The California Consumer Privacy Act is now “Live”: Are You Ready?
The California Consumer Privacy Act (“CCPA” or the “Act”) became effective with the New Year. While this may catch many off guard, the good news is that, given the remaining regulatory uncertainty, the California Attorney General has stated that enforcement actions under the CCPA will not begin until July 1, 2020, four months after the Attorney General's final regulations, expected on March 1, 2020, are released. This does not mean, however, that companies can expect a free ride until then: the Act's obligations apply now, even if enforcement is deferred.
What does this mean?
Even though the CCPA is now in effect and companies within its purview are legally required to comply with the Act, it remains uncertain whether certain online activities of companies based outside California fall within its jurisdiction. This makes it difficult to determine whether the CCPA applies directly to such companies and, if so, which of their activities the Act regulates.
Given this uncertainty, companies across the country are taking proactive steps to demonstrate compliance with the CCPA in the lead up to July 2020. What makes these initial proactive steps both interesting and useful is that the California Attorney General has gone as far as stating that demonstrative steps to comply with the CCPA would be looked upon favorably in a subsequent enforcement action.
What steps should you take now?
The following steps are our recommended “basics” that may demonstrate to the Attorney General a reasonable attempt to comply with the CCPA:
1. Know Your Data.
Perform a basic inventory to identify what data you collect and where that data comes from. You should also be able to “map” where that data is stored and how long it is retained. This information is uniformly valuable for many other types of risk assessment activities.
Having a data map is a useful tool for understanding whether the company has California consumers at all, and it will assist in formulating the business processes that allow those consumers to exercise their rights as required under the CCPA (access, deletion, and opting out of the sale of their data). Though not required under the Act, some companies are extending these California consumer rights to non-California consumers. It is easier to administer that way, and it places these companies in a better position as other states move to copy the CCPA's consumer rights.
This may also be a good time to check website data analytics and SEO status. Remember: the CCPA's 50,000 threshold counts not just human consumers but households and devices, too, which is why website analytics will play an important role. A firm grasp of your company's website analytics should guide the determination of whether California residents are accessing your company's website, and it allows you to confirm what data is collected and how that data is processed.
2. Determine whether the CCPA applies.
Now comes the hard part: interpreting the vague language of the Act. A “business” is required to comply with the CCPA if certain criteria/thresholds are met. As defined under the CCPA, a “business” means a for-profit entity (and we are quoting directly from the statute now):
. . . that collects consumers’ personal information or on the behalf of which that information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
A. Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted . . . .;
B. Alone or in combination, annually buys, receives for business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
C. Derives 50 percent or more of its annual revenues from selling consumers’ personal information. [Cal. Civ. Code § 1798.140(c)(1)(A)-(C)].
While there is no definitive explanation for what this language means, and numerous privacy professionals have voiced concern about its ambiguity, we believe it can be deciphered to mean:
A “business” is a for-profit entity that:
1. Does business in California;
2. Collects the personal information of California consumers;
3. Determines how that information is handled; and
4. Meets one or more of the following thresholds:
A. Has annual gross revenues in excess of $25 million;
B. Annually buys, receives for business’s commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
C. Derives 50% or more of its annual revenues from selling consumers’ personal information.
Currently, the second threshold criterion (in 4.B. above) is the one most likely to catch businesses off guard, and it is also the most ambiguous. To date, there has been no clear guidance interpreting the broadly worded definition of “sell” under the Act. The clearest guidance we can provide so far, based upon legislative history and California law, is that a “sale” means a bargained-for exchange for money or similar valuable consideration. It is likely, however, that company websites that display third-party advertising, where visitor data (cookies, device identifiers, browsing behavior) is shared with advertising networks in exchange for ad revenue, would fall within this category. Note also that the 50,000 figure counts devices as well as people, so a website with modest human traffic can cross the threshold faster than expected.
3. Confirm your Cyber Insurance will Cover a Breach under the Act.
This should be a quick, albeit important, check with your insurance broker. Of particular concern under the CCPA is the right of California residents to sue when their nonencrypted or nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business's failure to implement and maintain reasonable security procedures and practices (Cal. Civ. Code § 1798.150). Statutory damages of $100 to $750 per consumer per incident, or actual damages if greater, are available without proof of actual harm, which is what makes this provision a class-action magnet. Two practical points follow: the private right of action reaches only the narrower category of personal information covered by California's data breach statute (§ 1798.81.5), and it reaches only data that was neither encrypted nor redacted, so encryption of stored personal information is both a security control and a litigation control. Residents of the EU have a comparable, though not identical, right to compensation under the General Data Protection Regulation (GDPR).
4. Review and Update Your Privacy Policy.
We have always recommended periodic reviews of privacy policies, and now is a particularly good time for such a review and update. Additions regarding how consumers are able to exercise their rights under the Act should be included, as well as disclosures regarding how information is collected and processed. For businesses that sell personal information, the Act specifically requires a clear and conspicuous “Do Not Sell My Personal Information” link on the main consumer-facing website, with instructions for how consumers can opt out of the sale of their data; we recommend adding it now rather than waiting for enforcement. We do not foresee consumer privacy protections and rights being relaxed any time in the near future, so it is best to anticipate these changes proactively.
Dangerous Windows 10 Flaw Discovered by the NSA
Yesterday, January 14, 2020, news broke that the NSA had contacted Microsoft directly to inform it of a major security flaw in Windows 10. The flaw, tracked as CVE-2020-0601, is in the certificate-validation logic of Windows CryptoAPI and affects Windows 10 and Windows Server 2016 and 2019; Microsoft's fix ships in its January 2020 security update. Don't delay in applying that update to every affected system.
Would you like Continuing Industry-Specific Updates on Data Security and Privacy?
The last several years have seen major shifts in both international and domestic privacy regulation. The GDPR has caught many companies by surprise with the intricacy of its application since its effective date in May 2018. Similarly, in addition to California, the data security requirements of New York's SHIELD Act go into effect March 21, 2020, giving the New York Attorney General greater investigative powers and higher breach penalties than existed under the state's prior data breach law. New York also joins the list of other states, including Illinois, Texas, and Washington, that include biometric data within their definition of personal information.
In this dynamic privacy and data security environment, the Cybersecurity team at Butzel Long is offering a subscription service to interested clients. For a small annual fee, we will apprise subscribers of the latest developments that are likely to impact their businesses. We are offering new subscribers a promotional rate of $1200 for the first year (prorated based on the month subscribed in 2020). Thereafter, and for those subscribing in 2021, the annual fee will be $1700. In addition, if the update you subscribe to directly leads to your request for legal work on that topic, we will offer a discount of 10% on our legal fees for that task.
For more information, call or email Claudia Rast at 734.213.3431 or firstname.lastname@example.org.