The California Consumer Privacy Act (CCPA) launches on Jan. 1, 2020. Businesses are wisely beginning to prepare. As we start looking at the practicalities, here are some potential real world scenarios and solutions to consider.
Our business received a request for access to all personal information. What are our options to confirm the requester’s identity?
After receiving a request for access to personal information, the business is allowed to validate the request, to confirm the requester is who they claim to be. This may include confirming that the request was made by or on behalf of a California consumer, because they are the persons with these rights.
The business must respond within 45 days of a verifiable request. The deadline may be extended once by 45 more days “when reasonably necessary,” as long as the requester is provided notice of the extension within the initial 45-day period.
If the business needs additional information to validate the request, it should ask for the minimum amount it needs to validate the request. This protects the requester's privacy further and supports data minimization on the part of your business. One suggested approach is to ask the requester to confirm personal information that you already hold, rather than ask the requester to provide new data. This could include data linked to the requester's profile: for example, requiring the requester to log in to the account, or to confirm an account or transaction detail that only the account holder would know. Never ask a requester to send a password by email or in the request form; a password sitting in a mailbox or ticketing system is itself a security exposure, and the business should not be handling passwords outside its normal login flow. Likewise, avoid relying solely on details that are publicly available (name, mailing address), since those do not prove that the requester is the consumer.
The business should establish a standardized process for validation and follow it. If the business confirmed identity when it first collected the data (for example, by having the consumer click a confirmation link sent to their email address), another option is to reuse that same procedure when validating a request.
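The email-link confirmation described above is only as good as the link. The following is an added example (not from the article or from any named vendor) of how the server side of such a link can be built so that it is bound to the request and to the email address already on file, expires, and can only be used once. The key, request identifier, timestamp and email address are constructed placeholders; a production system would load the key from a secret store and persist the request record.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed placeholder key for the example; load from a secret store in practice.
SERVER_KEY = b"example-key-do-not-use-in-production"
TOKEN_TTL_SECONDS = 24 * 3600  # links stop working after one day


@dataclass
class AccessRequest:
    request_id: str
    email_on_file: str             # taken from the business's own records, never from the requester
    verified: bool = False
    used_nonces: set = field(default_factory=set)  # nonces already redeemed (single use)


def _mac(request_id: str, email: str, nonce: str, expires: int) -> str:
    """HMAC over every field the link depends on, including the address on file."""
    msg = f"{request_id}|{email}|{nonce}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(req: AccessRequest, now: Optional[int] = None) -> str:
    """Build the token placed in the confirmation link emailed to the address on file.

    The email address is covered by the MAC but not carried in the token, so the
    link itself does not disclose personal information if it is forwarded or logged.
    """
    now = int(time.time()) if now is None else now
    expires = now + TOKEN_TTL_SECONDS
    nonce = secrets.token_urlsafe(16)  # urlsafe alphabet never contains '.', our separator
    return f"{req.request_id}.{nonce}.{expires}.{_mac(req.request_id, req.email_on_file, nonce, expires)}"


def verify_token(req: AccessRequest, token: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Validate a token presented by clicking the link; marks the request verified on success."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 4:
        return False, "malformed"
    request_id, nonce, expires_s, mac = parts
    if request_id != req.request_id:
        return False, "wrong request"
    try:
        expires = int(expires_s)
    except ValueError:
        return False, "malformed"
    # Check the signature first, with a constant-time compare, before trusting any field.
    expected = _mac(req.request_id, req.email_on_file, nonce, expires)
    if not hmac.compare_digest(expected, mac):
        return False, "bad signature"
    if now > expires:
        return False, "expired"
    if nonce in req.used_nonces:
        return False, "already used"
    req.used_nonces.add(nonce)
    req.verified = True
    return True, "verified"


def demo() -> Dict[str, object]:
    """Run the failure modes a practitioner should test: tampering, expiry, replay."""
    req = AccessRequest(request_id="REQ-2020-0001", email_on_file="consumer@example.com")
    t0 = 1_577_836_800  # constructed timestamp: 2020-01-01T00:00:00Z
    token = issue_token(req, now=t0)
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")  # flip last MAC character
    results: Dict[str, object] = {}
    results["tampered"] = verify_token(req, tampered, now=t0)[1]
    results["expired"] = verify_token(req, token, now=t0 + TOKEN_TTL_SECONDS + 1)[1]
    results["first_use"] = verify_token(req, token, now=t0 + 60)[1]
    results["replay"] = verify_token(req, token, now=t0 + 120)[1]
    results["verified"] = req.verified
    results["email_in_link"] = req.email_on_file in token
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Because the address on file is part of the signed message, a token issued for one request cannot be redeemed against another, and a requester who supplies a different address in the form gains nothing: the link still goes only to the address the business already holds.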
How can we track and respond to individual access and deletion requests?
This will largely be driven by the size of your organization and amount of personal information you collect. If you have a small business with a few employees and you collect little personal data, you may not get many requests. Prepare established workflow procedures, one for each type of request. Determine who will coordinate and respond by the deadline. Here’s great direction from the IAPP with more detail on designing these workflows.
If you’re a larger organization and anticipate many requests, or don’t have the resources to dedicate to a large volume of requests, you might consider an automated process through a service provider. Companies such as TrustArc, CyberScout and Data Grail offer such tools (no specific endorsement here). They can provide system integration, workflow management and compliance reports.
Our business sells personal information and wishes to keep this option. What do we need to do to keep doing so?
The CCPA doesn’t prohibit the selling of personal information, but it adds an opt-out option that California consumers can exercise. The law requires very specific language in the opt-out link: "Do Not Sell My Personal Information.” It must be in a clear and conspicuous link on the company’s home page. No colors, fonts or other details have been specified, though that could happen in future regulations. Here’s an example of what the link on the home page could look like:
The link must take the requester to a separate internet page where the requester can opt out. Here’s an example of what the opt-out might look like:
No particular language has been set for the opt-out. There is no precise time limit imposed but the business should comply with the opt-out request within a reasonable time.
Our business is updating its data breach preparedness policy. How does CCPA change data breach preparedness or response?
CCPA doesn’t mandate or change anything specifically about preparing for or responding to a data breach. The CCPA states a duty of care on the business to have “reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” Businesses should continue to look to the applicable state(s)’ data breach law for the specifics of how to prepare and respond. For an interactive data breach map that gives an overview of the data breach statutes in all 50 states as well as U.S. territories, click here.
What the CCPA does change about data breaches is that it provides a private right of action and specifies statutory damages. We can expect to see lawsuits filed by individual California consumers or class actions, arising out of data breaches that involved those persons.
Statutory damages of $100 to $750 per California consumer involved in a data breach are now specified. This means that those persons will no longer have to prove actual damages, which has in the past been a considerable hurdle. “Private attorney general” lawsuits will likely also be attempted.
The statutory damages are currently only limited to matters involving data breach. They don’t apply to the entire law. However, the California Attorney General has publicly recommended in a letter to the law’s sponsors that the private right of action be expanded to the entire law.
We collect some personal information that’s also publicly available. Does information that’s made publicly available still count as “personal information” under the CCPA?
Yes, in most cases. The CCPA broadly defines personal information as information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This is the most far-reaching definition in any legislation we’ve seen, even more expansive than the EU’s definition under GDPR. It is broader than, and different from, the enumerated identifiers usually seen in U.S. privacy laws. The key is being able to link the information to a particular consumer.
If the information can be linked to a particular California consumer, the business should interpret it as covered under the CCPA. This is so even if the information appears publicly elsewhere. It would include, for example, information like business email addresses, business phone numbers, and business addresses that are on public websites; and names and other information posted in public chat forums and review sites. In the interest of data minimization, consider whether you need to collect or keep this information.
This information is likely covered even if the consumer has voluntarily consented to give the information. There is no exception under the CCPA for publicly-disclosed information. The CCPA’s concern is what the business does with it.
In getting ready for the CCPA, lead time is important to minimize costs, get processes in place and avoid surprises. It’s a unique law with leading-edge requirements for U.S. businesses. The global wave of data protection laws shows no sign of slowing.
We may well see more California guidance on or amendments to the CCPA in the next months. Your company’s specific situation may vary from these general potential scenarios, and further clarification may be helpful about CCPA in your real world.
Kelly Wilkins has been a Certified Information Privacy Professional/US for five years and has been guiding legal clients since 1991. She advises clients on how to manage risks from data, on data breaches, and on rapidly changing regulations like CCPA. She is a partner at Snell & Wilmer.