{"id":603,"date":"2019-02-25T09:21:18","date_gmt":"2019-02-25T15:21:18","guid":{"rendered":"http:\/\/ericlambert.net\/blog\/?p=603"},"modified":"2019-02-25T09:21:18","modified_gmt":"2019-02-25T15:21:18","slug":"the-california-consumer-privacy-act-why-and-how-to-start-preparing-now","status":"publish","type":"post","link":"https:\/\/ericlambert.net\/blog\/2019\/02\/25\/the-california-consumer-privacy-act-why-and-how-to-start-preparing-now\/","title":{"rendered":"The California Consumer Privacy Act: Why (and How) to Start Preparing Now"},"content":{"rendered":"

By now most companies have heard about the California Consumer Privacy Act (\u201cCCPA<\/strong>\u201d).\u00a0 Privacy as an inalienable right has been enshrined in the California Constitution since 1972, and California has developed a reputation as being at the forefront of state privacy legislation. California is also known for grassroots-driven legislation through the ballot initiative process known as \u201cPropositions.\u201d The Cambridge Analytica scandal led to a combination of the two – a proposed data privacy law with extremely burdensome obligations and draconian penalties garnered enough signatures to appear on the ballot in November 2018. \u00a0To prevent this from happening, the California legislature partnered with California business and interest groups to introduce and pass the California Consumer Privacy Act. It went from introduction to being signed into law by the governor of California <\/span>in a matter of days<\/span><\/span> in June of 2018, resulting in withdrawal of the ballot initiative. No major privacy legislation had ever been enacted as quickly. The law will become effective as early as January 1, 2020 – the effective date is six (6) months after the California Attorney General releases implementing and clarifying regulations which are expected sometime in 2019. Given the speed at which it was enacted, CCPA has numerous drafting errors and inconsistent provisions which will need to be corrected. In addition, as of the date of this article, the implementing regulations are not yet released.\u00a0<\/span><\/p>\n

Other states have introduced statutes similar to CCPA, and there is some discussion in Congress about a superseding national data privacy law. Because of this, companies may want to look at CCPA compliance from a nationwide, and not California, perspective. For companies hoping that CCPA will be scaled back or repealed, that\u2019s not likely to happen. \u00a0The clock is ticking for businesses to develop and implement a compliance plan.<\/strong><\/span> <\/span>When determining what compliance approach to take, consider the wisdom of the \u201cHerd on the African Savanna\u201d approach to compliance \u2013 <\/span>the safest place to be in a herd on the African savanna is right in the center<\/span><\/i>.<\/b> It\u2019s almost always the ones on the <\/span>outside<\/span><\/span> which get picked off, not the ones in the center. The ones more likely to be \u201cpicked off\u201d through an investigation or lawsuit are the ones at the <\/span>front of the herd<\/span><\/span> (e.g., those who desire to be viewed as a leader in compliance) and the ones at the back of the herd<\/span> (e.g., those who start working on compliance too late or don’t make serious efforts to be in compliance). For many companies, being in the center of the herd<\/span>\u00a0is the optimal initial position from a compliance perspective. Once additional compliance guidance is released, e.g., through clarifying regulations, press releases, or other guidance from the state Attorney General, companies can adjust their compliance efforts appropriately.<\/span><\/p>\n

In this article, I\u2019ll talk through steps that companies may want to consider as a roadmap towards CCPA compliance.\u00a0<\/span>(This is a good place to note that <\/span>the information in this article does not constitute legal advice<\/b><\/span> and is provided for informational purposes only. I summarize and simplify some of CCPA provisions for ease of discussion; you should look at the specific language of the statute to determine if a provision applies in your case. Consult your own internal or external privacy counsel to discuss the specifics of CCPA compliance for your own business.)<\/span><\/p>\n

 <\/p>\n

A Quick CCPA Refresher<\/b><\/h1>\n

The first problem with the \u201cCalifornia Consumer Privacy Act\u201d is its name. It applies to personal information collected about any California resident (not just consumers)<\/u> in either a business-to-consumer (“B2C”) or business-to-business (“B2B”) context. <\/span>It applies to almost every business entity that collects personal information about California residents, their affiliates, their service providers, and other third parties with which personal information is shared or disclosed. The use of “service provider” and “third party” are somewhat similar under the CCPA – both are businesses to which a company discloses a person’s confidential information for a business purpose pursuant to a written contract. The difference between the two is whether the information is being processed on behalf of the disclosing company<\/u>. For example, SalesForce would be a service provider – it is processing personal information on behalf of your company. However, if the company with whom you share personal information processes it for its own benefit, not yours, it’s a “third party” under the CCPA.<\/span><\/p>\n

