ZenGage, the new Slack community for information security and GRC professionals, recently hosted CCPA expert Dr. Maxine Henry, in its first #AMA (Ask Me Anything) live Slack chat series.
The nation’s most stringent data protection law (so far), the California Consumer Privacy Act of 2018 takes effect Jan. 1, 2020— and it’s generating a lot of buzz. Businesses from coast to coast are girding themselves for sweeping changes in how they collect, share, and protect California residents’ personal information. With the deadline for compliance right around the corner, GRC professionals have a lot of work to do.
In this candid discussion, Dr. Henry answers a broad range of questions, starting with the rights that the CCPA grants to California residents, including
- The right to have their personal data deleted
- The right to be informed when their data is collected
- The right to know the categories of third parties receiving their data
- The right to “opt out” of having their data sold or shared
Dr. Henry also discusses some of the most demanding provisions of the law.
- Subject Access Requests are expected to “flood” businesses in 2020. Is your business ready to handle them?
- “Do Not Sell” buttons will be required on the home page of every business that meets the CCPA compliance thresholds. Does your website need one?
- An audit trail of your compliance efforts will be critical to avoiding heavy fines and penalties if your organization gets breached. Dr. Henry’s advice: “Document, document, document.”
Other topics explored during the #AMA included:
- 10 things you can do now to prepare for the CCPA
- The minimum actions businesses must take to comply
- 13 California bills that could change the law this year
- Which other states are putting in place privacy protection laws
- The biggest CCPA compliance challenges, and how to handle them
Read a summary of the questions and answers below this post.
Q: What is CCPA?
A: CCPA, also known as “GDPR 2.0,” is California’s new data privacy law. It differs from GDPR in a lot of ways, but it does have many of the same privacy rights as GDPR, including
- The right to have your data deleted
- The right to be informed about what data will be collected
- The right to know which categories of third parties are getting your data
- The right to be informed when those categories change
To comply with the CCPA, businesses will need to be a lot more transparent about how they collect, use, and disclose personal information. The CCPA requires organizations to tell Californians when they are selling their personal information, and says they must allow those consumers to opt in or opt out of those sales.
The law also contains:
- New consumer rights to access and delete personal data
- New penalties and statutory damages in the case of a data breach
- Added enforcement powers for the state’s attorney general
All “in-scope” businesses will need to fine-tune how they manage data, expand their processes and programs dealing with customer and employee rights, and update their privacy policies before Jan. 1, 2020, when the law takes effect.
Q: What will the companies have to do to comply?
A: To comply with CCPA, businesses must:
- Implement processes and procedures to authenticate and respond to consumer requests regarding their data
- Offer at least two ways for consumers to make those requests, including a toll-free phone number and, if the business has a website, a web address
- Update disclosures in their online privacy policies at least once a year
- Train employees or contractors in the consumer rights available under the CCPA and how to help them under the law
- Include CCPA-specified language in their contracts with service providers
Q: What sets CCPA apart from any other privacy law?
A: The implications of this legislation are huge. For the first time, the CCPA gives people ownership of their data. The law goes far beyond the standard breach notification and security requirements. It applies to B2C and B2B companies worldwide that have locations, customers, or employees in California.
Q: What are the potential penalties for violations of the CCPA?
A: The fines and penalties are:
- $7,500 per intentional violation–meaning that, if 1,000 records were breached because of intentional noncompliance with the CCPA, the offending company could face a fine of $7.5 million
- $2,500 per unintentional violation if, after being notified of noncompliance, the business doesn’t resolve the issue within 30 days
The CCPA also provides a “private right of action” to California residents when their personal information gets breached because a business wasn’t in compliance with the law. Businesses could face fines of $100 to $750 per resident or incident–even if the plaintiff can’t show evidence that they were harmed by the breach.
Highlights of the CCPA’s “private right of action” include:
- It allows statutory damages for data security breaches.
- It defines “security breach” as “unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.”
- It narrows its definition of “personal information” in this context to Social Security numbers, credit card/account numbers, and medical information.
This year, the California Legislature considered a “Private Right of Action” bill that would have extended a consumer’s right to sue. That bill stalled in committee after heavy lobbying by interest groups, but I expect it will be re-introduced next year.
Q: It’s been said that CCPA was hastily put together and that it is still a “work in progress…” Do you agree?
A: Well, I am not going to say, “hastily,” but the CCPA was pushed through. There was a bill submitted that was almost 90% word-for-word like GDPR. To get the bill through, several sections were removed, so what passed seemed a bit choppy and incomplete. There are about 13 or so bills planned to fix some of the inconsistencies in the current bill. We expect to see these completed by September.
Q: Is there a good way to track those 13 bills and their status?
A: I have a pulse on the laws, because I was part of the Rule Making Sessions held early in the year. We can post updates as changes come down from the committees. They are all over the place, and some of the bills have been moved forward, while others are stalled. Here are a few updates on the bills:
- Employee Exemption Advanced, But Narrowed: AB 25, as originally drafted, excluded employees and job applicants from the definition of “consumer,” which would have essentially removed employee data from the CCPA compliance requirements. In response to pushback from employee rights advocates, the Judiciary Committee narrowed the amendment to exempt employers from only certain obligations under the CCPA. Under the current draft, employers will still be subject to private actions by employees in the event of a data breach and will still need to provide a privacy notice to employees, but will not have to honor employee opt-out and deletion requests. However, the employee exemption is set to expire on January 1, 2021, and at that time businesses will again have to fully comply with the CCPA’s requirements with respect to employee data.
- Disclosure Methods Amendment Eases Burden for Online-Only Businesses: AB 1564 seeks to modify the CCPA’s current requirement that all businesses provide, at a minimum, two methods for consumers to submit access and deletion requests (toll-free number and website address). Past versions of AB 1564 completely removed the requirement of implementing a toll-free number, but the Judiciary Committee advanced a version of the bill that only exempts online-only businesses from the toll-free number requirement.
- Loyalty Program Amendment Modified to Exclude the Sale of Personal Information: AB 846 clarifies that the CCPA’s anti-discrimination provision does not prohibit a business from running a loyalty or rewards program. The original substance of the amendment remains largely intact, and the bill advanced by the Judiciary Committee now includes a prohibition against the “selling” of information collected in connection with a loyalty or rewards program. If passed in its current form, AB 846 could have a significant impact on loyalty and rewards programs given the CCPA’s sweeping definition of “sale.”
- Judiciary Committee Tables Amendment Easing Definitions of “De-identified” and “Personal Information”: AB 873 would: (1) expand the definition of “de-identified” to include any information that “does not identify and is not reasonably linkable” to a consumer; and (2) narrow the definition of “personal information” to include only information “reasonably” capable of being associated with a consumer or household. AB 873 failed in the Judiciary Committee, but is being held for reconsideration, meaning that passage is still possible (albeit unlikely) before the legislature’s term ends on September 13.
The bills that were advanced by the Judiciary Committee will now move to the Appropriations Committee and, if passed, will go to the full Senate for a vote. The whole bill process is very complex and involves several committees, hearings, and motions. I sat in on a couple of these and my head was spinning.
Q: Do you have advice on how companies can remain compliant with existing rules but be prepared for an evolving data privacy regulatory landscape?
A: I think you need a roadmap. You have to take an assessment of whether you are in scope (meet the $25 million threshold) or not. Understand why you are collecting the data; the more you collect, the more you will need to do to be compliant. If you take an assessment of what you have and why you are collecting it, then you can start to look at what it will take to be compliant.
Q: Is there an easy list of what additional things companies have to do for CCPA if they already meet GDPR compliance?
A: If you have done the work for GDPR, you should go back and identify your data for California residents. Tag and classify it. Be prepared to answer requests if you are asked. Document, document, document! Make sure you set up a compliance program for CCPA, including assessments, data identification, addressing security controls, and incident management.
Q: How are companies who do not sell/share data expected to comply with CCPA? I imagine that if they do not “sell/share” data, then things like a “Do Not Sell” link would not be required.
A: You will still have to provide the “Do Not Sell” button on your website. The definition of sell/share data is a little tricky, because if you share the data with any other company, then it is considered sharing. If you do not sell/share data, you are still expected to comply with the law, as employees and customers may make requests regarding the type of data you have.
Q: Given the way everything is coming together/evolving, will there be an extended grace period for some of the enforcement? Is that being discussed?
A: I asked that question at the last committee meeting and we were told “no.” The enforcement period will begin July 1, 2020.
Here are some dates to keep in mind:
- January 1, 2020 – Effective date
- July 1, 2020 – Enforcement by the Attorney General
- January 1, 2019 – Look-back period
Q: What are the biggest issues for companies trying to come into compliance with CCPA? Meaning, where do you see companies struggling the most?
A: It’s across all areas. Several companies did not need to comply with GDPR, so they did nothing. The ones that did are trying to segregate California residents’ information from the rest of their data.
Second, the whole SAR (Subject Access Request) seems to be a big problem. I have an automated solution for that, but you need to do the data mapping, classification and tagging before you can automate the SAR process. Documentation seems to be elusive for some companies. Have you updated all your policies and procedures, website, notifications? Do you have a compliance-based tool like ZenGRC to manage your GRC activities?
A lot of companies don’t. They are trying to manage this process via spreadsheets, which is very difficult. Also, you will need a consent management tool to handle that portion of the law. Then, at the end of the day, you have to show that you did everything humanly possible to comply with the law. If you have a breach, your documentation is the first place they are going to look. It makes a difference, because if you do nothing the fines and penalties are more.
Q: How do you see CCPA influencing other state-level regulations on data privacy?
A: Right now there are about 16 privacy bills pending in different states. A federal committee has also assembled to look at developing a federal privacy law. Talks are still going on, but it’s slow going. Several states that had some type of privacy law have either updated and expanded them or are completely rewriting them.
Q: What implications will multiple state-level privacy regulations have?
A: The implications are major: It means it’s time to get your house in order. Manage your compliance program in a tool like ZenGRC so you can have traceability to your actions and artifacts, and be prepared to serve up SARs. I am sure these are going to be a big part of everyone’s pain come January 1. “I want to know what data you have on me.” If you can’t answer that question for your customers, employees, and contractors, you are going to get in trouble. This is one of the problem areas I see, and one that will spark fines and penalties.
Q: Would you consider CCPA as the gold standard / template that other states are building from?
A: Most definitely. Other states are looking at California to determine what they should focus on next, and what changes they need to make for their data privacy laws.
Q: Does CCPA apply to non-profits?
A: No. The CCPA defines “business” as a for-profit entity that collects consumer personal data and meets at least one of the following thresholds:
- Annual gross revenue over $25 million;
- Annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices for commercial purposes; and
- Derives 50% or more of its annual revenue from selling consumer personal information.
It is important to note that the CCPA applies to all businesses, headquartered inside or outside California, that collect personal data of California residents. The CCPA does not apply to non-profits or California state and local governments.
Q: What is a “verifiable consumer request” and how does a business respond to one?
A: It is a verified request from a California consumer for their information. If you receive a request from a California consumer, you (the business) must take the necessary steps to verify that the person is who they say they are. You can send a request to the consumer for more information or you can set up automated verification through a SAR system.
How a business responds will depend on what tools and process they have in place. If your business receives the request in writing, you should ask the consumer to verify certain information. This information should match your records. If you use an automated process, you can establish the parameters in your system as to the verifiable attributes you will accept. Once you have these, then you should provide the data that is requested and delete or change the information per the consumer request. Whatever process you use, make sure you document your decisions, processes, and all requests. If you are ever breached or audited, the attorney general will want to see these records.
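As an added illustration of the verification-then-respond flow described in this answer (example code written for this summary, not part of the AMA and not Dr. Henry’s or ZenGRC’s code), the sketch below handles an access or deletion request against a constructed in-memory record set. The record layout, the attribute names `email`, `postal_code` and `phone_last4`, and the rule that two of three attributes must match are assumptions chosen for the example; a real deployment would pull records from its data inventory and set its own verification parameters. Three points a practitioner would want are built in: no data is disclosed or deleted until the requester is verified, an unverified request gets the same answer whether the e-mail is unknown or the evidence is wrong (so the request channel cannot be used to confirm who is a customer), and every request lands in an audit log that records what was checked and the outcome, but never the raw attribute values.

```python
import hashlib
import hmac
import uuid
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not real consumers): what a business might hold,
# keyed by an internal consumer id. Hypothetical schema for this example.
RECORDS: Dict[str, dict] = {
    "c-1001": {"email": "alice@example.com", "postal_code": "94103", "phone_last4": "4821",
               "categories": ["identifiers", "commercial information", "geolocation data"]},
    "c-1002": {"email": "bob@example.com", "postal_code": "90001", "phone_last4": "1177",
               "categories": ["identifiers", "professional or employment information"]},
}

# Verification parameters (assumed for the example): which attributes count as
# evidence and how many of them must match the business's own records.
VERIFY_ATTRS = ("email", "postal_code", "phone_last4")
REQUIRED_MATCHES = 2

# Audit trail of every request, fulfilled or not. Kept in memory here; a real
# system would write this to append-only storage.
AUDIT_LOG: List[dict] = []

DENIED_DETAIL = "Could not verify identity; no data disclosed or changed."


def _digest(value: str) -> bytes:
    # Normalise then hash so that the comparison below is constant-time over a
    # fixed 32-byte digest and raw values never reach the audit log.
    return hashlib.sha256(value.strip().lower().encode("utf-8")).digest()


def _lookup(email: str) -> Tuple[Optional[str], Optional[dict]]:
    # Linear scan is fine for a toy store; the point is the constant-time compare.
    for cid, rec in RECORDS.items():
        if hmac.compare_digest(_digest(rec["email"]), _digest(email)):
            return cid, rec
    return None, None


def verify_request(claims: dict) -> Tuple[bool, Optional[str], int]:
    """Return (verified, consumer_id, number_of_matching_attributes)."""
    cid, rec = _lookup(str(claims.get("email", "")))
    if rec is None:
        return False, None, 0
    matches = sum(
        1 for attr in VERIFY_ATTRS
        if attr in claims and hmac.compare_digest(_digest(rec[attr]), _digest(str(claims[attr])))
    )
    return matches >= REQUIRED_MATCHES, cid, matches


def handle_request(claims: dict, action: str) -> dict:
    """Process a consumer request; action is 'access' or 'delete'.

    Returns the response the business would send back to the requester.
    """
    if action not in ("access", "delete"):
        raise ValueError("action must be 'access' or 'delete'")
    request_id = str(uuid.uuid4())
    verified, cid, matches = verify_request(claims)
    entry = {
        "request_id": request_id,
        "received_at": datetime.now(timezone.utc).isoformat(),
        "action": action,
        # Record which attributes were offered, never their values.
        "attributes_checked": sorted(a for a in VERIFY_ATTRS if a in claims),
        "matches": matches,
    }
    if not verified:
        # Identical response for "unknown e-mail" and "wrong evidence".
        entry["outcome"] = "denied"
        AUDIT_LOG.append(entry)
        return {"request_id": request_id, "status": "denied", "detail": DENIED_DETAIL}

    if action == "access":
        response = {"status": "fulfilled", "categories": list(RECORDS[cid]["categories"])}
    else:
        RECORDS.pop(cid)
        response = {"status": "fulfilled", "deleted": True}
    entry["outcome"] = "fulfilled"
    entry["consumer_id"] = cid
    AUDIT_LOG.append(entry)
    return {"request_id": request_id, **response}


if __name__ == "__main__":
    print(handle_request({"email": "alice@example.com", "postal_code": "94103"}, "access"))
    print(handle_request({"email": "alice@example.com", "postal_code": "00000"}, "access"))
    print(handle_request({"email": "nobody@example.com", "postal_code": "94103"}, "access"))
    for e in AUDIT_LOG:
        print(e)
```

Hashing each attribute before `hmac.compare_digest` is what keeps the comparison constant-time regardless of input length; the same normalisation (trim, lower-case) must be applied on both sides or legitimate requests will fail. Deletion here is a hard `pop`; a real system would also propagate the request to service providers under the contract language the CCPA requires and record that step in the same log.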
Q: 10 things you can do to prepare for CCPA:
A: Understand what “personal information” is in California
- Real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, social security number, driver’s license number, passport number or other similar identifiers
- Subdivision (e) of Section 1798.80 further states:
- Protected classification under California or federal law
- Commercial information
- Biometric information
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, etc.
- Professional or employment information
- Education information
- Inferences drawn from any information identified in the subdivision that could create a profile about a consumer… consumer preference, psychological trends, predispositions, behavior, attitudes, intelligence information, abilities and aptitudes
- Keep track of all documentation related to governance, risk and compliance of CCPA in a tool.
- Keep all SAR requests in one place. CCPA-impacted companies can expect a flood of data subject requests in 2020.
- Have a ‘do not sell’ button. This is required by CCPA and it’s an obligation even GDPR-impacted companies haven’t faced before. All companies impacted by CCPA must place a “clear and conspicuous” link or button titled “Do Not Sell My Personal Information” on their online homepage.
- The ‘sale’ of data is complicated. Companies may not swap data for cash, but under CCPA the definition of sale is very broad. It includes the “transfer of any personal information for a California resident for which there is valuable consideration” even if no money is exchanged.
- Think strategically about your organization, data, customers, vendors, data processors and systems.
- Appoint at least one leader/task force to lead the privacy program. Establish your audit programs in ZenGRC.
- Inventory your data assets and flows. Consider using a data inventory template form.
- Conduct a risk assessment/gap analysis in ZenGRC by benchmarking practices identified in Phase 2 with the applicable legal requirements. Conduct a data impact assessment in ZenGRC for high-risk processing (e.g., data flows associated with children, medical, financial, or location data). Develop a remediation plan based on risks identified in Phases 3 and 4. Update and implement the appropriate policies and procedures to govern data practices, including internal/external governance policies, procedures, and external-facing policies (e.g., website, mobile app), vendor management policies, and employee training. Map artifacts to controls in ZenGRC.
- Use ZenGRC to maintain auditable records and demonstrate compliance.