In the wake of the Cambridge Analytica scandal, in which the firm is accused of buying the data of nearly 90 million Americans that had been collected without their consent, the Federal Trade Commission (FTC) launched an investigation that focused largely on the controls an organization must have over how its data is shared with and used by third parties. In other words, it marked the probable infancy of GDPR-style regulation in the US.
What is CCPA and Does It Apply to My Business?
In June 2018, on the heels of the FTC investigation, the California state legislature unanimously passed the California Consumer Privacy Act (CCPA). It establishes a new privacy framework for businesses within the state's jurisdiction, and its broad scope is largely unfamiliar in the US. The first step in understanding the implications of this new set of privacy laws is to understand exactly which businesses they apply to. CCPA applies to businesses that fall under any one of the following categories:
- Have annual revenue in excess of $25 million;
- Buy, receive, sell, or share personal information on 50,000 or more California households or devices;
- Derive more than half of their annual revenue from selling consumer personal information.
Forthcoming regulations could clarify some of these parameters, but some small businesses may not be able to escape the reach of CCPA. Although the law is primarily targeted at businesses holding considerable amounts of data, its reach can extend to smaller companies as well. Specifically, small business operations in the state that meet at least one of the requirements above will also have substantial privacy obligations with respect to those operations, most notably regarding employment records.
CCPA applies to the sale of personal information. “Sale” is a broad term defined as “the selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating...a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
The following circumstances, however, do not constitute the sale of personal information:
- Consumer-directed disclosure;
- Identification of a consumer who has opted out under the opt-out provision;
- Sharing personal information with a service provider that is necessary for the performance of a business purpose, if the business has provided notice to its consumers, the service provider is acting on the business’s behalf, and the service provider does not sell the personal information;
- The business transfers personal information to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party “assumes control of all or part of the business,” subject to certain conditions.
CCPA’s Definition of Personal Information
How personal information is defined is the key to understanding how CCPA can impact your business. The CCPA defines personal information broadly to include information that can identify, relate to, describe, be associated with, or be reasonably linked, directly or indirectly, to a particular consumer or household.
Personal information as defined in the CCPA includes name, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number or passport number, biometric information, bank account number or any other financial information, geolocation data, audio, electronic, or visual information, employment-related information, certain education information, and medical or health insurance information.
It also may include inferences drawn from information used to create a profile about a consumer that includes the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Preparing for CCPA
The reality is that if your business is required to be CCPA-compliant and you haven’t begun preparing, you're already behind. Any company that does business with California residents should be ready to respond to the 12-month “look back” requirement: companies will need records of any personal information collected during the 12 months before January 1, 2020, that is, from January 1, 2019 onward.
There are several other steps your organization should be taking as you move toward the deadline, so that you are ready not only to be compliant but also to demonstrate your compliance, and thereby avoid potentially crippling fines and/or lawsuits.
- Perform an internal review to confirm what personal information is being collected
- Understand the scope of personal information collected:
  - How is it being used?
  - Is it sold to third parties?
  - Is it shared with third parties, and for what purpose?
- Review internal policies and procedures regarding the scope/purpose of any personal information collected
- Review and update your internal and online privacy policies to comply with the disclosure requirements
- Create policies and procedures to ensure your organization can respond to consumer requests for access to, deletion of, or information related to the sale or disclosure of their personal information
- Prepare to implement technology solutions that can process the consumer requests you receive and honor consumers’ right to opt out of the sale of their personal information
- Prepare training materials to educate your organization, specifically those handling consumer personal information inquiries
- Conduct third-party audits on service providers who have access to your consumer personal information
While this isn’t a comprehensive list of all the preparations you should be making, it will get you heading in the right direction. In addition, ensuring your data is protected from potential breaches can go a long way toward keeping your organization’s data and reputation safe.
Details on CCPA laws were taken from The International Association of Privacy Professionals (IAPP).