CCPA Practice Tip Series
The California Consumer Privacy Act of 2018 (CCPA) went into effect on Jan. 1, 2020, creating an array of new obligations and legal risk regarding the personal information of California consumers for businesses covered by the law. Complying with the CCPA can be challenging, but Robinson Bradshaw attorneys are here to help. We are providing a series of CCPA Practice Tips to help businesses understand the new requirements and implement compliance strategies. Drawing on our experience helping clients to prepare for the CCPA, we will break down the challenge of compliance into small, digestible pieces and address key practical issues facing businesses. Of course, every business covered by the law will need a compliance strategy tailored to its unique circumstances. If you have questions about any of the information provided here or about how the CCPA may apply to your business, please do not hesitate to contact any member of our Cybersecurity and Privacy Practice Group for assistance.
Please note that our CCPA Practice Tips take into account not only the CCPA as amended but also the regulations proposed by the California attorney general in October 2019 and other guidance that may become available by the time of publication. As the text of those regulations could change before they become finalized, we plan to update our guidance here as needed to reflect such changes. Please contact us for the most up-to-date information.
Tip #1: Step-by-Step Approach to Compliance
Published Jan. 2
As the CCPA has now gone into effect, businesses will have about six months before July 1, 2020, when the California attorney general can begin enforcing the CCPA. It could be even longer before the CCPA's implementing regulations are finalized. However, consumers covered by the law can now begin submitting certain types of legal requests to businesses handling their personal information. Businesses also can face litigation under the CCPA's limited private right of action for data breaches of certain personal information.
This first Practice Tip of our series provides an overview of what the CCPA requires from most businesses covered by the law and then outlines a general step-by-step approach to compliance. In future Practice Tips, we will address the applicability of the CCPA, including what types of business are covered and how key terms are defined, and examine important aspects of compliance in greater detail.
Overview of CCPA Obligations
Generally, for most businesses covered by the CCPA, there are four basic requirements that must be addressed from the outset to comply. The business has to do the following:
- Honor consumers' rights to request specific information about what personal information the business collects, uses, discloses and sells about that consumer (a "Request to Know") and to request the deletion of that consumer's personal information collected or maintained by the business (a "Request to Delete").
- Update contracts with service providers and other businesses with which the business shares personal information.
- Adopt commercially reasonable data security measures to protect personal information from unauthorized access, theft or disclosure.
Notably, there are additional obligations for a business that:
- Sells consumers' personal information to third parties, using a special definition for what "sell" means;
- Collects the personal information of individuals under the age of 16;
- Treats consumers differently based on their agreement to provide additional personal information or permit the sale of such information, or based on their exercise of their CCPA rights; or
- Handles the personal information of 4 million or more Californians.
These situations trigger special requirements under the CCPA that are beyond the scope of this Practice Tip. Please contact us for more information if you have questions about compliance in such situations.
Finally, the CCPA's obligations do not currently extend to the personal information of a business's own employees or job applicants or to the personal information of the individual employees or other personnel of business entity clients, customers, service providers or partners/collaborators (e.g., B2B services). The CCPA's obligations around treatment of personal information from these types of individuals have been suspended until Jan. 1, 2021.
Step-by-Step Approach to Compliance
Each business is unique and will need a compliance strategy tailored to its needs. However, we have developed the step-by-step approach outlined below through our experience helping companies prepare for the CCPA. These basic steps provide a helpful framework and starting point for businesses working to comply with the CCPA.
- Gather Relevant Information. In particular, obtain a detailed understanding of personal information "flow" within your business, including what type of information is collected and how it is used and shared. Confirm that your business's databases are configured to handle consumers' Requests to Know and Requests to Delete, such as whether an individual's personal information can be searched and erased. Finally, confirm whether your business "sells" personal information or treats consumers differently based on the permissions given for their personal information.
- Establish Channels for Consumers to Submit Requests. Put in place a toll-free telephone number and an online webform for consumers to submit requests. If your business maintains a password-protected online account with a consumer, also put in place a secure self-service portal for consumers to submit and verify requests. Have personnel who are trained and ready to receive and respond to such communications, and keep appropriate records of the responses.
- Implement Processes for Responding to Requests. Develop an action plan for when consumers submit Requests to Know and Requests to Delete. Special attention should be paid to establishing a secure, sensible, consistent and repeatable process for verifying the identities of consumers submitting requests, so as not to inadvertently expose personal information to the wrong persons.
- Update Contracts with Third Parties. Identify all contracts with service providers and other third parties with whom your business is sharing consumers' personal information. Review those contracts to confirm they feature the commitments required for compliance with the CCPA and update them as necessary.