\u201cPersonal Information\u201d is defined extremely broadly under CCPA, in some ways even more broadly than under the EU’s General Data Protection Regulation (“GDPR”). \u00a0It is information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular <\/span>person or household<\/span><\/span>. It includes but is not limited to IP address, geolocation data, commercial information, professional and employment-related information, network activity, biometric information, audio\/video, and behavioral analytics about a person. \u00a0CCPA covers businesses which \u201ccollect\u201d a California resident\u2019s personal information, defined as actively or passively obtaining, gathering, accessing or otherwise receiving personal information from a person, or by observing the person\u2019s behavior. It also covers \u201cselling\u201d personal information, which is another bad choice of a defined term – \u201cselling\u201d personal information under the CCPA includes selling, renting, sharing, disclosing, or otherwise communicating (by any means) personal information to another business or third party for monetary or other valuable consideration, with some significant exceptions.<\/span><\/p>\n

CCPA creates five (5) rights for California residents:<\/span><\/p>\n

    \n
  • The <\/span>Right to Know<\/b> \u2013 California residents have a general right to know the categories and purposes of personal information collected, sold, or otherwise disclosed about them.
    \n<\/span><\/li>\n
  • The <\/span>Right to Access and Portability <\/b>\u2013 California residents have a specific right to know how, why and what personal information about them is being collected, sold or disclosed, and if information is provided electronically, to receive it in a portable format.<\/span><\/span><\/li>\n
  • The <\/span>Right to Deletion<\/b> \u2013 California residents have a right to request the deletion of personal information about them collected by a business, with some exceptions.<\/span><\/span><\/li>\n
  • The <\/span>Right to Opt Out <\/b>\u2013 California residents have a right to say \u201cno\u201d to a company\u2019s sale, sharing or transfer of their personal information with third parties.<\/span><\/span><\/li>\n
  • The <\/span>Right to Equal Service & Pricing<\/b> \u2013 California residents have a right to equal service and pricing whether or not they choose to exercise their CCPA rights.<\/span><\/li>\n<\/ul>\n

    <\/h1>\n

    Creating and Implementing a CCPA Compliance Plan<\/b><\/h1>\n

    For companies that have not already gone through a GDPR compliance effort, CCPA compliance can seem daunting.\u00a0However, creating a solid compliance plan and getting started now maximizes the chance your company will be in good shape for CCPA once it becomes effective.\u00a0Here are some things to consider as you create and implement a CCPA compliance plan for your business. (Please note that if your company has already gone through a GDPR compliance effort, some of these may already be fully or mostly in place.)<\/p>\n

    1. Identify CCPA Champions within your business<\/b><\/h2>\n

    An important initial step towards CCPA compliance is to identify the person(s) within your company that will lead the CCPA compliance effort. CCPA compliance will require a cross-departmental team. This often includes <\/span>Legal <\/b>(to advise on and help to interpret the statutory and regulatory requirements and to monitor for new developments both on CCPA and similar federal and state legislation, and to create a compliance plan for the business if the company does not have a data governance team); <\/span>Development <\/b>and <\/span>Information Technology <\/b>(to implement the necessary technical and operational systems, processes, and policies which enable CCPA compliance); <\/span>Sales leadership<\/b>\u00a0(for visibility into CCPA compliance efforts and to help manage inbound requests for CCPA compliance addenda); <\/span>Customer Support<\/b> (as CCPA requires customer support personnel be trained on certain aspects of CCPA compliance); <\/span>Security <\/b>(if your company has a Chief Information Security Officer or other information security person or team); <\/span>Data Governance <\/b>(if your company has a data governance person or team); and an <\/span>executive sponsor<\/b> (to support the CCPA compliance efforts within the C-Suite). Depending on your company, there may be other involved groups\/parties as well.<\/span><\/p>\n

    2. Determine <\/b>how<\/b><\/span> CCPA applies to your business<\/b><\/h2>\n

    A key early step in CCPA compliance is determining <\/span>how<\/span><\/span> CCPA applies to your business. \u00a0There are different compliance requirements for <\/span>companies that collect personal information<\/span><\/em>, <\/span>companies that process personal information as a service provider<\/span><\/em> for other companies, and <\/span>companies that \u201csell\u201d personal information or disclose it for a business purpose<\/span><\/em>. \u00a0<\/span><\/p>\n

