A guide to CCPA, aka California Privacy Law

Ethyca
ethyca on privacy.dev
10 min read · Jul 5, 2019


INTRODUCTION: WHAT IS THE CCPA?

The California Consumer Privacy Act will come into effect on January 1, 2020, and this fact may have a big impact on your business. California is the crown jewel in the United States economy — if it were a standalone country its $2.7 trillion GDP would be the fifth largest in the world, sitting ahead of the United Kingdom. This, combined with the state’s status as an incubator for tech innovation and consumer culture, gives it an outsized importance for all kinds of businesses operating at local, national, and multinational levels.

Put simply, any enterprise that reaches a certain scale will now be forced to contend with the CCPA, and it’s likely other states will soon follow suit with similar pieces of legislation of their own: California has long been a bellwether for US-wide tech legislation. This article is a piece-by-piece examination of the CCPA and an analysis of its business impact, with particular attention given to the consequences for the data management, systems, and practices of Small-to-Medium Enterprises (SMEs). By the conclusion it should be clear that the CCPA is nothing to fear for management and development teams that are proactive and thoughtful in adapting to its prescriptions. For those that don’t use the appropriate amount of care, the consequences can be severe.

GETTING STARTED: WHAT IS THE SCOPE OF CCPA?

Reading through the CCPA is quite a different exercise to reading through the GDPR, the other major piece of consumer data protection legislation to emerge in recent times. Whereas the language of the GDPR is clear and its structure is logical, the language of the CCPA is a dense “legalese” and the structure of the Act skips from one area to another without a consistent thread. This is primarily due to the fact that the CCPA is a series of builds or amendments to previously existing pieces of legislation whereas the GDPR was an attempt to craft a comprehensive data protection policy from scratch.

The upshot is that it’s most sensible to analyze the CCPA under topic groupings rather than from top to bottom, and the first topic it’s essential to consider is scope: Who does the CCPA apply to? There’s a host of ways a business can be considered subject to CCPA requirements. The following are key thresholds to determine whether your business qualifies.

Regardless of the amount of data you collect, do you have gross revenue over $25 million? Then the CCPA applies to you. But if you’re not operating at that scale and still collect, buy, or sell the personal information of over 50,000 people, households, or devices per year, then the CCPA also applies to you. If a business doesn’t process that amount of personal information, but still earns more than half of yearly revenue (no matter that number) from selling consumers’ data, then the CCPA is applicable. Of course, your company must also have a business presence in the state of California, because that’s as far as the legislation’s power extends.

The second scope-related question is what is meant, in the case of the CCPA, by “personal data”. Whereas other pieces of data legislation take an umbrella-view of defining what constitutes personal data, the CCPA attempts to spell out in more explicit detail the types of information that count. The list here is extensive and worth comprehensive review, but a key point to realize is that the CCPA covers information that can be linked to households as well as individuals. In effect this means that certain information which would not be protected under other pieces of legislation because it can’t be associated with an individual — say TV viewing records or purchase behavior data not linked to an individual — is considered personal data under the CCPA because it can be tied to a household.

DIGGING DEEPER: WHAT ARE THE INTENTIONS OF THE CCPA?

Once the question of scope is addressed, it’s possible to begin examining the intentions of the California Consumer Privacy Act and, at macro-level, the measures it takes to achieve those intentions. Section 2 of the Act explicitly outlines the aim of this piece of legislation: Empowering citizens of California to:

  • Know what personal data is being collected about them
  • Know whether their personal data is sold or disclosed and to whom
  • Say “no” to the sale of their personal data
  • Access the personal data that an organization has collected about them
  • Obtain equal service and price from companies that collect personal data even if they exercise the privacy rights granted to them in the CCPA.

Right away a development team or project manager tasked with architecting their SME’s data infrastructure should see that these aims, if adequately supported by the legislation, carry far-reaching consequences for the way in which businesses build their data management systems. Gone is the old notion of a company’s data as a silo, removed from the day-to-day activity of the business, which can only be altered with great care. This is replaced by the idea of data as an organic mass, with pieces being constantly added and subtracted through continuous interaction with both company employees and product consumers. If flexibility and agility aren’t built into the architecture, from collection and storage to retrieval and analysis, a business will face real challenges in staying CCPA-compliant.

BUSINESS OBLIGATIONS: CCPA’S IMPACT ON THE DATA LANDSCAPE

Given the objectives stated, what are the concrete steps businesses must take to avoid running afoul of the CCPA? Here’s a summary of the most important:

Businesses must be able to disclose to a requesting consumer the categories and specific pieces of personal information that the business has collected.

This means that businesses must have both a clearly-signposted method for consumers to lodge a request for information, and a streamlined system for disaggregating an individual’s information from their database and delivering it in a timely fashion. It’s worth noting also that a business is only obligated to provide this info up to two times in twelve months — though it may seem self-evident, this means a system is also needed to track Information Requests so that one individual doesn’t overly burden the system. Consider that even some businesses operating at scale neither possess a system for request intake nor keep a single-location record of information requests. In this scenario it’s entirely feasible that a single individual could take up far more valuable staff time than legally necessary through repeated information requests.

These are easy solves if considered upfront but can be a challenge if they’re retrofitted only when the problem becomes evident. An additional requirement of this capability is that the delivery of this data must be free and in reasonably consumable form, which means that businesses can’t charge a consumer to receive a record of their data, and they also can’t present that data in some arcane file format that the consumer will have difficulty decoding. All in all, this requirement could lead to significant business impact for companies that are not already up to speed on current best practices for data management.