- Enhance Data Security. For compliance with CCPA cybersecurity requirements, you should consider hiring a chief information security officer or engaging an outside data security firm to assess and help your business implement the appropriate safeguards and align your program with an industry-standard data security framework.
In future installments of our CCPA Practice Tip Series, we will focus on specific steps for compliance in greater detail. Before we do that, however, our next Practice Tip will address the scope of the CCPA and what businesses are covered by the law. If you have questions about any of the information provided here or about how the CCPA may apply to your business, please feel free to contact any member of our Cybersecurity and Privacy Practice Group or any other Robinson Bradshaw attorney with whom you are working.
Tip #2: Which Businesses Must Comply
Published Jan. 9
This second Practice Tip of our series explores the threshold issue of who must comply with the CCPA that has now gone into effect. In general, the obligations apply only to "businesses" collecting consumers' personal information. The CCPA's concept of a "business" generally means:
- Any for-profit entity that
- Does business in California,
- Collects personal information of consumers (including through a service provider),
- Determines the purposes and means of processing such information, and
- Satisfies one or more of the following requirements:
– Has annual gross revenues in excess of $25 million;
– Annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices; or
– Derives 50% or more of its annual revenues from selling consumers' personal information.
"Business" also includes any entity that is an affiliate of and shares common branding with an entity meeting the above definition. This likely covers any affiliate with a shared name, service mark or trademark.
Doing Business in California
The CCPA's phrase "does business in the State of California" is not defined any further in the statute. However, based on prior legislation, it is clear that a physical operation in California is not required. Also, given that the statute includes an exception for situations where every aspect of the collection and use of consumers' personal information takes place wholly outside of California, the drafters of the CCPA clearly believed that businesses domiciled outside of California may be subject to the law. Thus, many businesses located throughout the United States, especially those with an online presence, will likely be regarded as "doing business" in California for purposes of the CCPA.
Collects Personal Information of Consumers
Here "consumer" means any individual California resident. Of course, this is much broader than how the word is typically used. For example, a company's own personnel and job applicants as well as the employees and other individual representatives of its business clients (e.g., when engaging in business-to-business transactions) are technically "consumers" under the CCPA so long as they are California residents. However, because of an amendment regarding this issue, the effective date of the CCPA has been delayed to Jan. 1, 2021, regarding these types of individuals.
Also bear in mind that the CCPA applies both when a business collects personal information on its own and also when the business directs a third-party service provider to collect the information on behalf of the business. Indeed, when service providers are involved, the CCPA includes requirements for what to include in the service agreement.
Determines the Purposes and Means of Processing Personal Information
The CCPA only directly places obligations on a business that "alone, or jointly with others, determines the purposes and means of the processing" of consumers' personal information. Generally, this occurs when the business has a direct relationship with the consumer – that is, they are "your" customer or client – or in other situations where the business is able to dictate and control how the personal information is used. In contrast, service providers that collect, store or otherwise process personal information on behalf of a business client or customer as directed are generally only obligated to comply with certain elements of the CCPA and only to the extent that their business client or customer requires them to do so by contract.
The Extent of the Business, Personal Information and Revenue
Finally, the business must also either (i) have annual gross revenues in excess of $25 million, (ii) annually buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices, or (iii) derive 50% or more of its annual revenue from selling (as defined in the CCPA) consumers' personal information. As to the first threshold, there is some debate over whether the $25 million revenue threshold is measured globally, nationally or within the state of California. Until more guidance is provided, it is safest to assume global revenue should be considered. Additionally, due to the broad definition of "consumer" discussed above, many more businesses will meet the second threshold than a first glance would suggest.
Even if you operate a "business" covered by the CCPA, the law's requirements would not apply to your processing of certain types of personal information, including the following:
- Certain types of personal information already governed by federal or California laws focused on specific industries, such as:
– Health information covered under the California Confidentiality of Medical Information Act (CMIA) and the Health Insurance Portability and Accountability Act (HIPAA);
– Information collected in a clinical trial subject to the Federal Policy for the Protection of Human Subjects (the Common Rule);
– Personal information transferred to or from a consumer reporting agency if such information is already protected by the Fair Credit Reporting Act (FCRA);
– Consumer financial information protected by the Gramm-Leach-Bliley Act (GLBA) or the California Financial Information Privacy Act (FIPA); and
– Personal information covered by the federal Driver's Privacy Protection Act.
- Publicly available personal information from federal, state or local government records.
- Deidentified or aggregated consumer information.
- Information collected and used where every aspect of the collection and use takes place wholly outside of California (e.g., the paper guestbook at a resort in North Carolina).
Tip #3: Scope of "Personal Information" and "Sales"
Published Jan. 16
After determining that the CCPA applies, a business will need to carefully assess so-called "data flows" of personal information in order to develop a compliance strategy. To this end, here are some key questions to be answered:
- What personal information is collected?
