Is CCPA Still Happening?
With most of the world focused on the COVID-19 pandemic, it’s been easy to lose track of what we were paying attention to prior to the outbreak. The California Consumer Privacy Act (CCPA) falls into that category for many of us, but not for California’s Attorney General. The groundbreaking privacy legislation, designed to protect the rights of California consumers, went into effect on January 1, 2020 and enforcement will begin on July 1st. The AG’s office has been busy working on proposed CCPA operational regulations and released the second round of draft modifications on March 11th. Many have wondered if the July 1, 2020 enforcement date will be delayed due to COVID-19, but the Attorney General has confirmed that enforcement will start as originally planned.
Should Businesses be Concerned?
The short answer is, “Yes.” For those waiting for the enforcement date to begin considering the impact and compliance obligations of the CCPA, it may already be too late because compliance is backdated to January 1, 2020 and the statute calls for a 12-month lookback period. For those who don’t think their organization is subject to the CCPA, you should find out for sure because fines and penalties are significant for security and operational non-compliance.
CCPA has provisions that address data breaches and unauthorized access, disclosure, or theft of California consumer personal information. If you have not taken precautions to protect California consumer personal information using reasonable security procedures and practices then you may be at risk of civil action with damages from $100-$750 USD per consumer, per incident, or actual damages (whichever is greater). You may also be subject to injunctive or declaratory relief or any other relief the court deems fit. Seriousness of the misconduct and other factors will be assessed by the court in determining statutory damages. The point is that penalties for not reasonably securing California consumer personal information can be costly.
From an operational perspective, the California Attorney General may bring civil action against a CCPA violator that does not remedy a statutory violation within 30 days. Penalties may include an injunction, a monetary penalty up to $2,500 USD per unintentional violation, or a monetary penalty up to $7,500 USD per intentional violation. If you are directly or indirectly subject to the CCPA and are not prepared to handle California consumer requests to know, requests to delete, or requests to Opt-In or Opt-Out in a timely and compliant manner, then you may be at risk. If you are a service provider that collects or processes California consumer personal information or if you hire a service provider that collects or processes California consumer personal information on your behalf, and you do not have a formal process for handling CCPA requests, then you may be at risk. If you buy or sell California consumer personal information and are not informing each affected consumer of their CCPA right to Opt-Out prior to or during the purchase or sale of the information, you may be at risk. Even if you think the CCPA does not apply to you there may still be CCPA-related impacts you did not consider, so you should think about your risks and take appropriate action.
How do you know if your organization is subject to the CCPA?
Our advice is to seek a qualified legal opinion from an attorney with knowledge of both the details of your organization and the CCPA. The CCPA statute itself provides some guidance, but it also contains ambiguities. CertainPoint has compiled several questions based on the statute that might help.
Does your organization conduct business in California?
The term “conduct business in California” is not defined in the CCPA statute, but other California laws are used to define it. From a CCPA perspective, you don’t need to be domiciled or located in California to be conducting business in California. If you engage in business transactions with California entities or consumers, or if you own property or pay taxes in California, then your organization is likely conducting business in California and may be subject to the CCPA.
Is your organization in business for profit or financial benefit?
Generally, if you are a non-profit organization or your organization does not receive financial benefit for business conducted in California, then you may not be subject to the CCPA. Be aware that suffering a loss during a financial reporting period does not necessarily make your organization a non-profit. If you are in business with the intention of making a profit or some other sort of financial gain, then your organization may be subject to the CCPA.
Does your organization collect, distribute, process, use, or determine the purposes and means of processing personal information about California consumers?
“Personal information” is a broad term as it relates to the CCPA. It includes any piece of information that could reasonably be associated with a person, household, or a device that can directly or indirectly connect to the internet. Name or alias, home address, account number, email address, biometric data, Internet Protocol (IP) address, and browser history are just a few examples of what the statute defines as personal information. The entire list is very lengthy, but these examples should give you the general idea.
“California consumer” is any natural person (including a minor child) who is currently or was previously living or domiciled in California.
