California Raises the Bar on Consumer Privacy
The California Consumer Privacy Act gives the state’s residents the ability to see and control the personal data companies have, share and sell. The privacy act started as a ballot initiative in early 2018 and was signed into law just a few months later in June. After first-round amendments were approved, the effective date was set as January 1, 2020, with an enforcement of July 1, 2020.
While it establishes rights to individuals, the California Consumer Privacy Act (CCPA) offers exemptions to some types of firms, particularly those involved in health care. The law raises the bar for companies involved in social media to provide effective control of personal data.
Alistair Mactaggart, a California real estate developer, introduced the original ballot initiative. While at a party where he overheard a technology employee’s conversation about data collection, he realized information privacy should be a major concern. The incident occurred just as the Facebook–Cambridge Analytica scandals were at the forefront of the public’s mind, and the General Data Protection Regulation, or GDPR—a similar regulation to CCPA—was looming in Europe.
Mactaggart formed his CCPA ideas about privacy by focusing on three core concepts: transparency, control and accountability. The privacy ballot initiative for the act received more than 630,000 signatures, almost twice the number required to be included on the California election ballot.
Based on this strong indicator that the initiative would pass, and the implication that it would be effective immediately rather than going through the usual legislative process, lawmakers made a deal with Mactaggart to pass a regulation based on the original ballot’s three principles. The new ballot initiative had a later enforcement date and various other changes, such as less in-depth disclosures that still provided consumers with fundamental rights. With this, the CCPA was developed and approved without waiting for an election cycle.
The act applies to any business either inside or outside the state that collects personal information on California residents and has gross revenues of more than $25 million; annually buys, sells or shares the personal information of at least 50,000 consumers with other companies; or derives 50 percent or more of its revenue from the sale of personal information. Protected data includes any information that can directly or indirectly identify an individual, such as name, driver’s license information, address, passport number, Social Security number and email address.
The CCPA affords California residents several rights. They have the right to opt out of the sale of their personal information. Businesses that sell personal information are required to provide a “clear and conspicuous” link titled “Do Not Sell My Personal Information” on the homepage of their websites.
Under the act, consumers also have the right to understand what is collected about them; to receive clear information regarding the categories of information a business collects; and to know if their personal data is sold or disclosed to other companies and the names of those entities.
When consumers request this information, organizations must name any third party to whom the data was sold. Businesses must respond to requests or notify the customer of the extension within 45 days. If reasonably necessary, businesses can extend this time frame by an additional 45 days.
Because of the strict time limitations to review and respond to these rights inquiries, organizations should have a centralized source where all requests ﬂow for review. Records need to be retained, indicating the day the request was received and the due date for response.
By compiling a data inventory and completing a data mapping exercise, organizations can easily respond. Businesses that do not yet have a personal data inventory or map should prioritize organizing any California personal information processed and review the plan continuously to ensure it is updated.
One way organizations can facilitate customer interactions is by developing templates to respond to each type of request, which facilitates consistency and promptness. Records should document actions, such as fulfilling the request, denying a request due to exemption or extending the time to reply.
To give consumers the most control, organizations can offer a granular opt-down and opt-out option regarding the sale of their personal information through the preference center. Once a consumer chooses to opt-out or opt-down, the company must honor the request for a minimum of 12 months before seeking additional permissions from the consumer to sell the personal data. Professional associations are seeking clarification on the opt-down approach, and the California attorney general may provide thoughts about this practice and whether it will be allowed under the CCPA.
In addition, consumers have the right to access their personal information and receive a free copy of their processed personal data via email or other electronic means. The act also offers consumers the option to transfer that information to another entity. Consumers can request their data be deleted from any business profiles.
Organizations are prohibited from discriminating against consumers for exercising any of these rights. Specifically, businesses cannot deny goods or services, charge different prices for goods or services, impose penalties, provide a different level of quality of goods or services, or suggest that the consumers will receive a different price for the goods or services. However, the CCPA does allow companies to offer different levels of goods/services if they are equitable to the value lost by not being allowed to monetize a customer’s data.
The act provides for certain processing activities that are exempt from the standard CCPA requirements. It does not restrict a business’s obligation to adhere to federal, state or local laws; comply with a civil, criminal or regulatory inquiry, investigation, subpoena or summons by federal, state or local authorities; or exercise or defend legal claims.
Neither does it restrict an organization’s responsibility to cooperate with law enforcement agencies concerning conduct or activity that the business, service provider or third party reasonably and in good faith believes may violate federal, state or local law. It also does not inhibit the ability to collect, use, retain, sell or disclose consumer information that does not include specific identity data or aggregated consumer information. Similarly, it allows a business to collect or sell a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California.
Furthermore, the CCPA allows for exemptions for personal data collection in certain situations. These include personal information protected under the Health Insurance Portability and Accountability Act, personal information collected by entities governed by the Confidentiality of Medical Information Act, and the sale of personal information to or from a consumer reporting agency, if that information is to be used to generate a consumer report and use of that information is limited by the federal Fair Credit Reporting Act. Exemptions also are in place for personal information collected, processed, sold or disclosed pursuant to the federal Gramm-Leach-Bliley Act, or if personal information is collected, processed, sold or disclosed pursuant to the Driver’s Privacy Protection Act of 1994.
In a time when the Internet is heavily integrated into society and personal information is easily accessible, the CCPA is a start to controlling uncharted territory and setting guidelines for both companies and consumers. More information on the CCPA is available online at www.possiblenow.com/ccpa-compliance-software.
Matt Dumiak is director of privacy services, customer engagement compliance, CompliancePoint, a subsidiary of PossibleNOW.