Next, at or before the point of data collection, businesses are required to inform consumers as to the categories of personal information to be collected and the purpose for which the categories of personal information will be used.

For any SME operating on “highest common denominator” principles (building a system that’s viable for worldwide operations) this will be no surprise. After all, this is already a requirement under GDPR law, and it’s reasonable to expect that as the world follows in the footsteps of the CCPA and GDPR, upfront disclosure of data collection will become a standard legal procedure. In practice this can have a range of implications for a company’s customer experience on- and off-line. It could be a pop-up box for consent to cookies, it could be an opt-in screen before a user enters the purchase funnel — it could even lead to changes to the purchase experience in physical store locations that are passively collecting data on in-store customer behavior, because under CCPA law, some forms of personal information are protected that can’t be tied directly to an individual. In order to fully understand how this CCPA requirement could change the way a company does business, an in-depth audit will often be necessary.

Lastly, businesses and marketers collecting information on consumers need to be able to wipe out that information completely upon request.

Not only that, but in many cases the business must be able to direct related service providers who utilize this info to wipe it also. Whether the data has been sold as part of a second-party set, or shared as part of a service-delivery process, the requirement stands. This obligation demonstrates that businesses operating under CCPA jurisdiction have no choice but to end antiquated “data-silo” operations that made ongoing alterations to a data store difficult and time-consuming. Furthermore, these businesses will have to ensure that their partners and data clients have this same capability, as they can be held liable for a partner’s failure to remove records from a database.

WHAT ARE THE COSTS FOR VIOLATING THE CCPA?

Of course the CCPA couldn’t hope to be an effective piece of privacy legislation without effective enforcement mechanisms to keep companies honest. What are the consequences for organizations that run afoul of its prescriptions? Put simply: they can add up quickly.

A person, business, or service provider found in violation of the CCPA will be subject to court injunction, and will also be liable for a civil penalty of up to $2,500 per unintentional violation and $7,500 per intentional violation. The important thing to remember is that for companies dealing with large amounts of personal data, violations likely won’t number in the tens, hundreds, or even thousands of customers. A systemic violation of CCPA provisions can easily put a six-digit multiplier on the $2,500 or $7,500 fine. For many SMEs, this could prove a high enough number to sink them completely. And that’s not all: apart from the civil liability, consumers are entitled to bring an action for up to $750 per incident, or, if the amount is greater, the value of personal damages. Thus a business that fails to do something so simple as notify consumers that it’s collecting web data can quickly find itself looking down the barrel of a damaging class-action civil suit.

In essence, the CCPA is a piece of legislation that takes data protection seriously, and has the enforcement clout to make businesses take it seriously too. The legislation becomes law of the land on January 1, 2020. This means businesses with a footprint in California have approximately 6 months as of the time of writing to ensure they’re not at risk for severe financial penalties resulting from CCPA violations. Time to take action! But what are the steps that teams should take? To wrap up, this paper will examine some of the key steps any business can take to prepare.

FIRST STEPS: HOW SHOULD TEAMS PREPARE FOR THE NEW DATA LANDSCAPE?

Conduct a Review of Existing Data Architecture

If you’re a typical SME trying to prepare for what lies ahead, a best first step is to comprehensively review your data operation. Prepare data maps, inventories, and other records to catalog all points of collection, storage, retrieval, and exploitation of personal information relating to California-based consumers. Only through this exercise can a business accurately plan for the changes needed to be CCPA-compliant.

Consider if California-only web/mobile/business models are needed

For companies operating at global scale, it’s recommended to adopt a highest-common-denominator approach to a full data architecture redesign. This will future-proof their operations and save them time and money due to decreased need for bespoke solutions based on territory. For companies with a smaller footprint, however, it may be worthwhile to examine building California-specific consumer experiences. Deciding the best business option for your SME is only possible through the previously mentioned systematic audit of existing data operations.

Ensure that there are simple online and offline methods for submitting Data Access Requests

This is an essential part of a company’s relationship with its consumers now required by the CCPA. It’s important to note that the CCPA mandates a toll-free number dedicated to submitting data access requests, so businesses must ensure that their intake system isn’t online-only.

Provide a Clear “Do Not Sell My Personal Information” Option on web properties

This is another non-negotiable requirement of the CCPA. California citizens or those authorized to represent them must be able to easily designate that their personal data is not for sale. It’s important to note that under the CCPA, a user who selects this option can’t suffer a diminished experience if they don’t want their data to be sold (in contrast, the GDPR does allow companies to alter their experience if customers don’t want their data to be monetized).

Plan New Systems That Can Perform The Following Functions:

  • Verify the identity of individuals who request data access or data deletion
  • Respond to requests for data access or deletion within 45 days
  • Determine the age of a California resident (under the CCPA, companies must obtain parental consent for data collection for users under 13. If they don’t have a way to determine a user’s age, they can be held liable for disregarding this obligation.)

If this seems like a significant amount of work, it’s because it is. Since its inception, the Internet has been a relatively lawless environment regarding consumer protection. Now the days of the Internet as a Wild West are truly drawing to a close. Just like in the physical world, businesses that wish to profit must follow the rules or face the consequences. Luckily with the proper foresight and attention, CCPA compliance can be a straightforward exercise that doesn’t break the balance sheet.
