The California Consumer Privacy Act of 2018 (CCPA) was enacted in June 2018 with the fundamental goal of protecting consumers’ personal data by regulating and enforcing business compliance regarding the collection and use of that information. The CCPA guarantees consumers the rights to request information, to have information deleted, and to opt out. In addition, the Act obligates companies to inform consumers about the collection, receipt, and sharing of that information.
The CCPA requires any for-profit company that does business with anyone in California to:
- Identify all:
  - Collected personal information
  - Categories of collected personal information
  - Sources of personal information and categories
  - Recipients (shared and sold) of personal information and categories
- Provide and publicize Opt Out links
- Implement procedures to address consumer requests for:
  - Collected personal information and categories
  - Sources and recipients of personal information and categories
  - Deletion of personal information
Coming specifically in response to the massive Cambridge Analytica data misuse, the CCPA addresses growing consumer concerns about what data is being collected without their knowledge and where that data is ending up. The CCPA is the most recent response in the quest to mitigate the damage to consumers when personal information reaches unwanted places, by expanding and guaranteeing additional rights.
New Consumer Rights
Under CCPA, consumers have the right to ask a business for specific collected personal information about that consumer and any associated categories, the business reason for collecting it, and how/to whom the data was shared.
Consumers also have the right to request to have their information deleted and for confirmation of the completed deletion.
Consumers have the right to opt out of sharing their personal information. Interestingly, you can’t penalize a customer for opting out, but you can financially incent your customers to opt IN.
The CCPA is one sign of a movement to emphasize consumer rights over those of big business, ultimately resulting in better consumer identity protections, but also increasing the burden of responsibility on businesses like yours.
Now is the time to get started and get ahead with compliance.
Does it apply to B2B?
The most likely answer is yes, B2B tech needs to prepare for CCPA. Keep in mind that CCPA applies not only to your company, but also to all companies you do business with; we’ll refer to “business contacts” to mean companies you buy from and sell to. Even if you don’t meet the following requirements, your business contacts might be required to stipulate that you follow the regulations outlined in the CCPA as a third-party vendor.
If you or your business contacts have employees, customers, or consumers who might reside in California, now or in the future, ask yourself these questions:
- Are you a for-profit company doing business in California? (Non-profits are exempt.)
- Do you or your business contacts meet at least one of these three criteria?
  - Your gross revenue exceeds $25 million.
  - You receive and/or share personal information for at least 50,000 California residents annually.
  - You derive at least 50% of annual revenue from the sale of personal information.
CCPA: HIPAA and GLBA
CCPA may not apply to all or part of the data covered by HIPAA (health-related information) or GLBA (financial data), which is already protected by those acts.
According to a JDSupra post by Alanna Elinoff and Odia Kagan, “The CCPA does not apply to you with respect to Protected Health Information (PHI) (as the term is defined under HIPAA) that you create, receive, maintain or transmit. If you process personal information that is not PHI and are otherwise subject to CCPA, the provisions of CCPA will apply to you… The CCPA will not change any of your existing obligations under GLBA with respect to the Non-Public Information (NPI) that you process.”
When does CCPA take effect?
The CCPA became effective in June 2018 and was amended in August 2018. Enforcement begins six months after the final regulations are published or July 1, 2020 — whichever is earlier.
Certain advocacy groups, such as marketing groups, are lobbying for changes such as the implementation timing and a refined definition of what constitutes personal information. “The Internet Association, which also counts Amazon, Twitter and Uber as members, spent about $200,000 on lobbying since the law was adopted last year,” according to The Washington Post.
Of course, the compliance details are really in the regulations. In some ways, the effective date is a moving target with ill-defined rules. Regardless, you will need to be compliant at the right time — whenever that is.
What can you do now?
At some point in the future (think 2020), you will have to be able to demonstrate legal compliance. This means documenting every policy and procedure you have in place to meet the CCPA regulations. Yes, the regulations are still being refined and amended, but it’s generally accepted that the following parts will need to be included in your company’s adherence plan:
- “Clear and conspicuous” opt out link, database, and procedure
- Consumer request procedures, including databases & forms, for information access and deletion, categories of information, and information-sharing partners
- Collected personal information and categories and the points of collection
- Business contacts, and categories of business contacts, from/with whom personal information and categories are shared
- Description of consumer rights to request, from the past 12 months:
  - Specific collected personal information
  - Categories of collected personal information
  - Categories of sources and recipients (business contacts) from whom personal information is received and with whom it is shared
  - Business purpose for collecting and sharing personal information
  - Deletion of collected personal information (and confirmation thereof)
- Designated methods for submitting the requests outlined above
- Separate lists of specific collected personal information and of its categories, from the past 12 months
- Details of any financial incentive program offered to consumers who opt in to having their personal information collected, shared, and/or deleted
- Link to a “Do Not Sell My Personal Information” page
An added incentive to start now? The CCPA states that once the regulations are enforced, consumers will have the right to make requests that extend to the previous 12 months. You’ll want to include all 2019 data to guarantee compliance.