- From where and how is it collected?
- How is the information used and stored?
- To whom is it sold or otherwise disclosed?
The answers to these questions will go a long way to defining the scope of a business's obligations under the CCPA. For example, the CCPA imposes stricter requirements on businesses that "sell" personal information, collect the personal information of persons under the age of 16, or treat consumers differently based on their agreeing to the collection or sale of personal information or their other exercise of CCPA rights. Accordingly, for this third Practice Tip, we focus on what counts as "personal information" and "selling" such information for purposes of the CCPA.
"Personal information" is broadly defined in the CCPA. It means "information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
Beyond this general definition, the CCPA provides a list of examples of items that would be personal information if reasonably linked or linkable with a particular consumer or household:
- "Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers."
- The CCPA references another definition of "personal information" in Section 1798.80, which mentions various other types of information associated with "a particular individual," including "his or her … signature, … physical characteristics or description, … telephone number, … insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information."
- "Characteristics of protected classifications under California or federal law." This would cover information about a person's inclusion within a protected class under the law, such as his or her race, color, national origin, religion, age, sex and gender, sexual orientation, physical or mental disability, and veteran status.
- "Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies."
- "Biometric information." The CCPA defines this term elsewhere to mean "an individual's physiological, biological, or behavioral characteristics," including DNA, that "can be used, singly or in combination with each other or with other identifying data, to establish individual identity." Some examples specified by the CCPA are "imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information."
- "Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an internet website, application, or advertisement." Notably, this may include IP addresses and similar data that are collected when a person visits a website.
- "Geolocation data."
- "Audio, electronic, visual, thermal, olfactory, or similar information."
- "Professional or employment-related information."
- "Education information" as defined in the Family Educational Rights and Privacy Act.
- "Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes."
As these examples make clear, the CCPA's concept of personal information goes far beyond the typical categories of personally identifiable information found in U.S. privacy laws. Thus, you must think expansively in the assessment of data flows within your business to identify all personal information that may be covered by the CCPA.
The CCPA does specify a number of exceptions that provide some limits to the scope of personal information subject to the law. For example, "deidentified" personal information, "aggregate consumer information," and "publicly available information" (i.e., information available from federal, state or local government records) are specifically excluded. Furthermore, as mentioned in our earlier Practice Tip concerning the scope of the CCPA, certain types of personal information already governed by industry-specific federal or California laws are also carved out of the statute. Finally, two key areas of personal information have been carved out of the CCPA until Jan. 1, 2021. These are, broadly speaking, the personal information of a company's own personnel and job applicants as well as that of the employees and other individual representatives of its business clients, such as when engaging in business-to-business transactions.
Sales of Personal Information
A business that "sells" personal information faces additional requirements under the CCPA, including more disclosure obligations and the requirement to have a mechanism for consumers to opt out of the sale of their personal information. Accordingly, after figuring out the data flows of personal information, businesses must also determine whether any of their disclosures of personal information would be considered a "sale" for CCPA purposes.
"Sell," "selling" and the like basically mean a business's disclosure of personal information to a third party for anything of value. Specifically, the term is defined very broadly to mean "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration."
As with the concept of personal information, this definition of selling goes well beyond what the term typically means. In particular, "other valuable consideration" could mean a wide range of things, such as getting access to another's marketing list or learning additional consumer insights to help with marketing. Thus, in assessing whether a disclosure of personal information to a third party could amount to "selling" under the CCPA, it is important to consider the whole relationship with the third party and how the business may benefit from the disclosure.
The CCPA does specify a number of exceptions, however. The following transfers of personal information are not considered "sales" under the CCPA:
- A business uses or shares with a service provider a consumer's personal information that is necessary to perform a specified business purpose, but only if the business gives the required disclosures to the consumer and the service provider does not further collect, sell or use the personal information except as necessary for the business purpose. The business should have a written contract that obligates the service provider to comply.
- A consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party (so long as that third party does not, in turn, sell such information except in accordance with the CCPA). An example would be where the business has a mobile app that integrates with another mobile app or online service, transferring personal information to the third party's mobile app or online service at the consumer's direction. For this exception, the CCPA warns that the disclosure must involve an "intentional interaction" where "the consumer intends to interact with the third party, via one or more deliberate interactions," and that "hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer's intent to interact with a third party."
- The business provides an identifier for a consumer for the purpose of alerting the third party that the consumer has opted out of the sale of his or her personal information.
- The business transfers personal information to an acquirer in a merger, acquisition, bankruptcy or similar transaction, so long as the acquirer does not materially alter how the personal information is handled.