      \n
    • Does your business collect information directly from California residents, e.g., through online web forms, through customer support contacts, from employees who are California residents, through creation of an account, etc.? \u00a0<\/span>If so<\/strong>, it must comply with <\/span>CCPA requirements for companies that collect personal information<\/span><\/span> (a \u201cdata controller\u201d in GDPR parlance).<\/span><\/span><\/li>\n
    • Does your business receive and process personal information on behalf of customers or other third parties? \u00a0If so<\/strong>, it must comply with <\/span>CCPA requirements for companies acting as a service provider<\/span><\/span> (a \u201cdata processor\u201d in GDPR parlance.) If you are a service provider, you must ensure your service offerings enable customers to comply with their own obligations under CCPA<\/span>.\u00a0 If not, expect a lot of requests for assistance from your customers, which could result in significant manual effort.<\/span><\/span><\/li>\n
    • Does your business (a) \u201csell\u201d personal information to affiliates, service providers or third parties (other than for the excluded purposes under CCPA), and\/or (b) disclose or otherwise share personal information with an affiliate, service provider or third party for operational or other notified purposes? \u00a0If so<\/strong>, it must comply with <\/span>CCPA requirements for companies that \u201csell\u201d personal information or disclose it for a business purpose<\/span><\/span>. It’s important to note that under Section 1798.40(t)(2) of the CCPA, there are certain exceptions that when satisfied\u00a0mean a company is not “selling” personal information under the CCPA.<\/em> For example, a business does not “sell” personal information if a person uses that business’s software or online system, or gives consent for a business, to disclose their personal information to a third party, as long as that third party is also obligated not to “sell” the personal information. As another example, a business does not “sell” personal information when it shares it with a service provider, as long as certain conditions are met.<\/span><\/li>\n<\/ul>\n

      3. Inventory your data assets, data elements and data processes<\/b><\/h2>\n

      One of the most important steps in CCPA compliance, and data privacy compliance in general, is to conduct a data inventory. \u00a0For CCPA purposes, consider inventorying your <\/span>data assets<\/b> (programs, SaaS solutions, systems, and service providers in which data elements are stored for use in data processes), <\/span>data elements<\/b> (elements of personal and other information stored in data assets), and <\/span>data processes<\/b> (business processes for which data elements are stored and processed in data assets). \u00a0This inventory should also collect information on service providers and other third parties with whom data elements are shared or disclosed by your business, and the purposes for which information is shared or disclosed. \u00a0<\/span>Companies should try to complete this inventory as quickly as possible<\/span><\/span>. \u00a0The CCPA compliance team should work to create a list of internal individuals who should complete this inventory; once all responses are received, the compliance team should consolidate the responses into a master table.<\/span><\/p>\n

      The data inventory is a snapshot in time. \u00a0It\u2019s also important to refresh the data inventory on a regular basis, e.g., quarterly, to capture changes to data collection and usage over time.<\/span><\/p>\n

      4. Cease any unnecessary collection and\/or storage of personal information (\u201cdata minimization\u201d)<\/b><\/h2>\n

      Once the data asset\/element\/process inventory is created, businesses should be encouraged to use the opportunity to conduct a \u201cdata minimization\u201d exercise. \u00a0One of the central principles of data privacy is <\/span>data minimization – limiting the collection and storage of personal information to only what is directly necessary and relevant to accomplish a specified business purpose<\/span><\/span>. \u00a0The CCPA compliance team should consider both (a) identifying data elements without an associated data process, which I call \u201c<\/span>orphaned data elements<\/span><\/i>,\u201d and purging and ceasing the further collection of stored orphaned data elements; and (b) identifying data collection which is not associated with an associated business purpose, which I call \u201c<\/span>orphaned data transfers<\/span><\/i>,\u201d and cease any further orphaned data transfers and terminate the associated contracts. \u00a0Also consider validating that record retention policies are being followed so that data is promptly irretrievably deleted once it is no longer needed for a business purpose.<\/span><\/p>\n

      5. Implement a compliance plan for the 5 CCPA privacy rights<\/b><\/h2>\n

      The heart of a CCPA compliance plan is implementing compliance with the 5 privacy rights created by the CCPA. \u00a0A solidly-constructed plan should cover compliance requirements where the business acts as a data collector, a service provider, or a company selling or otherwise disclosing personal information.<\/span><\/p>\n

      a. The Right to Know<\/b><\/h2>\n

      One of CCPA’s core requirements is to publicly provide the necessary disclosure of the CCPA privacy rights, including the specific methods by which a person can submit requests to exercise those rights. \u00a0Many companies will likely add this to their privacy policy, as well as any California-specific disclosures already made by the business. Don\u2019t forget this disclosure needs to be added not only to websites, but to mobile apps. \u00a0The disclosures must include a list of the categories of personal information collected, sold or disclosed for business purposes during the previous 12 months, as well as a list of the business purposes for which the categories are used. If this information is collected as part of the data inventory, it can greatly simplify the process of creating this disclosure.\u00a0 The implementation plan should include a process for updating these disclosures as needed to reflect a rolling 12-month period.<\/span><\/p>\n

      b. The Right to Access and Portability<\/b><\/h2>\n

      Another key requirement is the implementation of a process to respond to verifiable requests from data subjects for the following information covering the 12-month period preceding the request date.\u00a0 Companies will need to provide information including:<\/span><\/p>\n