CCPA Are You Ready?
Gonna mitigate risk like it’s 1999…
Most of us are just recovering from the GDPR panic of 2017. Some of us are old enough to remember the SOX panic of 2003. Still fewer of us remember the Y2K panic of 1999. [Granted, the former examples turned out to be a little more concerning than the latter.]
We have a new panic brewing on the horizon. If my read of human nature is accurate, we should start hearing about it in our tech circles around May and it should reach board-room frenzy-state by August or September.
I’m referring to the California Consumer Privacy Act, or CCPA, passed last June (28 June 2018), which goes into effect 1 January 2020.
All of the events mentioned above share a few common threads: an unavoidable hard date that significantly impacted (or will impact) the business, a fairly technical core whose business implications are difficult for the non-technical to grasp, and a seemingly insurmountable technical task to prepare for.
Unfortunately, these common threads make all but the most disciplined of us want to “kick the can” down the road until we’re told to prioritize it above our normal day jobs and prepare appropriately for the deadline. That is the antithesis of what successful technology leaders do in this situation.
The new law was swiftly pushed through the California Legislature last June (2018) to preempt a November ballot initiative that would have locked in more stringent rules. Many in the industry preferred the legislative approach over a ballot initiative, because in California any change to a ballot initiative that has passed requires another vote.
What does the new law mean to consumers?
It’s my data, provide it to me on demand and forget me when I no longer use your service
Give me control over what data you collect, share, hold and how you use it.
Keep my data secure by designing your systems to keep my data secure and notify me if security has failed.
What does it mean for companies?
Companies that fit any of the following descriptions must honor the “rights” granted under the new law:
Businesses with annual gross revenues of at least $25 million.
Data brokers and/or other businesses buying, receiving, selling, or sharing the personal information of 50,000 or more consumers, households, or devices.
Businesses that get the majority of their annual revenue from selling consumers’ personal information.
The law marks a fundamental change of data ownership. Prior to 1 January 2020 the data is owned by the collector. Beginning in January 2020, it is owned by the consumer.
The penalties for noncompliance are stiff. If a business is notified of noncompliance, they will have thirty days after being notified to remedy the noncompliance. If they fail to remedy the issue, they’ll be found in violation of the title and subject to $7,500 for each violation.
The CCPA also defines civil action penalties. These will be not less than $100 and not greater than $750 per consumer or actual damages incurred if they are greater.
Doing some quick math, a data broker meeting only the minimum requirement to be covered under the law (50K consumer records) that suffered a breach could be liable for $37.5 million in payouts to consumers (50,000 consumers at the $750 maximum).
Here is a quick summary of the new regulations:
Disclosure [1798.100] - A business must disclose to the consumer the categories of personal information it has collected as well as the purpose for which it is being collected/used. Going forward this must be disclosed at or before the point of collection.
Right to be forgotten [1798.105] - Consumers may request that a business delete any personal information the business has collected. Businesses must disclose, along with the information being collected (1a/b), the consumer’s right to request that their personal information be deleted.
What must be disclosed [1798.110] - Consumers may request and the business must provide:
The personal information it has collected about the consumer.
The sources from which the personal information is obtained.
The business or commercial purpose of collecting the personal information.
The third parties with which the consumer’s personal information is shared.
The specific pieces of information it has collected about that consumer.
Data sold or disclosed by the business [1798.115] - A third party cannot sell personal information about a consumer it has received without providing the consumer an opportunity to opt out of the sale or disclosure. Further, consumers may request and the business must provide:
The personal information it has collected about the consumer.
The personal information it has sold and to which third parties.
The personal information it has disclosed and to which third parties.
Right to opt out [1798.120] - A consumer must be able to instruct a business that sells personal information to third parties that they want their personal information excluded from sale. A business must disclose this right and allow a consumer to opt out of having their personal information sold.
Non-discrimination [1798.125] - A business cannot treat a consumer who has exercised any of their rights under this law differently, e.g., by denying goods or services, charging different prices, or providing a different level of quality.
Ability to submit requests [1798.130] - Businesses must make available two or more methods for submitting requests. At a minimum this must include a toll-free telephone number and, if the business maintains a website, a method via that website.
As you can see, the new Title covers a lot of new regulatory territory. Some of it I have covered here; the rest, including a new definition of PII (personally identifiable information), I’ll cover in a future post.
The law gives consumers unprecedented control over their personal information, but creates an onerous challenge for companies wanting to continue to do business in California.
For those companies that restructured their operations to comply with GDPR requirements, you may be close to meeting the bar for CCPA. However, for the time being it looks like you will need to expand on your efforts in order to comply with California’s requirements.
In 2002, California was the first US state to legislate a mandatory breach notification law and now, as of 2019, all 50 states have put similar laws in place. I fully expect more states to follow California’s lead in expanding opt-out and disclosure obligation legislation.
What does the future hold?
We should expect to see a whole new area of third-party service providers facilitate the outsourcing of consumer privacy risk by storing and maintaining permissions, only allowing businesses to access the data when it’s needed. For example, blockchain initiatives, such as using smart contracts to govern consumers’ permissions and access to customer data, or to give consumers control to withdraw their consent or change the types of data they share, may experience growth in light of these legislative changes.