“Determine the purpose and means of processing” refers to your organization either deciding to use personal information for a business reason, or directing a service provider or third-party to process, buy, sell, collect, distribute, or use personal information on your behalf.
So, if your organization, or any service provider or third-party you have engaged, in some way uses the personal information of California consumers, then all of you may be subject to the CCPA.
Does your organization have gross annual revenues in excess of $25 million USD?
If the answer is Yes, then your organization may be subject to the CCPA. The CCPA statute does not specify if the $25 million (USD) in annual gross revenues only refers to gross revenues received from California transacted business or from all sources. If your response to this question might change depending on your interpretation, then your organization’s legal and financial advisors should be consulted.
Does your organization buy, sell, or receive annually for commercial purposes the personal information about 50,000 or more California consumers, households, or devices?
The term “commercial purposes” is defined by the CCPA statute as “a means to advance a person’s commercial or economic interests.” So, if you somehow obtain or distribute, on an annual basis, the personal information of 50,000 or more California consumers, households, or devices to advance your commercial or economic interests, then your organization may be subject to the CCPA.
Does your organization derive 50% or more of annual gross revenue from selling California consumers’ personal information?
Again, the CCPA statute does not specify if annual gross revenue refers only to revenues received from California transacted business or if it is from all sources. Please check with your organization’s legal and financial advisors if you need an interpretation. If your organization sells the personal information of California consumers and if you determine the percentage of annual gross revenue from selling the personal information of California consumers is 50% or more of your annual gross revenue, then your organization may be subject to the CCPA.
Is your organization a government entity, insurance company, financial institution, medical or healthcare organization, car dealer or manufacturer, credit reporting bureau, or educational institution?
If the answer is Yes, then your organization may not be subject to the CCPA. Some organizations are excluded from most of the provisions of the CCPA and others that use California consumer personal information may be subject to and governed by other privacy laws and regulations outside of the CCPA.
Complex Compliance Obligations
If your organization is subject to the CCPA, there are many specific operational compliance regulations that pertain to required methods of engaging with California consumers, responding to and fulfilling consumer privacy-related requests, notifications about privacy rights and use of personal information, record-keeping and training practices, reporting obligations, data security controls and provisions, website requirements, identity verification, minor consumers and authorized agents, deletion of personal information from backup systems, engagement with service providers and third-parties, discriminatory practices, and monetary valuation of and incentive programs related to consumer personal data – just to name a few!
The list of CCPA operational rules and requirements is overwhelming and very specific in many ways. Organizations that are subject to the CCPA and obligated to comply with the statute and regulations are facing a large and daunting challenge. For those that have not yet started implementing people, process, and technology-related changes to support the CCPA, you may have a significant amount of work ahead of you and a short period of time to do it.
Preparing for Enforcement
Those organizations that are subject to the CCPA and have successfully prepared for the upcoming enforcement of the statute and regulations should be performing their final testing and implementation of their system and process changes and conducting final training of staff responsible for engaging with consumers and ensuring compliance.
What if your organization is one of many that are subject to the CCPA, but didn’t pay much attention to preparing for it, especially while dealing with the challenges of COVID-19?
What can be done at this late date?
CertainPoint recommends you first make sure your organization is, in fact, subject to the CCPA. If you have verified your organization is in-scope, then you should immediately assess your readiness for compliance and determine operational gaps. Create a plan that addresses the gaps in priority order with focused attention to timely handling of consumer requests, record-keeping and training, and identifying your sources, content, and use of California consumer personal information. Monitor your plan execution and continue to reprioritize and mitigate remaining gaps until your organization is compliant and can pass a CCPA-related audit.
Get Help if Needed
If you are overwhelmed or don’t know where to begin, don’t be afraid to ask for help. Legal and financial advisors, and management consultants with CCPA expertise and solutions are a good start. Determine if you are subject to the CCPA, identify your compliance obligations, perform a readiness assessment and gap analysis, and prepare and execute an implementation plan that achieves your compliance objectives.