California: January 2020 looms large as AG drafts rules for CCPA
By now, companies that do business in the state of California should have January 1, 2020 clearly marked on their calendars. That is the date on which the California Consumer Privacy Act (CCPA) comes into effect.
Following several years of huge data breaches at companies such as Equifax and Target, the new law, passed in 2018, requires businesses to disclose to California residents what personal information they hold about them, the purpose for which it was collected, and the third parties with whom it is shared.
CCPA significantly increases the transparency of the collection, processing and sale of personal data concerning California residents, and gives residents greater choice and control over what companies do with the personal information they collect.
This law, which was heavily influenced by Europe’s General Data Protection Regulation (GDPR), aims to not only give consumers greater control over the use of their data, but also to enforce consumers' rights by levying heavy fines upon firms that are found to be in violation of the new law.
The law will be enforced by the state’s attorney general, Xavier Becerra, who is empowered to seek civil penalties of up to $2,500 per violation, rising to $7,500 for each intentional violation. If every exposed record were counted as a separate violation, this could amount to substantial sums for a data breach such as the one that occurred at First American Financial Corp., which reportedly exposed some 885 million records dating back to 2003.
The show ain't over till the fat lady sings
Although the CCPA is due to come into effect on January 1, 2020, attorney general Becerra must first draft regulations in order to enforce the Act, and that could take some time. The law requires the AG to adopt the bulk of the CCPA's regulations by July 1, 2020, and bars him from bringing enforcement actions until six months after the final regulations are published or July 1, 2020, whichever comes first. The good news is that he is on track to have the rules drafted by then, according to the attorney general’s press office.
Beyond waiting for the attorney general to set the rules, no one can be certain that the CCPA will look on January 1 the way it does today. A number of bills have been introduced to alter, upgrade or downgrade the Act. Many of the proposed amendments were rejected, including a bill that would have expanded consumers' rights to bring a civil action for damages.
However, there are plenty of bills still before the legislature that could alter the CCPA. These include:
ASSEMBLY BILL 25 would exclude job applicants from the Act.
ASSEMBLY BILL 846 would provide that certain prohibitions in the CCPA do not apply to loyalty or rewards programs.
ASSEMBLY BILL 873 would exclude de-identified or aggregate consumer information from the definition of personal information.
ASSEMBLY BILL 874 would exclude publicly available information from the definition of “personal information,” defining “publicly available” as information that is lawfully made available from federal, state or local government records.
ASSEMBLY BILL 981 would remove a consumer’s right to have a business delete, or refrain from selling, personal information that the business needs to retain or share in order to complete an insurance transaction.
ASSEMBLY BILL 1130 would close a loophole in the state’s existing data breach notification law by requiring businesses to notify consumers when passport numbers or biometric information are compromised.
ASSEMBLY BILL 1146 would exempt from the right to opt out vehicle or ownership information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer, where the information is shared in order to carry out, or in anticipation of, a vehicle repair covered by a warranty or a recall.
ASSEMBLY BILL 1202 would require data brokers to register with the attorney general, defining a data broker as a business that collects and sells to third parties the personal information of consumers with whom it has no direct relationship. It would also require the attorney general to publish the information provided by data brokers on its website.
ASSEMBLY BILL 1355 would, like AB 873, exclude de-identified or aggregate consumer information from the definition of personal information.
ASSEMBLY BILL 1416 would create an exception to the CCPA for a business that provides a consumer’s personal information to a government agency solely for the purpose of carrying out a government program, if specified requirements are met.
ASSEMBLY BILL 1564 would require a business to provide a toll-free telephone number, or an email address and a physical mailing address, for submitting information access requests.
One bill absent from the list above is Senate Bill 561, introduced by State Senator Hannah-Beth Jackson, D-Santa Barbara, which would have expanded a consumer’s right to bring a civil action for damages.
The current version of the CCPA provides only a limited private right of action: an individual can file a lawsuit if a data breach has occurred at a company that is found not to have been using reasonable security measures designed to protect consumers' personal information.
