Eight Weeks and Counting to the Deadline. The California Consumer Privacy Act (CCPA) becomes effective on Jan. 1, 2020. With the compliance deadline rapidly approaching, the finish line seems farther away than ever. In this article, we provide an overview of key changes in the final CCPA and how the state’s attorney general regulations fit into the puzzle. The good news is that businesses can take just a few critical steps now to develop policies and procedures that both comply with the current law and can be adjusted to align with the final regulations that go into effect next year.
There Could Not Be More at Stake. Since the law’s inception, businesses have struggled with uncertainty regarding what the law means and how to prepare for compliance—and for good reason. The CCPA’s expansive definition of “sale” and the “Do Not Sell My Personal Information” provisions threaten to disrupt targeted advertising and make it more difficult for companies doing business in California to reach and develop commercial relationships with Californians. AdTech companies (many founded and based in California) could be disintermediated if advertisers return to first party ads and away from programmatic advertising given the lack of certainty and industry-supported technical standards for compliance. Even businesses with few or no contacts with California may be subject to the CCPA if they control or are controlled by a company or share common branding with a business operating in the state subject to the CCPA.
Don’t Hyperventilate or Give Up! While the California attorney general recently issued draft regulations for the CCPA proposing stricter and more detailed requirements, they are not yet the law. In fact, there is a comment period that ends Dec. 6, 2019, and final regulations are not expected until approximately April 2020 (after yet a second comment period)—four months after the Jan. 1, 2020, effective date. Fenwick will analyze those regulations in a separate alert. Meanwhile, enforcement by the attorney general will begin soon after (no later than July 1, 2020).
10 Essential Measures to Take Now to Prepare for Compliance. With the final amendments passed by the California legislature and signed by the governor, this alert is designed to cut through the noise by (i) summarizing what you need to know about the recent CCPA amendments and (ii) providing 10 practical measures you can take now to prepare for the CCPA on a risk basis and in line with evolving industry practices.
Where the Law Stands Now – The CCPA Amendments and Other New Laws. California recently amended the CCPA and adopted other laws impacting data privacy in several ways:
- HR data is partially exempt from the CCPA for one year (AB-25). This should be a relief for many exhausted HR managers. However, the exempted information does not get a complete pass because the CCPA’s data breach private right of action and privacy notice provisions still apply.
- Definition of “personal information” under California breach notification law (and CCPA Private Right of Action) expanded to include biometrics and certain government issued IDs (AB-1130). California’s breach notification law was amended to cover unique biometric data, facial recognition, tax identification numbers, passport numbers and other forms of government IDs. These types of data are now covered by the CCPA’s private right of action for breaches.
- The private right of action applies to breaches of nonencrypted and nonredacted personal information (AB-1355). The initial version of the CCPA provided a private right of action when “nonencrypted or nonredacted personal information” was disclosed as the result of the business’s failure to maintain reasonable security. As a practical measure to limit liability where personal data is either encrypted or redacted (i.e., not both), the law was amended to clarify that the private right of action is not available if the personal information was either encrypted or redacted.
- CCPA definition of “personal information” was modified to limit impact on data analytics and target marketing.
- Definition narrowed – requires reasonable association with an individual (AB-1355). Personal information now includes information that is reasonably capable of being associated with, or could reasonably be linked… with a particular consumer or household. The addition of the word “reasonably” excludes information where association with a particular consumer is technically possible but extremely unlikely.
- Deidentified and aggregated information excluded (AB-874). Personal information does not include deidentified or aggregated information or information lawfully obtained from government records. These changes are a big win for businesses that perform analytics.
- Impact. These two amendments will benefit data analytics and selected targeted marketing where individual information is pseudonymized (low likelihood of reidentification) versus completely anonymized (incapable of re-association).
- New expansive data broker registry law (AB-1202). California also enacted a new law requiring “data brokers” to register with the AG annually. A data broker is broadly defined as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” Noncompliance can lead to fines and other penalties. This amendment may expansively impact AdTech and co-promotion efforts (e.g., airline and rental car cross-promotions and other lead-generation arrangements).
- Responding to data subject requests for access and deletion made more business friendly (AB-1355). In a win for businesses, the CCPA was amended in three ways to make it easier for a business to manage and prevent identity theft: (i) for consumers who maintain an account, the business can require the consumer to make a request through the account, (ii) a business may also require authentication that is reasonable in light of the personal information requested and (iii) to help prevent possible identity theft, businesses are prohibited from providing a requestor their social security and other governmental ID numbers, financial, health and medical account numbers, and password and security information.
- A toll-free number is no longer required for online-only businesses that have a direct relationship with a consumer (AB1564). Businesses are still required to provide a toll-free number in many cases. Businesses that maintain consumer-facing websites must allow consumers to submit requests via those websites. Many smaller companies not sure how to comply are investigating potential answering machine and service solutions.
