CCPA- What You Can (and Should) Do Right Now
NOTE: This document is intended for general reference only, and is not to be used for CCPA compliance efforts. Many aspects of both CCPA and GDPR are paraphrased and not fully detailed, while other important items are excluded. Please review the law’s text and, if necessary, contact us to discuss a CCPA compliance program for your organization.
On January 1, 2020, the California Consumer Privacy Act, or CCPA, went into effect. The act gives California residents new rights in regards to their personal data, and imposes new data protection and restriction laws for CA residents. The act applies to organizations doing business with CA residents and earning either greater than $25M or processing information of over 50,000 people; this effectively means that most major companies (US and abroad) are impacted by it.
Within the last two weeks, the final regulations of CCPA were approved and the state’s Attorney General reported that the first enforcement actions were underway. Similar to Europe’s rollout of GDPR, businesses are unsure what these actions will mean in practice. Although penalties are clearly stated ($100-$750 per consumer, per incident, or up to $7,500 per violation), rigor of enforcement, variance of fines, and legal outcomes are yet to be seen. There are, however, several steps that companies can take to mitigate risk now.
Update Your Security and Privacy Policies (on Paper and in Action)
CCPA may be one of the strictest compliance frameworks applied to US companies currently; reviewing documentation and policies is critical to ensuring compliance. This means not only reassessing the content as authored, but checking that the practices themselves (e.g., data management in cloud environments) reflects what’s on paper. As with several other compliance and legal frameworks, however, the standard for security is vague, stating “reasonable security procedures and practices.” Fortunately, a pending amendment to CCPA provides some potential guidance on compliance standards:
“…’reasonable security procedures and practices’ include, but are not limited to, a cybersecurity program that reasonably conforms to the current version, or a version that has been revised within the one-year period before the date of a security breach, of any of the following:
A. The Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology (NIST).
B. NIST Special Publication 800-171.”
While this has yet to be voted on, it does provide some direction in terms of the level of security program the State of California may expect for CCPA compliance.
Enable “Opt Outs”
The “opt out” requirement for CCPA is perhaps the most talked about aspect of the law. This stipulates that CA residents have the right to opt out of PII sharing in a way that’s “reasonably accessible.” It’s similar to the FTC’s opt-out regulations for email marketing under the federal CAN-SPAM Act, which is why emails have “Unsubscribe” links at the bottom of the message.
Requirements for opt outs, such as when they must be provided, how often, and to whom are fairly long and warrant a review of the law itself for complete details. There are several items, however, worth noting:
- If the company exists completely online, opt outs must be made available to anyone who provides an email address.
- If a physical entity also exists, the company must provide a toll-free number for consumers to call and request the opt out.
- In all cases, the company’s homepage and privacy policy page (if one exists, which it should!) must have a “Do Not Sell My Personal Information” link that’s easy to find. This link should direct the consumer to a form to request opt out.
- Companies have 45 days to comply with all requests unless they have a reasonable need to extend this timeframe.
CCPA doesn’t offer specific guidance on how the opt out process works; it very well could be a manual process, so long as that process complies with the organization’s security and privacy policies. Because of the potential for human error, the difficulty in tracking, and the general effort of manual compliance, an automated process is preferred and discussed below.
Enable Verification and Accessibility Systems
Similar to the opt out requirement, CCPA provides consumers the ability to request, change, and delete all PII held by the company no more than two times in a twelve-month period. Accessibility requests can be handled just as opt outs are; via web form and phone at a minimum. Again, a manual system for this, provided it’s within policy, is fine under the law, but not the easiest or safest solution. Employees managing these requests must be familiar with all internal security and privacy policies, as well as the CCPA requirements themselves. This would mean that a typical customer support representative would need to undergo extensive training to be qualified to handle CCPA requests. Therefore, it’s easier to automate this, which limits human interactions and lessens the chances for noncompliance and general mistakes.
A high level automation overview might look like the following:
- A user submits a “right to be forgotten” request through a web portal form.
- The form contents are saved as a file in a storage bucket like AWS S3 or GCP GCS.
- When a file lands in the bucket, it will automatically trigger a serverless function, such as AWS Lambda or GCP Cloud Functions.
- This serverless function will read the contents of the file to determine the user’s name or identifying information it can use to search through the databases or PII locations in the cloud environment.
- Once the user’s information is located, the serverless function will mask or delete the records and log the success or failure of the process.
Consider Consent Requirements
CCPA provides data protection for minors, requiring consent for children 16 and younger if data is to be sold:
- If under 13, the company must obtain “opt in” consent from the minor’s parents.
- If 13-16, the company must obtain “opt in” consent from the minor directly.
This means that, as with opt outs and accessibility, a process for obtaining and storing opt ins should be built into the cloud environment (even though a manually obtained list would be acceptable, it’s not sustainable). These records need to be easily retrieved if requested by the minor or their parents, or by legal authorities, as with the other records mentioned above.
Note: CCPA does not preempt (override) the federal Children’s Online Privacy Protection Act, or COPPA, which has very strict controls on the use of minors’ data. Systems built to comply with CCPA should take COPPA into consideration.
CCPA vs. GDPR
The EU’s General Data Protection Regulation, or GDPR, has been in effect for more than two years. Many US companies have been forced to adopt the GDPR framework, as it covers entities in any country that monitor, store, and/or process EU citizens’ data. CCPA shares some traits with GDPR, meaning compliance for organizations doing business in the EU may already have some controls in place.
| CCPA | GDPR | |
|---|---|---|
| Who’s Covered? | Any for-profit entity doing business in CA that - has revenue over $25M - buys, sells, and/or trades data for 50k+ consumers, for profit, OR Gets 50%+ of revenue from selling PI |
Anyone owning or processing data (“data controllers” and “data processors”) of EU citizens (“data subjects”) |
| Opt Outs | Business must: - Enable and comply with an opt out procedure in line with CCPA guidelines - Have a “do not sell my personal information” link in homepage and privacy statement |
- Right to opt out of data processing for marketing reasons - Right to withdraw consent for processing data |
| Privacy Notices | Businesses must notify consumers about the type of information collected and how it’s used. | Same as CCPA, but companies must also note if the data is collected directly or by a 3rd party. |
| Access to Data | Consumers have the right to request and receive their data within 45 days. No right to data correction. | Consumers have the right to request and receive their data within one month. Right to correct and complete data. |
| Security | No specific requirements, but entities must follow “reasonable security procedures and procedures.” A Right of Action can be filed in event of a breach. | Businesses must take “appropriate technical and organizational measures” to provide adequate security. |
| Minors | Opt in process for minors 16 and under, and only for the sale of data. COPPA still applies. | Opt in for children 16 and under, but age may vary in different member states. Tighter security regulations on minors’ data, and opt in is for all data collection. |
The full impact of CCPA has yet to be understood; it will likely be a few years before the State of California will complete prosecution of the first entities held accountable under the law. With CCPA being the first major consumer privacy act to mirror GDPR within the US, however, it’s expected to have a measurable influence on data collection. While there are many unknowns, basic compliance measures can be taken now, with the added benefit of further securing an entity’s data in the process.
Thank you to Jason Dyke for his technical contributions.