CCPA – The CA Consumer Privacy Act Compliance Survival Guide

2019 is the year of the CCPA for business compliance professionals in the United States. When the CA legislature passed the California Consumer Privacy Act (CCPA) in June 2018 with an 18-month implementation window, it created the most comprehensive privacy law in the United States and setup a debate throughout state legislatures and Congress about which measures, if any, should be copied.

The new privacy law follows in the footsteps of GDPR and Cambridge Analytica, which dominated the privacy and compliance discussions of 2018 and continue to make news this year, with EU data protection authorities anticipating fines for noncompliance in the hundreds of millions of dollars. Not to be outdone, the Federal Trade Commission in the United States entered into a consent order with Facebook to resolve its investigation into the Cambridge Analytica scandal for $5 billion and another twenty years of compliance monitoring.

Amidst this backdrop, the CCPA law will go into effect on January 1, 2020 after months of lobbying by consumer advocacy groups, industry organizations and businesses. With just a few months to go before the deadline, there is still a tremendous amount of work to be done. The California legislature is wrapping up its consideration of CCPA amendments. It has narrowed more than a dozen privacy bills down to six focused measures to be passed by the Senate and Assembly before they are signed by the California Governor.

The California Attorney General has worked on developing the first draft of the CCPA regulations for at least eight months now. They are expected to be released for public comment this fall and will likely reinvigorate the intense debate between businesses and consumers over data privacy protections. When the final version is published over the winter or early next year, businesses will have the final picture of the privacy law less than six months ahead of when the AG will begin enforcement.

This leaves the CCPA law and its interpretation up for debate for a few more months even as companies are midway through their compliance preparations. The CCPA text was already amended once last year by SB-1121 and its initial technical amendments. If you want to see a copy of what the text will look like if the six remaining amendments pass with their current changes and are signed by the Governor, please contact Clarip and we will send you our working copy.

A number of other states proposed similar privacy laws during the last legislative session. Some copied the CCPA verbatim, while others put their own spin on the legislation. No state has passed a comprehensive privacy law to follow up on the new California law yet, although a few agreed to study the issue ahead of future legislative sessions. If CCPA implementation goes relatively smoothly, there is a good probability that a few states will jump on the bandwagon and give the protections to residents of their own state as well.

CCPA vs GDPR

Companies spent millions of dollars preparing for the European Union General Data Protection Regulation (GDPR) last year. Although the CCPA borrows from the GDPR, it does not copy it. The CCPA excludes businesses which do not meet its size thresholds as well as nonprofit organizations, instead of applying to all organizations. Additionally, there is no mention of privacy by design or data protection impact assessments. It skips the requirement to establish a lawful basis for processing, and requires only a limited opt-out for adults for the sale of personal information, instead of the express, opt-in consent of GDPR.

CCPA Compliance

Businesses preparing for CCPA are working on four major areas. The first is data mapping to understand all of the data they are collecting, how they are processing it, and with whom they are sharing it. The CCPA does not make data mapping a core requirement. However, it is an important aspect to compliance for businesses that want to be able to meet the law’s disclosure requirements, identify their service providers to establish an exception to the right to opt out, as well as find the personal information for efficient responses to consumers exercising the right to access and delete.

The data subject access rights are the second major area. Businesses must give consumers the right to access and delete their personal information, which involves allowing them a mechanism to submit requests, verifying their identity, finding their personal information, executing the request and responding to the consumer within the designated time period.

The third major area relates to consent management. CCPA requires covered businesses to gather opt-in consent before selling the personal information of children under 16 years of age, as well as permits adults to opt-out of the sale of their personal information. Businesses are required to post a Do Not Sell My Personal Information link which allows California consumers to opt-out, as well as qualify their vendors as service providers in order to continue sharing after an opt-out.

The final major area involves beefing up cybersecurity preparations. Although California did not impose new cybersecurity requirements as part of the privacy law, it permits consumers to file a lawsuit to seek statutory damages of between $100 and $750 per person per incident following a data breach where reasonable security procedures were not in place. As a result, businesses that want to avoid class action litigation should take additional steps to make sure that they do not have a data breach involving unencrypted personal information as well as have a strong compliance program for data protection in place.

Looking for Help? Get started on our CCPA guide.