10 Essential Measures to Take Now to Prepare for Compliance
Given the complexity of the CCPA requirements, and the relatively short time period between adoption and implementation of the final regulations, businesses should develop policies and procedures that both comply with the law and can be adjusted to align with the final regulations. The CCPA and our recommended action items can generally be distilled down to affecting four key areas: (i)notice and choice, (ii)individual rights, (iii) improving internal processes and service provider oversight, and (iv) being proactive.
Based on our knowledge of industry initiatives and what we have seen others doing in this time of uncertainty, the following represent practical measures you can take now to prepare for the CCPA on a risk basis and in line with evolving industry practices.
Notice and Choice Action Items
- Map out a “Do Not Sell” function. Sale opt-outs require more complex handling than other types of requests and could require notification of downstream vendors under the AG regulations. If your business is selling personal information, you should develop your own manual (e.g., email) techniques for receiving and operationalizing Do Not Sell requests, while looking to leverage industry approaches such as the proposed Internet Advertising Bureau (IAB) CCPA Framework and Digital Advertising Alliance (DAA) Framework. While still developing and gaining support, we have been very active in learning both.
- Don’t forget to include HR notices! As described above, while there is a one-year respite under the CCPA for various obligations relating to HR and worker personal information, the CCPA still requires businesses to inform employees and applicants about the categories of personal information collected and the purposes for which it will be used. Be comprehensive. Many companies are now developing employee and worker privacy notices.
Individual Rights Action Items
- Make sure the price is right…. Flag financial incentives involving consumer information to avoid anti-discrimination claims. Financial incentives are only permitted if the different price or service is reasonably related to the value provided to the business by the consumer’s information. Conduct an inventory of your business’s financial incentive programs now (including any data-driven dynamic pricing or discount programs, loyalty programs or demos) so you can quickly develop conforming pricing guidelines in view of the final regulations.
- (i) Developing a data subject rights “playbook” which contains procedures and templates for confirming receipt of requests, verifying the requests, providing requested information, and fulfilling consumer options and
- (ii) Conducting data subject request tabletop exercises with the appropriate stakeholders to ensure that the business is ready to address requests on Jan. 1, 2020, and make sure that call centers, support centers, receptionists and chat functions have scripts and know where to direct consumer requests.
- Consider also tools and other methods to track data subject requests. Upgrade your data management capabilities to meet the serious burdens imposed by the proposed regulations. These regulations specifically state that a ticket or log format can be used to maintain records related to consumer requests. Many companies are customizing Jira or other ticketing systems or considering new tools offered by Transcend, Clarip, Informatica or ones incorporated into larger tools offered by TrustArc, Nymity and OneTrust.
Improving Internal Processes and Service Provider Oversight Action Items
- Update your inventory of third-party data sharing. Understand your data flows to ensure that you have what you need to implement Do Not Sell requests. Many companies are doing a bottoms-up inventory reviewing all interfaces, SDKs and other means to share data with third parties. Make sure you are able to identify the third parties to which you have sold personal information in the past 90 days, so you can notify them if required by the final regulations.
- Review your DPAs with respect to data control. Evaluate whether your business is best served by relying on the service provider or other exceptions under the CCPA or allowing further downstream data use by others. If you collect data directly from an individual, review how service providers use your data and update your contracts as appropriate. This step is important, as many vendors who wanted to retain independent data rights, and classified themselves as co-controllers under the GDPR, are rethinking the value and exposure of that position in light of the possibility to have limited liability as a Service Provider under the CCPA (but only be allowed to use data as explicitly specified in a DPA or contract).
“Be Proactive” Action Items
- Adopt “reasonable security” (or at least map to CIS20) to prevent a costly data breach and class action. Select an appropriate standard defining reasonable security for your organization, such as the CIS 20 Controls. While most security organizations operate against and use ISO/IEC 27002:2013, NIST Cybersecurity Framework, PCI-DSS or other security framework, many organizations in anticipation of CCPA are now performing gap assessments in view of the selected standard and developing a plan for addressing any deficiencies. At a minimum, many companies are mapping their security controls to the CIS20, a safe harbor defense against from class actions under the CCPA. See Five Steps to Mitigate CCPA Class Action Risk: What Companies Need to Do to Increase Data Security.
- Prepare for registering as a data broker. Determine whether your business would be considered a data broker under the law. If so, develop procedures for registering with the AG on an annual basis.
Consider making public comments in response to the regulations. The AG proposed draft regulations are detailed and have many operational and unintentional business impacts. Let the AG know your business’s take on the proposed regulations. Any public comments must be submitted by Dec. 6, 2019.
Need a Life Preserver in the Storm? For more detailed information regarding the action steps discussed above or our take on how some of the evolving industry initiatives and standards may impact your company, please reach out to the Fenwick Privacy team.