Just as we always welcome the new year on January 1, new regulations and requirements are there to greet us as well. One new law causing a lot of activity is the California Consumer Privacy Act (CCPA). First signed into law in June 2018, the CCPA took effect on January 1, 2020. Despite the CCPA 2020 enforcement date, the law has a 12 month lookback period for information that needs to be provided to consumers. This means that your organization needs to document and understand how it collects, uses, and shares consumers’ personal data dating back to January 1, 2019.
Similar to the European Union’s General Data Protection Regulation (GDPR), this law vests California residents with rights to control how their data is used. GDPR, in effect since May 2018, created many implementation concerns within the marketplace, and the CCPA is expected to cause the same concern. The uncertainty surrounding the appropriate steps to achieve compliance is steadily increasing with the arrival of the CCPA deadline—and will only escalate further as some companies try to balance the state law and federal law with their consumers, including non-California residents.
How does this affect you?
California has a population of 39 million people—and, through the use of technology and a more transient society, there is a high likelihood of your company conducting business with a resident of California, no matter where you are located. In addition, California is not likely to be the only state to enact a privacy law that vests so much power in the consumer to control their data.
Other states are likely to follow in California’s footsteps. Maine and Nevada recently enacted laws to allow consumers to opt-out or protect online consumer information. Hawaii, Massachusetts, Maryland, New York, Pennsylvania, and Virginia also introduced privacy legislation.
CCPA Requirements: How Does This Apply To Almost Everyone?
In general, the CCPA applies to a business that:
- Does business in the State of California
- Collects the personal information of California residents
- Alone or jointly determines the purposes or means of processing that data
- Satisfies at least one of the following:
- Annual gross revenue exceeds $25 million
- Alone, or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares (for commercial purposes) the personal information of at least 50,000 consumers, households, or devices
- Derives at least 50% of its annual revenue from selling consumers’ personal information
However, uncertainty still exists on the appropriate steps to meet these criteria—especially now that the deadline arrived. For example, does the revenue have to be from California sources or does it apply to the organization in its entirety? It is expected that some of this uncertainty will be addressed when the California Attorney General's regulations are finalized in the first half of this year.
What Does CCPA Mean For Risk Management?
If your organization does qualify as a business under CCPA regulation, it is recommended that you evaluate your data collection and ensure that adequate processes are implemented to address consumers’ requests for monitoring their private information.
The first important step is to determine what personal data falls under the regulation. Unlike the Regulation P: Gramm-Leach-Bliley Act (GLBA), a privacy law for financial institutions, or the GDPR, the definition of personal information is much more expansive. In addition to the personal identifiers found in GLBA—such as name, address, and social security number—CCPA expands the definition to include:
- Medical/health information
- Legally protected characteristics
- Commercial purchases, biometric information
- Internet or network activity information
- Geolocation data
- Sensory information
- Employment and education information
- Inferences drawn from collected data
The Rights of the Consumer Lead 2020
In this new decade, the CCPA empowers the consumer to have more control over what happens to the personal information shared with different organizations.
The consumer has a right to request that a business disclose the categories and specific pieces of personal information that is collected about them, the sources where the information is collected, the purpose of the collection, and the categories of third parties with whom the information is shared. The consumer will now have the right to request that businesses and their service providers delete their personal information.
Some exceptions to this provision do exist. For example, a business is not required to delete information that is needed to complete the transaction for which it was collected, to comply with a legal or regulatory obligation, or to protect against fraud. Any personal information collected, processed, sold, and disclosed pursuant to GLBA is also exempt from CCPA requirements. If a business sells personal information, the consumer has the right to opt-out. If a consumer chooses to exercise their rights under the CCPA, the business cannot discriminate against them by charging a different price or denying goods or services.
New Year, New Disclosures: CCPA Updates
As with any law that grants consumers new or additional protections, disclosures must be provided. Under the CCPA, a business that collects personal information must, at or before the point of collection, inform consumers as to the categories of personal information that is being collected and the gathered information that will be used for its intended purposes. The business cannot collect personal information beyond what is stated in the notice.
CCPA Compliance Checklist
For many financial organizations, compliance will be an expansion of their GLBA program. For others who never faced such requirements, it will require the introduction of a new program. Below are important steps to consider on your road to CCPA compliance.
Phase 1: Due Diligence
In this phase, you need to answer a few questions about your activities, such as:
- Where are your consumers?
- What data are you collecting?
- What are you doing with it?
- What are your plans for it?
- Where is it?
For those businesses that are not located within or near California, you may need to determine your consumers’ residence.
Because this law only applies to California residences, if a consumer is located further away from the state, your company may need to work with business lines to determine if loans were originated or deposit accounts were opened by a California resident.
Once this is determined, the next step is to discover what types of data you are collecting from California consumers. Many more data types fall under the CCPA than the GLBA. This identification can be completed through the performance of risk assessments or other data mapping tools. This process allows you to document what your business collects from consumers and see which state law applies to which consumer.
Data mapping is not limited to your consumers and should include third parties as well. Ensure that any third-party vendors are also compliant with the requests of your consumers. If a consumer requests for certain data to be removed from your records, and that same data is also held by a third-party vendor, the vendor must also remove the data.
Phase 2: Remediation and Documentation
After you determine where data originates from—along with its usage and storage—solid programs regarding the rights process, security, incident response, and data use are needed. You will also need to update documents such as disclosures, consumer consents or opt-out notices, vendor contracts, and privacy policies.
Internal communication and training is also critical. Many employees are not up to date on the new privacy laws and the effect they have on their job and consumer interactions. Trainings should include an introduction to the guidelines and processes needed to address data usage and behavioral targeting through marketing activities.
Phase 3: Updating and Maintenance
Once your program is set up, you should conduct routine reviews and maintenance every 12 months as required by CCPA’s statement regarding privacy policies that are communicated on websites. An ongoing review of data collected and where consumers reside should also be conducted as business can change over the course of a year.
Implementing automated solutions to help your business move through a substantive privacy compliance program should be considered. Such solutions can scan systems to determine where data is held so you can efficiently respond to consumer requests for information or deletion.
Another option is to perform risk assessments on your business processes, third parties, and technologies. Automated systems allow for full-spectrum visibility, and give the robust reporting needed to comply with the regulation. Furthermore, use of assessments through such a system allow responsible parties to view control gaps and begin the process of remediation.
For additional information on the CCPA, please visit the Attorney General’s California Consumer Privacy Act homepage or contact WolfPAC Solutions at (617) 439-9700.