California Consumer Privacy Act: Broadly Defined & Hastily Enacted
The California Consumer Privacy Act (CCPA) is California's newest initiative in protecting customer data. It will also be larger California business owners' newest headache if businesses are caught unprepared. This Act was hastily passed in June 2018 after the Legislature and initiative backers of the ballot drafted it in about 8 days. Although the language of the Act is still very unclear and significant ambiguities and drafting errors still remain, larger California business owners must familiarize themselves with the purpose and the requirements of this Act soon, as it becomes effective on January 1, 2020.
Painting with a broad stroke, the CCPA creates various rights of "California Residents" to receive a copy of their personal information from businesses who have obtained it, to opt out of the sale of their personal information to other businesses, to receive disclosures about the collection and sharing of their personal information, and to have their personal information deleted from the business's system if they so choose. The CCPA will apply to any business that has greater than $25 million in revenue, that handles the personal information of 50,000 or more consumers, households, or devices, or that derives 50% or more of annual revenues from the sale of consumer personal information. But what does that boil down to? The term "personal information" is so ambiguously defined that it is hard to say what that encapsulates. However, in its simplest form, the CCPA will be enforced against any business that runs 50,000 or more California credit cards because this card data is considered personal information.
The CCPA will be generally enforced by the Attorney General, but it also creates a private right of action for data breaches (think class actions). To comply, affected businesses will have to properly respond to what is called a "Verifiable Consumer Request." This consumer request for personal information collection from the business must be met with a delivery of the required information (usually free of charge) to the customer or employee within 45 days of the request, and the disclosure must cover the 12 months preceding the verifiable request. If the customer requests that the business delete their personal information, the business must delete that personal information and direct their service providers to do the same upon receipt of the request. Additionally, a consumer may opt out of the sharing of their personal information if the business sells such information. The Act provides the business must implement a conspicuous link on the home page of their website titled "Do not sell my personal information," as well to give the opt out option up front.
Although there will be various exceptions to the Act, compliance will be a necessary cost that businesses will need to take into consideration moving forward, which becomes all the more difficult due to the Attorney General's warning that an amendment to this Act is imminent in the next year. Despite the fact that this Act could be changed or supplemented in six months, or even tomorrow, here are some things affected business owners can begin doing now to prepare for compliance with the CCPA as it is now written:
- Perform data mapping and inventory to know what personal information data you have and why you need it
- Analyze and adjust how you collect and share information in order to minimize data collection in your system
- Revise contracts with your vendors to clarify that they are only permitted to use personal information to provide the service to you
- Develop a strategy for dealing with verifiable data requests: automated messaging systems, a designated data request employee, a toll free number to take requests, etc. if you are a larger company, think volume
- Tighten up your security to avoid a data breach and class action suits.
Although this Act does not give bright line rules and guideposts on how to comply, there is an inevitable personal information request storm brewing, and California businesses will nonetheless be required to brave that storm when it comes.