Didn’t I Already Do This for GDPR?

If you already have a compliance program for the EU General Data Protection Regulation (GDPR), a lot of this may sound familiar. While the CCPA borrows a number of GDPR concepts and definitions, and your GDPR program will give you a head start on CCPA compliance, the CCPA does require some additional steps.

At a high level, some of the issues that will need to be addressed include:

  • Your data map and record of data processing will need to be updated to (1) reflect the CCPA's broader definition and categories of "personal information" and (2) address any data transfers that could be a "sale."
  • Your process for handling data subject rights requests will need adjustment to reflect some CCPA-specific or expanded rights, like the opt-out right, and the broader data access and portability rights.
  • Your vendor management program will need adjustment, and your "data processing addendum" will need additional terms to address the CCPA's "service provider" requirements.
  • The CCPA's right of non-discrimination is not directly analogous to any GDPR concepts, and may need to be addressed.
  • Your privacy notice will likely need to be revised (and must be updated annually) to include CCPA-specific disclosures.
  • The CCPA's private right of action/class action and statutory damages present a significant change in risk profile, as a claim may be more likely and costly than enforcement by a government authority. Review and update your information security and response policies and practices to address the new environment.

Part I:

What is the CCPA, and Why Should I Care?

The California Consumer Privacy Act (CCPA) is a wide-ranging privacy law that will come into effect in a bit over eight months. For-profit businesses with (even attenuated) ties to California, the fifth-largest economy in the world, should start to prepare for this sea change in United States privacy law.

Over the next few weeks, we will be providing a series of articles about the CCPA and what you should be doing to prepare. This week, we start with the most basic: What is the CCPA, and why should I care?

What is the CCPA?

The CCPA regulates how businesses collect, use and disclose just about any kind of information that can be related to an individual. Despite an effective date of January 1, 2020, the CCPA remains a work in progress: parts of the law remain ambiguous; key regulatory guidance is still missing; and the law itself is likely to be amended in the near future.

Recent experience with the EU's General Data Protection Regulation (GDPR) shows that it takes time, forethought and preparation to address this sort of broad privacy regulation. Waiting until there is certainty as to what the law requires will not provide enough time for compliance, so it is important to get started.

So Why Should I Care?

The CCPA regulates common business practices across a range of industries, imposes new consumer protections and compliance challenges, and creates new and significant potential liability. These include:

  1. A class-action-friendly private right of action, with minimum statutory damages ($100-$750 per affected California resident) for failure to maintain "reasonable" security standards in the event of a data breach (and, if proposed amendments pass, for any violation of the CCPA). Unless there are significant changes to the law, it could spawn the next wave of class action claims.[1]
  2. Attorney general enforcement authority, with maximum civil fines of $2,500 per "violation" and $7,500 for each "intentional" violation.
  3. The scope of "personal information" protected by the CCPA is extremely broad and reaches throughout a business's operations. "Personal information" includes "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular [California resident] or household."

    Further, despite the name, the CCPA doesn't just apply to personal information about actual consumers; it also covers personal information of a business's California employees.
  4. The CCPA applies to a wide range of "businesses," but the definition of "business" can restrict transfers of personal information between affiliates. At first glance, the CCPA seems designed to apply to the major technology companies that collect consumer data. However, as discussed in our next installment, its reach is much broader than that, and could sweep in many companies that would not otherwise expect to be significantly impacted by a California online consumer law.

    It is also important to note that because of the limited definition of "business," entities that are "affiliates" under most current legal definitions would only be considered part of the same "business" if they are direct parents or subsidiaries that share common branding. As a result, even transfers of personal information within a corporate family may constitute "sales" of personal information that are subject to consent/opt-out rights, if the transfer is for "valuable consideration."
  5. The CCPA creates new consumer rights for California residents. Businesses will have to comply with individuals' requests to exercise these rights within 45 days. These rights include:
    • A right to opt out of the "sale" of personal information (defined broadly as "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating . . . personal information by the business to another business or a third party for monetary or other valuable consideration"), which limits a wide range of ordinary business activity that was previously minimally regulated;
    • Rights of access, transparency and portability (which include a requirement to disclose "the specific pieces of personal information . . . collected" upon request);
    • A right of deletion; and a right of non-discrimination.

      Businesses must respond to these requests within 45 days of receipt, and requests for deletion must be passed to a business's service providers.
  6. There are specific contractual terms that must be included in your agreements with vendors that process personal information. Failure to include these terms means: (1) you might be subject to liability for the vendor's violation of the CCPA, and (2) transferring personal information to a vendor for valuable consideration could be considered a "sale," imposing additional obligations on you.
  7. The CCPA is likely only the beginning. Other states are discussing, or have already proposed, broad privacy laws similar to the CCPA and GDPR.[2] Federal lawmakers continue to hold hearings on federal privacy legislation. So, even if the CCPA doesn't apply to you today, one of these other laws probably will.

Coming Up Next: "Does the CCPA Affect Me?"

Now that you have an idea of what the CCPA is and why you should care about it, see our next installment for more information about whether the CCPA will affect your organization.

(Spoiler Alert: It probably will.)

[1] Note that this breach liability currently only applies to personal information covered by California's data breach notification statutes (e.g. 1798.82)—but California recently proposed legislation to expand those definitions as well.

[2] For example, Washington, New Jersey, and Texas, among others, have all proposed privacy legislation that draws upon the CCPA and GDPR.