Opt Out Link
CCPA does allow you to create a separate additional homepage for California residents only, as long as reasonable efforts are made to direct all California residents to that page.
Your Opt Out link must take users to a page that allows them to opt out of the sale of their personal information, without penalty or limitation of access to products and services. The link must also notify users of any financial incentives to opt IN to the collection and/or sale of information.
If a consumer chooses to opt out, you cannot ask again for authorization to sell their information for at least 12 months.
Consumer Request Procedures
Consumers have the right to request information from you, free of charge, up to two times within a 12-month period. CCPA stipulates that you will have to provide procedures for addressing the following consumer rights to information:
- Consumer request for information, including access
- Consumer request for deleting information
- Consumer request for categories of shared & received information, and the business contacts with whom consumer information is shared/received
- Consumer request to opt out of having their personal information sold
Each of these procedures will need to be logged, responded to, and completed; a deletion request also requires confirmation of deletion. Requested consumer data can be delivered via mail or electronically.
You must provide at least two avenues for consumer requests: a toll-free phone number and your website. Most websites, like Kayako’s, don’t yet provide a toll-free number. Do you have a toll-free consumer phone number? If not, add that to your checklist.
Collected Personal Information and Categories
According to the CCPA, “‘Personal information’ means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The CCPA’s definition of personal information is broader than in previous legislation and worth noting: apart from publicly available information, which is excluded, it covers many more potential identifiers.
CCPA personal information includes, but is not limited to:
- Name, alias, signature
- Physical characteristics or description
- Telephone number(s) and physical address
- IP and email address
- Social security, passport, driver’s license, and similar identifiers
- Insurance policy numbers
- Education and employment information, including history
- Bank account and credit/debit card numbers
- Banking, medical, and health information
- Race, color, gender, age, religion, national origin, disability, citizenship, and genetic information
- Property and purchasing history, including products considered and purchasing tendencies
- Biometric and geolocation information
- Online activity, including browsing, search, application, and advertising
There are additional stipulations for consumers under age 16 and under age 13 as well. Those requirements are not detailed in this post because most B2B companies don’t have customers in that age bracket. If you do, visit this website for more information. HubSpot has also published a summary of the requirements related to children.
You will also need to know at which point you are collecting personal information; CCPA states that you must inform consumers about the categories and purposes of collection at the time of or before collecting. This includes online forms, analytics, and some widgets.
Business Contacts: Sharing and Receiving
Consumers have the right to know all business contacts from and with whom their data is being shared, as well as the categories of those business contacts.
You will need to be ready to respond to consumer requests, going back up to 12 months from the eventual CCPA effective date. To do this, identify all business contacts from whom you receive and with whom you share consumer information. You will also need to know the categories of information received from and sent to each business contact.
Consider amending your vendor contracts to ensure adherence by your data sharing partners.
After you have defined a privacy plan, created your procedures for handling consumer requests, and identified what information is shared with whom, you’ll need a training plan. You are obligated to train all employees who will receive and process requests on the CCPA and other pertinent privacy laws and personal data protocols, and on where to direct consumers who request more information about the applicable laws.
What are the Unknowns?
At this time, there are several unknowns regarding the CCPA, not the least of which is the exact timeframe for enforcement, set to begin six months after the regulations are defined. The regulations will prescribe the requirements to receive, process, and satisfy consumer requests regarding personal data, but these regulations have yet to be released.
The California Attorney General is already asking for amendments, and well-organized business advocacy groups are lobbying for clarification and modifications.
There are several areas open to interpretation and further definition, including:
- Revenues – Is this only revenues earned in California?
- 50,000 or more consumers, households, or devices – Are these only for California residents?
- “Do Not Sell My Personal Information” – What constitutes a “clear and conspicuous” link? Does it need to be in the header rather than the footer, and does it need to adhere to any particular font size or banner color?
Although currently only enacted in California, consumer privacy legislation has a pattern of starting there and being followed by similar laws in other states, and unfortunately is a sign of our online-oriented times.
This legislation allows for state-imposed fines and private legal action by consumers for violations. The bottom line is that privacy is important – to you as a consumer, to you as a business, and to your customers and their customers. By making efforts to protect against unwanted data sharing for your customers, you’re building trust and treating consumers the way you want to be treated.
Even if you’re not ready to comply with CCPA or aren’t sure you need to, the suggestions in this post can help you get your business on the right track. Take the time now, before fines apply, to get your data policies in line so you’re one step ahead.
Note: We are working through the checklist ourselves to bring ourselves in compliance.
Where to Go for More Information
We are not legal experts nor do we claim to be. With every matter of this magnitude, we encourage you to seek the advice of your legal counsel. For more information on the legal side, visit the California legislature's page on CCPA.