizing that the internet has changed privacy rights exponentially, Californians for Consumer Privacy, a non-governmental organization, forwarded their suggestions to the California Attorney General in November 2017.
The initiative led to the adoption of the CCPA which intends to protect consumer data compromised as the result of a data breach. In June 2018, the California Legislature passed the bill. On September 23, 2018, Governor Jerry Brown signed amendments to the California Civil Code enforcing the measure.
What do the California privacy requirements mean to businesses?
While focusing in part on data security, the privacy law focuses less on networks, software, and systems and more on consumers controlling data.
Although January 1, 2020, appears to be the date the law becomes effective, the CCPA requires that the attorney general publish additional regulations between Jan. 1, 2020 and July 2, 2020, that seem designed to clarify the law.
To fall under the CCPA’s regulatory umbrella, a business must meet at least one of three requirements:
- Generating annual gross revenue of over $25 million
- Receiving or sharing the personal information of more than 50,000 California residents
- Earning at least 50% of its revenue from selling California resident personal information
Non-profits and companies that do not meet any of the above requirements are exempt.
What are the implications of the CCPA?
Using language similar to the GDPR, the law intends to protect California residents and applies to businesses both inside and outside the state. An online company that sells California resident information but is based in Ohio would be subject to the requirements.
Since the CCPA is incorporated under the California Civil Code, businesses will be subject to lawsuits for data security breaches that improperly disclose consumer information. Statutory damages can be $100-$750 per California resident and incident, actual damages (if they are greater), or any other relief that the court determines.
Moreover, any intentional violation can be fined up to $7,500, while unintentional violations can incur a fine of up to $2,500.
What are the categories of personal information?
The CCPA defines twelve categories of consumer information that businesses need to document and keep records of.
- Real name, alias, postal address, unique ID, IP address, email address, account name, social security number, passport number, or anything similar
- Anything considered personal information in Civil Code 1798.80
- Anything related to race, ethnicity, gender, or other protected class information as defined by California or federal law
- Commercial information such as property records, products or services, or purchasing histories/tendencies
- Biometric data
- Any information collected from the internet or network activity such as browsing history, search history, or website/application/advertisement interaction
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, or similar information
- Psychometric information
- Professional or employment information
- Inferences made based on any of the other 10 types of information
- Any of these categories of information collected for children or minors
What personal information must be provided upon request?
All businesses will be required to provide, upon consumer request, the types of personal information they collect.
As part of this, businesses collecting information from California residents will need to provide at minimum a toll-free telephone number and website where people can request their information. Then, companies must disclose and deliver the information within 45 days of the request.
What is the right to know about sold or disclosed personal information?
If a business sells consumer information or discloses it to a vendor, the consumer can request the categories of information involved. However, it doesn’t stop there. Companies need to provide third-party identities and contact information as well.
Then, the business needs to explain the business purpose for the disclosure/sale or explain that no business purpose exists.
How to comply with the right to know and disclosure requirements?
All businesses need to verify the consumer’s information request, which means linking the information the consumer provides to the personal information the business collected. Additionally, companies need to identify the category or categories of information collected for the preceding 12 months.
If the business sold or disclosed information about the consumer, they must also provide names and contact numbers for the third party and the categories of information sold or disclosed to the third parties for the preceding 12 months.
What is the right to say no to the sale of personal information?
Under what is also called the “right to opt out,” businesses that sell personal data must provide consumers the option of saying no. The business cannot sell that information unless otherwise directed.
How to comply with the right to opt out
The first step to compliance is a “clear and conspicuous link” on the homepage that says “Do Not Sell My Personal Information.” In other words, businesses need to literally, not figuratively, spell this out for consumers. Although the law indicates that businesses don’t need to have this link on their homepage, it also specifies that businesses choosing not to incorporate the link need to maintain a second website just for California residents.
On the page, businesses need to outline their privacy policies and California-specific descriptions of rights. Moreover, the “Do Not Sell” page must clearly link to a California-specific page detailing consumer privacy rights and opt-outs under the CCPA.
How ZenGRC Enables CCPA Compliance
CCPA compliance will require documentation collection, storage, and retrieval. Additionally, with more people interacting with vendors who interact with consumer data and employees monitoring consumer requests, CCPA compliance will require more communication between internal and external stakeholders.
With our workflow tagging, organizations can delegate tasks and follow progress to ensure appropriate completion. This is particularly crucial for the CCPA’s 45-day timeline: businesses can monitor consumer request fulfillment activities to maintain compliance.
Our task prioritization mechanism allows businesses to review workflows so that they can mitigate cyber risks as well as review controls within the organization necessary for maintaining opt-out and opt-in information.
Finally, ZenGRC acts as a single source of information so that all workforce members involved in CCPA compliance can access the same information and documentation to support audits.