Going through our series of blog posts, hopefully you now have a better idea of what the California Consumer Privacy Act of 2018 (CCPA) is and, most likely, have had a chance to determine whether it applies to your organization.
As you will have noticed, the CCPA is particularly expansive and, not unlike what the General Data Protection Regulation (GDPR) does within and outside of the European Union; the CCPA will affect (and somehow already does) organizations both in California and beyond its borders.
Across the globe, companies processing California’s residents’ personal information will need to implement and maintain appropriate measures to comply with the CCPA requirements and its implementing regulations.
To ensure compliance, your organization, should amongst its first steps:
An easy first step in assessing the impact of the CCPA on your organization is by starting at the very beginning with questions like:
There is a good chance you already have some data mapping experience through your GDPR compliance process, but you can’t completely rely on your GDPR exercise to understand your risks and risk mitigation strategies. We’ve discussed the differences between the GDPR and the CCPA, in a previous blog post. Notably, the CCPA’s definition of personal information (and the categories of personal information) is a bit broader than the GDPR’s definition of personal data. For example, browsing history and search history also constitute personal information, along with information related to devices and a “household.” Additionally, you must distinguish between the sale of personal information and the disclosure of personal information for a business purpose. Your new CCPA readiness data map must account for these differences and meet the CCPA’s “look back” requirements (which requires a record of personal information collected before January 1, 2020). It is often recommended that the data mapping exercise be integrated into your organization’s privacy by design philosophy to ensure it is always up to date.
While data mapping exercises can often be time-consuming at first, they are essential to your organization’s ability to respond to any data access, portability, and deletion requests and ensure compliance with the CCPA.
Update Employee Policies
It is not entirely clear if the CCPA applies to employee data collected by employers in the course of employment of the individual. The CCPA is meant to apply to consumers. However, the definition of consumer includes “a natural person who is a California resident,” leaving it unclear whether an employee located in California would be protected with the collection of their employment data in their role as an employee. Based on some of the prohibited acts under the CCPA if a consumer refuses to allow their information to be collected (for example, refusing to deliver goods or services or charging different prices for goods), there is reason to believe that this does not apply to employers collection of employee personal data in their role as an employee. At the moment the Attorney General of California is in the process of six rulemaking workshops, which may provide more clarity on this issue.
If it was found to cover this type of data, employers should focus on covering data that is collected but not already exempted by the CCPA or preempted by federal law. For example, the CCPA exempts benefit plans that are subject to HIPPA. Other employee benefit programs (primarily those around retirement plans) may be preempted by ERISA (Employee Retirement Income Security Act of 1974). Where there is not a conflict with the subject areas above, the CCPA may cover information around wellness programs, discount programs, and other fringe-benefit programs.
New Processes and Systems
Having well-defined processes, systems, and trained employees will make or break your organization’s ability to handle the new requirements under the CCPA. As you hone your processes you should involve stakeholders across departments, and clearly delineate responsibilities for key tasks (e.g., obtaining appropriate consent, processing requests, reviewing the data map, complying with the requests). Here too, you’ll find that transparency and accountability are key.
While data access, portability, and deletion requests look familiar they take on a new flavor under the CCPA. Unlike the GDPR’s data deletion right’s contingency on the occurrence of six specific grounds (e.g., consent withdrawn or objection made), the CCPA’s data deletion right can be exercised for any reason (with a few exceptions) and there is no limit to the number of deletion requests a consumer can make. Similarly, the CCPA’s right to data portability is not conditioned on the basis of processing as is the case with the GDPR right (e.g., if the basis for processing is consent). It is likely that your organization will see at least one consumer request, so what’s your plan?
Once you receive a request for data access, portability, or deletion, you will need a system and process to verify the identity of the requester and to assess if the requester has the authority to make the request. And you’ll have just 45 days (generally) to respond to the request and perform the specific request made. You should ensure your organization has reviewed the data map, informed the appropriate stakeholders in the organization that these requests are going to come, and specify who is responsible for handling which part of the request. Notably, it is important that stakeholders from different departments—from engineering to HR—are prepared to support these requests and have an idea of what will be required of them. You may want to consider organizing request response drills to work out some of the kinks in your processes and systems before the real thing.
New to the CCPA is the consumer’s right to opt-out of the sale of their personal information. Companies will need to update their homepage to add to a clear and conspicuous “Do Not Sell My Personal Information” link (and online form), and then your processes to track and comply with the actual opt-out requests will need to kick in. Additionally, you cannot request authorization to sell a consumer’s personal information for at least 12 months following the exercise of their opt-out right.
As compliance evolves with the passing of new privacy legislation, your systems and processes should continue growing and evolving to meet the new requirements and benefiting from your organization’s collective experience.
Monitoring Legal Developments
Organizations additionally need to watch out for future developments. The CCPA has already undergone its first amendment on September 23, 2018; a mere two months after it was initially passed and a second amendment was introduced earlier this year. The CCPA also requires the California Attorney General (CAG) to adopt regulations to further the purpose of the CCPA. More information regarding the rulemaking process and activities can be found on the CAG website.
Your monitoring exercise should not be limited to the CCPA though. Obviously, companies are urged to consider existing industry-specific laws. While the demand for a federal legislation offering consistent protections and standards has been high for a while and might not be adopted in the near future, following the path of the European Union and California, a few other US states as well as countries around the world have recently implemented data protection and privacy laws to which your organization may be subject.