The CCPA goes into effect 1/1/20. Are you ready?

When our Director of Operations, attorney Rian Kinney, presented her talk, Privacy: How to Survive aCCPAcalypse 2020 at WordCamp US on November 1st she emphasized that she was discussing the California Consumer Protection Act going into effect in two (2) months not just because California, as an individual state, has the 5th largest economy in the world but because where California goes in regulating the internet, the rest of the United States will follow. 

On November 11th, the same day Rian’s CCPA talk was published to, Microsoft announced, “We are strong supporters of California’s new law and the expansion of privacy protections in the United States that it represents … Microsoft will provide effective transparency and control under CCPA to all people in the U.S.”

Julie Brill, Microsoft Corporate Vice President.

The CCPA is the toughest US privacy regulation to date and its impact will be felt by almost every organization that does business in California or handles personal information of California citizens.

Quick and Dirty Facts About the CCPA

What is the CCPA?The California Consumer Privacy Act (CCPA) grants California residents with data protection rights and more control over what is collected and shared about them. 

These rights include the right to bring a private cause of action (sue) for data breaches. The CCPA also prohibits class action waivers and mandatory arbitration clauses so you can expect to see a rise in class action suits for data breaches brought by consumers under this law.
When does it go into effect?January 1, 2020. The Attorney General will begin enforcing the law on July 1, 2020, though consumers will be able to begin requesting data collected on them for the 12 months prior, beginning on January 1, 2020.
Is my for-profit company affected?For-Profits must comply with the CCPA when working with any California resident’s information when at least one of the following three criteria apply to your business:

1. Annual gross revenue of $25 million or more; or
2. Buys, receives, sells, or shares the personal information of 50,000 or more consumers, households or devices per year
3. Earns 50% or more of its annual revenue from the sale of consumers’ personal data
What about non-profits?Non-profits are currently exempt from having to comply with the CCPA, however, there have been several amendments proposed which seek to apply the CCPA to non-profts. So stay tuned. 
My company isn’t based in California. Does the CCPA still apply?Like the GDPR, the CCPA protects the user’s rights regardless of where the business is located. If your business is collecting data, what’s important to look at is where the user (consumer) is located, not the business. 
What are consumers’ rights under the CCPA?California residents have the right to:

1. Know what personal information is being collected about them
2. Know whether their personal information is being shared and to whom
3. Access the personal information you’ve collected
4. Opt-out of the sale of their personal information
5. Anti-Discrimination for the exercised their privacy rights.  This includes denying goods or services, charging different prices, or providing a different level or quality of service. However, a business is able to offer a consumer’s different rates (or
service) if that difference is reasonably related to the value of the consumer’s data.
What does “personal information” mean?In the context of CCPA, personal information is quite broadly defined and likely includes all data you’ve ever collected for a consumer or digital visitor. The CCPA specifically defines it as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked directly or indirectly with a particular consumer or household.

This covers Personally Identifiable Information (PII) previously defined by CalOppa, such as name, address, social insurance number, etc. But it also includes any information about that consumer that can be linked to them. This would include geo-ip, page visits, purchase history, and so on. In other words, if you’re collecting information and users and visitors, it would fall under this regulation.
What are my disclosure requirements?Either before or at the time of collecting personal information, your business has to provide the categories and specific pieces of information collected; the sources where the info. was collected from; the purpose of the collection; which categories will be shared or sold; and a disclosure of the consumer’s rights.

Disclosure requirements are still being decided through public forums and will ultimately be decided by the California Attorney General. 

General Requirements are:

• Clear and prominent link to your privacy policy
• The privacy policy must include the disclosure elements listed above, including all third parties who may receive the personal information
• A clear and conspicuous link titled “Do Not Sell My Personal Information” on the home page and privacy policy.
What does sharing personal information and with whom mean?The CCPA discusses sharing data with third parties and the “sale” of personal information. The distinction between these two is still being defined. Selling personal information is held to a higher standard than sharing.

While the definition of “sale” under CCPA is broad, note that it’s more than just a monetary exchange. A “sale” is any kind of consideration or benefit you get in the exchange of data, eg, sharing data into a cookie pool gives your company benefits. This is also considered a “sale” of data.

In general, you’re sharing and not selling when one of the following apply:

• Disclosing under the intentional direction of the consumer
• Using an identifier to indicate to a third-party that a consumer has opted-out of selling of their data
• Disclosed to a service provider. To qualify, the disclosure must be for a business purpose; pursuant to a written contract that prohibits the further disclosure of the personal information
• You’ve provided a compliant notification to the consumer that the information will be disclosed in this way
• The service provider doesn’t further use the personal information except to accomplish the business purpose.

If the sharing of information doesn’t meet the above criteria, you must enable the consumer to opt-out of the disclosure of information.

You will need to carefully consider the written contracts that you have with third parties that run on your website to ensure that you and they are CCPA compliant. Consider a tool such as to know all of the run-time third-party tags and cookies executing on your s
What does opt-out of the sale of personal information mean?The CCPA requirements for the sale of personal information has three components:

• Disclosure of any selling of personal information as defined by the Act. At minimum this must be in your Privacy Policy. Although not defined yet, it will likely also need to be disclosed more prominently at the point of data collection.
• A prominent and conspicuous link titled “Do Not Sell My Personal Information” on your home page and in your privacy policy.
• A place on your website where the consumer can exercise their various privacy rights under the Act including opting-out the sale of their personal information.
I’m already GDPR compliant. Am I CCPA compliant, too? No. The GDPR exceeds the CCPA in granting users/consumers privacy rights in many regards, but the CCPA has very specific requirements around the sale of personal information (not required under the GDPR such as a ‘Do Not Sell My Personal Information’ link to a consumer portal on your organization’s home page). 

While there is some overlap, there is also a lot of variance between the 2 laws, your privacy professional should work to identify, analyze, implement, and monitor additional privacy compliance if your organization is subject to the CCPA.
What’s the best way to become CCPA compliant?Hire a privacy consultant or attorney to review your privacy policy and website disclaimers on at least an annual basis.

Work with a web development agency that prioritizes Privacy by Design principles and is able to assist with:

• Data mapping and privacy audits
• A notice-and-consent solution installed to ensure consent & notification compliance
• a tool to identify all daisy-chained third-party vendors to ensure you know which third parties you’re potentially sharing personal information with

Additional Resources

CCPA Website – California Office of the Attorney General

CCPA Fact Sheet – California Office of the Attorney General

Data Breach Laws of all 50 states – National Conference of State Legislatures

U.S. State Laws Related to Internet Privacy – National Conference of State Legislatures