CCPA goes into effect on January 1st, 2020.
Based on the EU’s General Data Protection Regulation and, more loosely, on NYS’ Cybersecurity Regulation 23 NYCRR 500, the CCPA is the most expansive privacy regulation ever adopted. With the extension of “personal information” to include household and device identifiers such as location and address, and the rights granted to individuals under the CCPA to control this otherwise public information, the law’s effects will be long felt and may significantly change the consumer’s experience.
Businesses That Are Affected
ANY for-profit company that does business in California and meets any one of the following:
- >= $25 million in annual sales
- Buys, sells, or shares information on >= 50,000 individuals, households, or devices
- Any combination thereof that meets that threshold
- Derives more than half of its annual revenue from selling personal information
The CCPA’s intent is to give consumers greater control over their personal information by creating myriad new rights for California residents whose personal data is collected, processed, or sold by companies covered by the law, effectively any business that does business in California, with very few exceptions. This entitlement of “control” is granted in four ways:
- Notification: A business must notify consumers what Personal Information is being collected from them, how that Personal Information is being collected and used, and whether, and to whom, it is being sold or disclosed. It must also notify consumers that they have the right to have their Personal Information deleted from the business’ records and from those of the third parties with whom the business has shared that information. These notifications or disclosures should generally occur via publicly posted privacy notices, and additionally be made available and presented upon request by a consumer.
- Sale and Use of Personal Information: Consumers must be given a simple and easy way to opt out of having their Personal Information sold to a third party. Consumers under the age of 16 must affirmatively opt in if their Personal Information is to be sold, and a parent’s or guardian’s consent must be given for children under the age of 13. Opting out must also include a link on the home page of the business’s website that reads “Do Not Sell My Personal Information”, allowing California consumers to easily exercise their right to opt out.
- Removal of Personal Information: Consumers have the right to request that a business delete their Personal Information. Businesses must comply with these requests in a timely manner and ensure that the information is also deleted by third parties with whom they may have shared that consumer’s Personal Information. Exceptions to this requirement exist, such as where the Personal Information is needed to complete a transaction or transactions.
- Service Equality: A business cannot discriminate against a consumer who exercises his or her rights under the CCPA. Generally, the CCPA prevents a business from charging a fee for exercising any of those rights, except where that fee reflects a different level of service for customers whose Personal Information is retained and “that difference is reasonably related to the value provided to the consumer by the consumer’s data.” In other words, businesses can offer a financial incentive to collect, use and share the Personal Information they collect.
Private Right of Action
The CCPA provides consumers a private right of action if their personal information “is subject to an unauthorized access and exfiltration, theft or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices.” Consumers can file individual or class action lawsuits, recovering between $100 and $750 in statutory damages per incident without a showing of harm, or actual damages where harm is evidenced. This portends a flood of litigation.
However, consumers may only sue over data breaches resulting from a business’s failure to implement reasonable security measures. The law’s safe harbor provision protects businesses from suit by requiring consumers to notify the business of the alleged violation before filing a lawsuit; the business then has 30 days to cure the alleged violation, and if it does so the suit may not go forward.
The CCPA also entitles consumers to seek injunctive and other forms of relief, and it sets out different procedures for actual versus statutory damage actions.
Penalties for Non-Compliance
CCPA defines penalties that may be applied when companies expose personal information or otherwise fail to meet their privacy and security obligations. One unique aspect of the California law is that it sets specific dollar amounts that consumers can collect from companies in the event of a breach. A consumer can sue for between $100 and $750 without having to prove that they were actually harmed by a data breach, and can collect much more if they are able to demonstrate material harm.
Businesses that fail to comply with the CCPA are subject to civil penalties by the State of up to $2,500 per violation and $7,500 per intentional violation. Once notified of a violation by the attorney general, companies have 30 days to come into compliance in order to avoid penalties, although it is difficult to see how that would apply to a data breach occurrence.
However, these penalties apply only where a company has failed to protect personal data from breach, for example by not encrypting or redacting it.
What is Protected
“Personal Information”: “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The term “household” adds a new, unique, broadly encompassing dimension to commercial and consumer privacy law. Specifically, information collected by a business does not have to be associated with a name or individual, but rather can identify a household. In the absence of specific clarifying regulation, something as basic as an address would meet this standard.
Along with traditional personal identifiers such as Social Security numbers, driver’s license numbers and purchase histories, the definition of “personal information” under the CCPA also includes “unique personal identifiers” such as device identifiers and other online tracking technologies.
The CCPA excludes information that is publicly available, which is defined as information that is “lawfully made available from federal, state, or local government records, if any conditions associated with such information,” but “publicly available” does not include biometric information collected without the consumer’s knowledge, nor personal information used for a purpose different from the one for which the information is maintained and made available in the government records or otherwise publicly maintained.
The CCPA also excludes aggregated or de-identified data, as well as medical or health information collected by a person or entity governed by California’s Confidentiality of Medical Information Act or HIPAA.
How to Prepare
- Privacy notices, other policies and procedures, and websites will need to be updated before the CCPA takes effect.
- Map the personal information the business collects and the locations where it is stored, so that any request under the CCPA can be met promptly.
- Leverage a SIEM 2.0 platform like CyberGlass to monitor, manage and respond to security alerts such as a breach; this helps identify gaps in the security posture that may lead to a violation.
- Subscribing to a Breach Prevention Platform like PIIGuard360 will help train and monitor your team to ensure they help you protect client data, and protect yourself from a breach that can lead to a violation and penalties.
More to Come…
CCPA requires that the California Attorney General publish regulations between Jan. 1, 2020, and July 2, 2020.
The Attorney General is precluded from bringing an enforcement action under the CCPA until the earlier of six months after the final regulations are published, and July 1, 2020. At this point, businesses must hope that the final regulations are published well in advance of July 1, 2020, so they can fully prepare for implementation of the many requirements.
SB-561, a bill currently working its way through the amendment process, would amend the CCPA and expand the rights it gives to consumers. Should it come to pass, it significantly expands many of the rights engendered in the law. Specifically, these include:
- Expansion of Private Right of Action: provide for a private right of action for all CCPA violations, not just those stemming from a data breach;
- Elimination of the Curing Period: eliminate the 30-day safe-harbor provision that currently allows companies to cure the violation and thereby avoid a private right of action; and
- Increasing Diligence for Companies: prevent companies from seeking specific opinions from the Attorney General and instead allow the AG’s office to provide “general guidance” via publications.