Four Issues to Consider About the California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) is the State of California’s response to the European Union’s General Data Protection Regulation (GDPR). Because California tends to lead the way on new regulations (e.g., data breach notification requirements and vehicle fuel efficiency standards), the CCPA may become the de facto standard for state-based — and perhaps U.S. federal — privacy regulation over the next several years. Moreover, the CCPA may be strengthened in the near future: in late June 2020 a state measure amending it qualified for the November 2020 ballot.
Corporate decision-makers should ask themselves four questions about the CCPA:
Why is CCPA Important to Consider?
The CCPA applies to a wide range of organizations that meet one or more of the following criteria:
- Most companies that hold information about California residents and generate at least $25 million in annual revenue
- Companies that hold personal data on 50,000 or more California consumers
- Companies that generate more than 50% of their revenue from the sale of personal data
The CCPA applies to any “natural person who is a California resident.” The CCPA defines these residents’ “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
It may include:
- a person’s actual name
- any aliases they might be using
- Social Security numbers
- postal addresses
- online identifiers
- unique personal identifiers
- email addresses
- IP addresses
- account names
- driver’s license numbers
- passport numbers
- records of personal property
- products or services that have been purchased, acquired or considered
- consumption histories and tendencies
- biometric information
- browsing and search history
- any data related to their interaction with a website, application or advertisement
- geolocation data
- audio, electronic, visual, thermal, olfactory, or similar information
- professional or employment-related information
- non-public personally identifiable information as defined under the Family Educational Rights and Privacy Act
It may also include inferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. In short, just about any information about a California resident or anything they do online will likely be subject to the CCPA.
At least 500,000 businesses in the United States will need to comply with the CCPA, plus millions of businesses worldwide that have customers or information about consumers who live in California. The penalties for non-compliance are significant: each consumer whose data was breached may be entitled to recover damages of up to $750 or the actual damages from the breach, whichever is greater; injunctive or declaratory relief; or any other relief set by a court.
Moreover, the State of California Attorney General’s office can also impose penalties of $2,500 or $7,500, respectively, for each non-intentional or intentional violation of the CCPA.
What are the Impacts of CCPA on Data Retention?
The CCPA is, for all intents and purposes, a privacy regulation designed to protect the confidentiality of California residents’ personal information and to give these residents specific rights about how their information is processed and managed. However, the CCPA has important implications for data processors and controllers on several levels with regard to data retention:
- The CCPA contains a “look back” provision that requires data processors and controllers to review all of the information that they might have on a California resident for the preceding 12 months from the date that a verified consumer request is received.
- California residents can submit data requests to a business that they believe holds information about them, and they can request that the data be deleted. This is similar in scope to the GDPR’s “right to be forgotten.” As a result, businesses that hold information on California residents must not only be able to obtain this information from their records quickly and easily, they must also do so completely so that no vestiges of personal data remain within their systems.
- However, some organizations have regulatory obligations that supersede the CCPA’s data deletion provisions. For example, financial services firms that are subject to SEC and FINRA recordkeeping requirements, or healthcare organizations subject to HIPAA data retention requirements, can retain certain types of data even if a deletion request is received. Consequently, organizations must appropriately classify data to ensure that it is retained or deleted in compliance with the applicable regulatory obligations to which it is subject.
- Finally, businesses must have defensible deletion capabilities within their archiving and backup systems to demonstrate that they have complied with any and all deletion requests that they have received.
Complicating things, however, is that many businesses don’t have access to all of their data. For example, in an era of Bring Your Own Device (BYOD), applications, mobile apps and cloud services, some proportion of corporate data will be retained outside the control of IT and/or those charged with CCPA compliance. Osterman Research estimates that roughly 5% of all corporate data is stored outside of corporate control, on personal devices and in personally managed cloud accounts.
Further complicating matters is that if an organization uses the Retention Lock feature within Office 365’s archiving function, this data cannot be deleted during the retention period that has been established.
What Lesson Can We Draw From GDPR?
What will enforcement look like under CCPA? It’s hard to tell at this point, but two important lessons learned from the GDPR can be illustrative of what businesses should expect:
The targets may not be what you expect
While many expected that the GDPR was designed, at least in part, to pursue the likes of Google, Facebook and Apple, the first fines under GDPR were not as expected. For example, the first GDPR penalty in the UK was a €275,000 fine against Doorstep Dispensaree, a London-based pharmacy that was fined for leaving 500,000 paper documents in unlocked containers. The first German enforcement of the GDPR was a €20,000 fine against Knuddels.de, a social media provider that had more than 800,000 email addresses and passwords accessed in a hacking incident. We can expect that fines under the CCPA may also be against unlikely targets.
That said, it’s important to note that a number of GDPR fines have been issued against high-profile firms, as was expected. For example: fines of €110.4 million to Marriott International and €204.6 million to British Airways from the UK’s Information Commissioner’s Office, and €50 million to Google from the French data protection authority (Commission Nationale de l’Informatique et des Libertés).
Regulators may start out slowly, but ramp up quickly
While the GDPR went into effect on May 25, 2018, only nine fines were issued during the first seven months. However, during the next seven months, 50 fines were issued. In the following seven months, 132 fines were issued. As of this writing, GDPR fines have reached in excess of €470 million against 284 entities and the numbers continue to climb. In just the first year following the beginning of enforcement of the GDPR, 281,088 cases were logged.
How Can You Manage CCPA?
Are privacy regulations like the CCPA good for business? Should you comply with the CCPA? The answer to both is a definite yes! While maintaining compliance with the CCPA is and will be painful for organizations that don’t yet have their information governance house in order, there can be some benefits that organizations may realize from implementing a program to comply with the CCPA. For example, decision-makers should focus on things like:
- Ensuring that there is a clearly defined business purpose for each type of content captured. This helps ensure that only the data needed to satisfy that purpose is collected, and no more.
- Mapping data sources across the organization to internal controls to ensure that this data is protected.
- Updating consent policies so that they describe what content will be captured and support the CCPA’s provision allowing data owners to opt out of having their information sold.
- Making sure that the intentions and practices surrounding how data is collected, used, accessed, retrieved and disposed of are transparent to data owners. The key is for data owners to fully understand how and why their information will be used.
- Ensuring that internal systems, as well as outside data controllers and processors, can respond to all required inquiries in a timely, thorough and reliable manner.
- Updating third-party security and privacy attestations and certifications, such as SSAE-18.
By deploying appropriate archiving and information governance technologies into the DNA of their information processing activities, organizations can realize value from those technologies for other purposes. Organizations can extract intelligence and insight into how their organization really operates and streamline their legal discovery process.