Are You CCPA Compliant?
Insight provided by Jason Sarfati, Director of Privacy and Data Ethics, Treliant

The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. The most comprehensive privacy law yet to be passed in the United States, the CCPA grants residents of California an array of new rights. It applies to all companies that conduct business in California, collect the personal information of California residents, and meet one of the following criteria:

  • Its annual revenues exceed $25 million.
  • More than 50% of its annual revenues are derived from selling the personal data of California residents.
  • It buys, sells, shares, or receives the personal data of at least 50,000 California residents.

Even if a company doesn’t have brick-and-mortar operations in California or isn’t incorporated in the state, there is still a chance it is subject to the CCPA. The most prominent examples are businesses earning more than $25 million in annual global revenues that support the California market. These include companies that control, are controlled by, or share common branding with businesses that meet this threshold.

Scope, Penalties for Noncompliance, and Enforcement
Under the CCPA, companies that experience a breach of unencrypted data as a result of failing to maintain and implement reasonable security procedures will face private-action statutory damages of up to $750 per person per incident or actual damages (whichever is greater). For general noncompliance with the law, the California attorney general may separately bring a civil enforcement action seeking up to $2,500 for each negligent violation and $7,500 for each intentional violation. Given the number of people likely to be affected by either a data breach or a CCPA-noncompliance event, companies should be prepared for the possibility of seven- to eight-figure fines. In addition to any fines, companies are likely to suffer reputational damage from negative publicity and financial losses from customers who withdraw their patronage.

The California attorney general’s office is the exclusive enforcer and regulator of the law. Its incentive to regulate companies is strong—the attorney general has a budget to pursue potential violators, and a portion of the fines collected will be distributed back into the budget upon receipt. Given the breaches that have occurred at some of the nation’s largest corporations, financial institutions, and consumer credit reporting agencies, there is likely to be a strong appetite for enforcement actions in 2020. Banking institutions are probable targets, given the sensitive nature of personal information they collect (e.g., social security numbers and financial data). 

A Summary of the CCPA
Rights granted to California residents. For California residents, the CCPA establishes the right to:

  • Be informed of the collected categories of personal information. 
  • Be informed of the categories of sources from which personal information was collected.
  • Be informed of the business purpose for which personal information is collected and/or sold. 
  • Be informed of the categories of third parties with whom the business shares personal information. 
  • Access their personal information.
  • Delete their personal information (subject to some restrictions).
  • Opt out of the sale of their personal information.
  • Receive equal services and prices if they exercise their privacy rights.

How the CCPA defines “personal information.” Under the CCPA, “personal information” includes any information that identifies, relates to, or could reasonably be linked to a particular California resident or household. Important examples include:

  • Identification information, such as names, email addresses, account names, and social security numbers.
  • Commercial information, such as purchases of products or property records.
  • Information on protected classes under federal or California law, such as race, sexual orientation, or gender identity.
  • Biometric information.
  • Information on internet or network activity, such as browsing or search histories.
  • Employment information.

Preparing for CCPA Compliance
Given that the CCPA has already taken effect, there are a number of steps that companies should take to ensure compliance, including:

  • Establishing a governance structure with well-defined roles and responsibilities for compliance, potentially including a formal privacy lead.
  • Conducting company-wide privacy risk assessments to identify data that is in scope and assessing the impact of privacy compliance and data protection on business operations and performance.
  • Performing data inventories to gain visibility into where data lies within the organization and recording the lifecycle of that data.
  • Developing procedures for responding to data-rights requests from consumers and, if the organization sells data, developing procedures to allow consumers to opt out of such sales.
  • Ensuring vendor and third-party oversight is adequate and updating vendor contracts to restrict ongoing uses of data by the vendor, as necessary.
  • Drafting online, externally facing privacy notices to explain to consumers what categories of personal information are being collected and how those categories of information are being used.
  • Evaluating and updating internal incident-response procedures and conducting breach-response training and testing, including tabletop exercises.
  • Taking a risk-based approach to securing personal data by conducting maturity assessments of existing security controls and ensuring a suitable level of technical controls based on the organization’s risk exposure, risk appetite, and resource levels.
  • Most importantly, revising and maturing the privacy policy and program as necessary.

What’s Next?
Early class action lawsuits alleging violations of the CCPA have raised some interesting issues and ambiguities, including:

  • Whether plaintiffs can prove companies failed to implement and maintain appropriate cybersecurity practices and procedures based on current cybersecurity standards (which are constantly evolving and thus a moving target).
  • The likelihood that class action suits will trigger secondary claims between companies and cybersecurity vendors.
  • The learning curve courts will face as juries, and even judges, attempt to educate themselves on cybersecurity matters.
  • Whether a specific CCPA provision that deems void any contract or agreement waiving the rights of a consumer passes muster under federal law.

As these and other lawsuits make their way through the court system, clarity around the issues mentioned above will increase. In the meantime, businesses subject to the CCPA should monitor the outcomes of these cases. Beyond the CCPA, businesses should monitor new privacy laws in the states where they do business. At the time of this writing, at least ten other states have introduced bills with similar requirements, indicating that CCPA-like obligations are soon to become the national norm. Moreover, sometime in the future, Congress is likely to enact a comprehensive federal privacy law, although the likelihood of it doing so this year is relatively low. Regardless, as data breaches continue to affect firms across the country, the best defense is to ensure that sound privacy safeguards are in place.