The California Consumer Privacy Act (CCPA) requires that, as of January 1, 2020, all organizations that gather, handle or process the personal data of California residents must be able to provide any data subject with all the personal data they have collected about them during the preceding 12 months. Therefore, if your company is subject to this new regulation, you need to already have CCPA compliance controls in place; otherwise, you will not be able to comply on the effective date.
But is your organization subject to the CCPA? How exactly should you go about responding to requests from data subjects, and what happens if you can’t? The law is not entirely clear on these points. Here are four questions you might want to raise with your legal or compliance team.
1. Is your organization subject to the CCPA?
The CCPA applies only to for-profit businesses operating in California (regardless of whether they are physically in California) that meet one or more of these conditions:
- Earn $25,000,000 a year in revenue
- Trade in the data of 50,000 or more consumer, household or device records per year
- Derive at least 50% of their annual revenue by selling the personal information (PI) of Californian consumers
The first and last conditions seem clear enough, but take a closer look at the second one. There are at least two points that require clarification. First, although the CCPA limits its reach to California residents, it doesn’t specify the location of households and devices, which could mean that the law reaches beyond California’s borders. Second, though the law defines the term “consumer,” it doesn’t explain how to count household and device records. For example, suppose a person uses the same account for all of their devices, including their smartphone, tablet, laptop and smart TV; should you count that as one record or four — or perhaps even five? Similarly, a given device could be shared by all three members of a household, with each of them logged in under a separate account. Do you count that as one device or three consumers, or both?
If either the first or third condition applies to your organization, you know you’re subject to the CCPA. But if they don’t, you need to work with your legal advisors to clarify whether the second condition applies. To facilitate the discussion, be prepared with a complete picture of what data you have, where it is stored and how it is used.
2. How should you verify a consumer’s identity?
If your organization is subject to the CCPA, one key requirement you have to meet is responding to requests from consumers regarding the information you store about them. The first step is to verify that the person making the request is actually who they claim to be; otherwise, you might disclose PI to unauthorized people, putting data subjects at risk of identity theft and your business at risk of penalties for failing to sufficiently protect personal data.
Unfortunately, the law provides little guidance on what exactly a business needs to do to determine whether a request is a “verifiable request.” Therefore, you should work with your legal team to decide what would likely qualify as sufficient measures for identity verification.
3. What does it mean to “cure” a violation?
The CCPA gives companies that violate its provisions a chance to eliminate huge penalties (up to $2,500 per violation or $7,500 per intentional violation) and legal consequences. Specifically, the law gives companies 30 days to “cure” alleged violations before litigation can advance.
However, there is no explanation of exactly what is required to “cure” a violation. For example, suppose a business suffered a data breach because a user account was compromised. Would a password change be sufficient to “cure” that violation? Perhaps not, since the law also requires the organization to ensure that no similar violations occur in the future. So would it be enough if the company also establishes a policy that forces employees to change their passwords regularly? It’s not clear.
We recommend getting legal advice on this matter, since curing violations within the 30-day period could save your business from serious consequences. In addition, of course, you should take steps to minimize the risk of having incidents in the first place, so you have less chance of ever needing to “cure” violations. In particular, it’s smart to identify and mitigate your current security risks, establish security controls that enable you to quickly spot suspicious activity across your IT environment, and develop and test an incident response plan.
4. What security procedures would be considered “reasonable”?
The CCPA gives consumers the right of action if “nonencrypted or nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.”
However, the law doesn’t clarify what security procedures and practices qualify as “reasonable.” Therefore, you should work with your compliance team to establish a set of security controls that you consider sufficient to protect the PI you store and process. A good place to start is by classifying your data, monitoring and alerting on activity with regulated data, and establishing effective redaction and encryption processes. It’s also critical to make sure that your company’s service providers have reasonable security measures in place as well.
The CCPA is an encouraging sign that steps are being taken toward enforcing a privacy-conscious approach to doing business. New York and Colorado have recently enacted privacy laws as well, and other states are likely to follow. Federal laws are being proposed and debated in Congress. Of course, there are data privacy laws already on the books in other parts of the world, such as the GDPR in Europe and similar laws in India, Brazil and Australia.
As a result, companies face ambiguous and sometimes overlapping obligations from local, state, federal and international regulations. As for the CCPA, we can expect amendments that attempt to clarify some of its requirements or add more compliance burden. Businesses need to stay up to date on what is happening in the compliance area, including not just changes to regulations but also what penalties are assessed for violations and what lawsuits are filed by consumers, so they can adjust their information security programs accordingly over time.