This Bill was rejected, leaving members of the insurance industry breathing a huge sigh of relief.
However, the attorney general’s office noted that as of January 1, 2020, the CCPA grants consumers the right to request that a business disclose the categories and specific items of personal information it has collected about them, together with the categories of sources from which the information was collected, the business purposes for collecting or selling it, and the categories of third parties with whom it is shared.
The CCPA applies to all commercial organizations that do business in the state of California and collect consumers’ personal information, irrespective of whether they are physically located in the state, provided they meet at least one of the following criteria:
Exceed $25 million in annual gross revenue;
Buy, receive, sell or share, for commercial purposes, the personal information of 50,000 or more consumers, households or devices;
Derive 50% or more of their annual revenue from selling consumers’ personal information.
Companies can be assessed civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation. An often overlooked provision of the CCPA is the private right of action for data breaches: if a consumer's non-encrypted or non-redacted personal information (for example, first name or initial and last name combined with a data element such as an account number) is subject to unauthorized access and exfiltration, theft or disclosure because the company failed to implement and maintain reasonable security procedures, the consumer can recover statutory damages of between $100 and $750 per California resident per incident, or actual damages, whichever is greater. Note the two qualifiers: the provision applies only when the data was neither encrypted nor redacted, and only when the security in place was not reasonable. Encrypting or redacting those data elements where they are stored is the most direct way to fall outside the clause's own terms (provided the keys are not compromised along with the data), although it does not remove exposure to the attorney general's civil penalties.
“Personal Information”? - a reminder
The CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Examples of personal information include:
Social Security number;
Browser or search history;
Unique personal identifiers, such as cookies that embed a reference number for the user;
IP addresses, where the address can be linked to a particular consumer or household;
Biometric data, such as fingerprints or retina scans;
Psychometric data, such as information gathered from aptitude or personality tests;
Geolocation data, and inferences drawn from any of the above, for example profiling someone from precise location data collected without express permission, or tracking a user by IP address; and
Audio and visual data, such as recordings in audio or video files.
7 Steps to CCPA Compliance
If your company is one of the many that does business in California but has not yet begun its journey to CCPA compliance, there is no time like the present to get started. January 1, 2020 will be upon us before we know it. So here’s our list of the seven actions you will need to take:
Form a consumer privacy team: assemble a data privacy team and gather input from your IT, HR, marketing, customer support, finance and legal departments.
Start creating a data map: identify the types of personal data you collect, where each is stored, and the purpose for which it was collected, and check that consumers were told of that purpose at or before the point of collection. Pay special attention to the personal data of minors: the CCPA prohibits selling the personal information of consumers under 16 without their affirmative authorization, and for children under 13 that authorization must come from a parent or guardian.
Identify the data you disclose to third parties, determine whether each disclosure counts as a sale under the Act, and review the contracts you have with those parties.
Create a process for responding to consumers’ requests for access to, or deletion of, their personal data, including a method for verifying the identity of the requester before anything is disclosed, and for meeting the Act's 45-day response deadline.
Review and update your privacy notice. You will need to tell website visitors what data you collect, how it is processed, to whom it is disclosed, and what choices individuals have over their personal data, such as the right to access it or have it deleted. If you sell personal information, you must also provide a clear and conspicuous “Do Not Sell My Personal Information” link on your homepage.
Review and strengthen your data security measures. Because the breach provision turns on whether the exposed data was unencrypted or unredacted and whether your security was reasonable, inventory where the covered data elements (names combined with account numbers, Social Security numbers and the like) are stored, encrypt or redact them, restrict and log access to them, and mitigate any mishandling of personal data.
Provide data privacy training to all employees who handle personal data, and foster a culture of responsibility for protecting people’s personal information.
Next month, we will be publishing our e-book entitled The CCPA Effect - The Practical Implications of the California Consumer Privacy Act. This informative and easy-to-read guide can help steer you through the labyrinth of issues you will need to overcome on the journey to CCPA compliance.