On January 1, the California Consumer Privacy Act (CCPA) went into effect, creating new protections for the personal data of California residents and new requirements for the businesses that process it.
The CCPA is state-specific but applies to many businesses that may not consider themselves to be under the purview of California law. Here’s how to determine how the CCPA applies to your organization and take the proper steps toward compliance.
1. Determine who you are under the CCPA
You should first determine if and how the CCPA applies to your organization. Is your organization a covered business? If so, is it “selling” personal data? Are you classified as a service provider or a third party? What about your vendors? Might your organization fall into more than one of these categories?
Your organization is covered if it is a for-profit entity that does business in California, collects the personal information of California residents, determines the purposes and means of processing that information, and at least one of the following applies:
- Has annual gross revenues in excess of $25 million.
- Annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices.
- Derives 50% or more of its annual revenues from selling consumers’ personal information.
Note that under the CCPA, the term “sell” is defined broadly to include many actions that your business may not have regarded as sales. For example, placing a third-party cookie on your website to enable advertising could fall within scope, as could allowing vendors to analyze data for their own purposes. The CCPA definition of personal information is equally broad and includes cookies, device identifiers, pixel tags, customer numbers, information linked to a household and more.
2. Update your vendor contracts
Updating vendor or customer contracts is critical to compliance and to limiting liability. In fact, for a vendor to be classified as a service provider under the law, a contract must be in place. To avoid the requirements associated with the “sale” of personal information, the stated expectation in contracts and other communication with vendors going forward may become that vendors have not “sold” and will not “sell” personal information.
This article guides you through the nuances of determining whether your organization or vendors are classified as service providers or third parties.
3. Update your privacy policies and disclosures
Covered businesses need to update privacy policies and other relevant disclosures to ensure consumers are provided the information required by the CCPA at the appropriate time. Note that the categories of personal information to be collected, and the purposes for which those categories will be used, must be disclosed to the consumer at or before the point of collection.
Regarding privacy policies, businesses must disclose the following:
- Descriptions of the rights to access and delete personal data, and how to obtain information about disclosures, opt-out of sales and not be discriminated against.
- Methods for submitting requests for information, including a toll-free telephone number and a website address.
- Categories of personal information collected in the past 12 months.
- Categories of personal information sold or disclosed for a business purpose in the past 12 months or a statement that personal information is not sold or disclosed for a business purpose.
- If personal information is sold, a link to the separate “Do Not Sell My Personal Information” webpage, which enables consumers to opt out of the sale of their personal information.
4. Enable consumer requests, engagement and opt-out of data sales
Businesses need to create, or confirm the availability of, processes that enable consumer requests. An important consideration at the outset is whether to adopt a global approach to consumer access requests or to segment individuals depending on their location and the legal requirements that apply there.
Immediate areas to enable include:
- Access to and deletion of personal data.
- Opt-out of sales of personal information.
- Opt-in to sales of personal information. Organizations selling personal information must create processes to obtain opt-in consent from consumers between 13 and 16 years old, and parental opt-in consent for those under 13.
5. Implement employee training
The CCPA requires that all individuals responsible for handling consumer inquiries about the business’s privacy practices or compliance with the law are informed of its requirements and how to direct consumers to exercise their rights.
Key areas to target are the law’s overall requirements, the handling of access and deletion requests, verification processes, and reasonable security practices (given both the risk of harm caused by data breaches and the private right of action the CCPA attaches to them).
With only 4% of firms considering themselves fully CCPA compliant as of November 2019, there is a lot of work to be done in the next few months. Make sure you and your organization are ready, because July enforcement is just around the corner.
Caitlin Fennessy is Research Director at the International Association of Privacy Professionals (IAPP), where she helps to promote the privacy profession through empirical and qualitative research on privacy functions globally. Prior to joining the IAPP, Fennessy was the Privacy Shield Director at the US International Trade Administration. She has a master’s degree in public affairs from Princeton University and a bachelor’s degree in social policy from Northwestern University.