While many corporate employees are winding down to prepare for their family holidays, don't be surprised if your corporate privacy and legal professionals avoid-or hover over-the spiked egg nog at your office party. Why? The California Consumer Privacy Act ("CCPA"), the most demanding privacy law enacted in the U.S., is about to become effective January 1, 2020. Given these CCPA compliance costs and risks, a risk assessment may be appropriate to determine which of these CCPA compliance/risk management needs may still be on your company's holiday wish list:
With CCPA amendments signed into law by Governor Newsom as recently as mid-October, and CCPA regulations proposed by the California Attorney General still not final, companies doing business in California are still figuring out what their compliance requirements will be on January 1, and continuing thereafter.
Enforcement of the regulations will be delayed until six months after issuance of the Attorney General's regulations, or July 1, 2020, whichever is sooner, but will likely be retroactive to the statute's effective date. However, there will be a new private right of action for data breaches for lack of "reasonable security measures."
The business cost to comply with the CCPA disclosure law is significant, as compliance requires new disclosures, essential employee training, new procedures for responding to consumer requests, and recordkeeping. The California Department of Finance estimates the cost of CCPA compliance will range from $50,000 to over $2,000,000, depending on the size of the business and the scope of its data processing operations[1].
Wish No. 1: Can My Company Avoid CCPA Compliance?
This may appear to be grandiose wishful thinking. If your company is a for-profit business in California and collects the "personal information" ("PI", as broadly defined in the statute) of California consumers (or California residents), your company will have CCPA compliance obligations. Even if your company only serves enterprise customers and not individuals (with the exception of sole proprietorships or individually-owned businesses), and has California-based employees or job applicants--also protected "consumers" under the CCPA--you will have CCPA compliance obligations, though in 2020, the obligations have been limited to notice and data breach requirements. However, non-profit companies are exempt. Small businesses are also exempt if they do less than $25 Million in gross annual revenue and do not buy, sell or share the P.I. of 50,000 or more consumers annually.
Wish No. 2: We Have Got A CCPA-Compliant Privacy Policy
A one-size-fits-all privacy policy that does not comply with CCPA disclosure requirements will no longer do. A CCPA-compliant privacy policy must inform California consumers of:
- Their CCPA privacy rights, including the categories of personal information that is collected, disclosed and sold about consumers;
- The right to opt out of sales;
- The right not to be subject to discriminatory treatment by exercising their rights;
- The business's verification process for consumer requests, including the information consumers must provide for verification; and how to designate an authorized agent to make requests on their behalf;
- A company contact for more information;
- Date of the last update to the privacy policy;
- For large businesses (that buy, receive, sell or share the personal information of 4 million or more consumers), they must publish metrics on the number of requests to know, delete and opt out that it received, complied with or denied, and the median number of days to respond.
Wish No. 3: We Have Met The Notice of Collection of Personal Information Requirements
A business that collects personal information online can satisfy the notice requirement by providing a link to the business's online privacy policy. However, where personal information is collected offline or by a printed form or application, a business must provide the consumer with a paper version of the notice or "post prominent signage in the business location directing consumer to the Web address where the notice can be found." If you are a financial institution subject to The Gramm Leach Bliley Act or similar annual privacy notice requirements, consider incorporating your CCPA notice within your GLB notice.
Wish No. 4: We Have Given Proper Notice of the Right to Opt Out of the Sale of P.I.
If a business does not and will not sell personal information under the CCPA during the time period in question; and states this in its privacy policy, then it is exempt from this notice requirement. Otherwise, if it does sell or in the future will sell their personal information, it must give notice of the right to opt out of the sale of P.I. This notice must include information about the web form and any offline method through which consumers can submit their optout requests. A business that sells personal information must also have a "Do Not Sell My Personal Information" or "Do Not Sell My Info" link on its website homepage or the download or landing page of its mobile application. Ideally, you have worked with our Web developer to design it and included a link to it in the footer of your privacy policy. Finally, if an opt out request has been received, you have the duty to notify any third parties to whom the P.I. has been sold and instruct them not to further sell the P.I.
Wish No. 5: We Have Examined and Updated Our Vendor Agreements with all Third Parties
For this wish to come true, we have had our CIO/CISO/privacy professionals map our data flows for "personal data", "personal information" and data that has been "sold", with any gap assessments having been determined. Have you set up a systematic internal program for data mapping? What relationships do you have with third parties that involve the sharing of personal information of California consumers? Does the service provider exemption under the CCPA apply so that there is no data mining but only servicing our business alone pursuant to our contract? Do these third parties share P.I. with other third parties? Have we included a provision to prohibit the use, retention or disclosure to any third party? Is there a verifiable request mechanism included to respond to consumer requests within a time certain (i.e. 30 days of receipt)? Do the agreements include specific terms agreeing to comply with the CCPA, and not to share the P.I. of your consumers with other third parties without your and/or consumer consent? Have we required our vendors to implement reasonable security measures for the personal information that we share/sell to them? Finally, have we updated the indemnification and limitation of liability provisions to provide for CCPA risk, and required the vendor to obtain cyberinsurance liability coverage?
Wish No. 6: We Have Trained Staff and Procedures in Place to Respond To Verifiable Consumer Requests for Disclosure or Deletion with an Appropriate Verification Regime
We have employees trained on the CCPA and what the requirements are, including timelines for responses to consumer requests to know and to delete personal information (10 days to confirm receipt and a description of the verification process-whether for password protected accounts or otherwise; 45 days to respond (90 days if provide explanation for extension of time). We have a two-step deletion procedure, providing for confirmation that the consumer wants their personal information deleted prior to executing the deletion request, assuming no statutory exceptions apply. As provided in the California Regulations, we have implemented risk-based verification procedures appropriate to the type, sensitivity and value of the personal information and any risk of harm to a consumer that would result from unauthorized access or disclosure. We have established new record-keeping requirements so that we maintain a record of each consumer rights request for at least 24 months.
Wish No. 7: Our Vendors Have Demonstrated Compliance
Our vendors have completed third party assessment reviews (including a cybersecurity evaluation) and they are or will be CCPA-compliant effective Jan. 1, 2020. We have obtained information on their data retention practices, and their access request and deletion processes/practices. We have identified incident notification channels and processes. We have reviewed our and their data maps and data flows and whether there is any onward transfer occurring. If appropriate, we have reviewed their CCPA compliance white paper.
Wish No. 8: We have Implemented Reasonable Security Measures To Prevent Data Breaches
Our CISO has implemented the Center for Internet Security Critical Security Controls, we have a written information security plan, we conduct periodic risk assessments, and we use robust redaction and encryption methods (as needed). Depending on the sensitivity of the personal information that we handle, these steps should minimize the risk for and CA AG penalties or a private action for data breach for failure to maintain reasonable security measures.
Even if all your CCPA Christmas wishes have not been fully realized by January 1, 2020, as with the EU's GDPR, compliance will be an ongoing effort for affected businesses.
Note: This Bulletin is not intended as legal advice. Readers should seek professional legal counseling before acting on the information it contains.