The California Consumer Privacy Act: What Startups Need to Know

Will Pizzano, Sentant
Jul 2, 2018

The California Consumer Privacy Act, fondly known as the CCPA, raises plenty of questions among startups whose services are used by Californians. To answer some of the most common questions about the CCPA, I’ve assembled some of the most relevant information about the Act for technology startups.

When it takes effect

The CCPA becomes effective on January 1, 2020. There may be changes to it before then, as tech firms are lobbying heavily for concessions.

Who needs to comply

For-profit businesses that collect personal information of Californians and have over $25 million in annual revenue, process information related to 50,000 or more California consumers or devices annually, or make more than half of their annual revenue from selling consumers’ personal information must comply with the act.

As a startup, if your traffic is more than 130 or so California users per day, you’ll be in scope right away. Also, if you’re expecting (even by a stretch) to reach $25MM in yearly revenue before or in 2020, you probably should start working on compliance now. It’s also safe to assume that for 2019 funding rounds, venture firms will incorporate CCPA compliance into their due diligence checks.

Regardless of your revenue, if you’re in the B2B Software-as-a-Service market, chances are many of your customers have more than $25MM in revenue. They’ll certainly want any vendors with access to information on Californians to facilitate compliance with the CCPA.

Personal Information

Personally identifiable information, or PII, is broadly defined by the CCPA and related legislation. For example, web server logs that record activity from a Californian user by just an IP address would be considered PII and protected under the Act. To play it safe, I recommend that any data able to be linked back to an individual (even by an IP address or a unique identifier like a UUID) be considered PII.

The Act allows the Attorney General to add more identifiers and data elements to the list of protected PII as well. Because of this, it’s probably a best practice to treat any identifiable information about Californians as protected under the act.

Who is a Californian

The CCPA applies to information gathered about any person who is located in California at the time. For example, if a person whose home is in Oregon takes a trip to California and logs into your service from there, any personal information gathered while they were in California will be covered under the Act.

Compliance Measures

Web Site

The Act requires that a “clear and conspicuous link” be posted on your business’ homepage titled “Do Not Sell my Personal Information,” which allows consumers to opt out of the sale of their data. This page should also have links to the company’s privacy policies, and any California-specific policies in place.

The CCPA allows companies to have a separate version of their web site for California consumers, and not supply this information on versions of the website served to consumers outside California.

For many tech companies, this could translate to using a geo-ip lookup service to determine whether to serve a site containing CCPA notices and policies.

Privacy Policy

The CCPA contains explicit guidelines on what information must be included in a company’s privacy policies. Some businesses may opt to create a California-specific version of the Privacy Policy, and a different one for individuals outside of California.

At a minimum, a CCPA-compliant privacy policy must:

  • Contain a description of consumer rights under the CCPA
  • Provide information on methods of submitting CCPA requests, e.g. deletion
  • Provide three separate lists, enumerating all categories of California user data that were 1) sold in the past year, 2) shared for a business purpose in the past year, and 3) collected in the past year
  • Be updated on an annual basis

Data Deletion

Businesses will need to be able to, upon request, delete the data gathered in California associated with an individual. To err on the side of caution, I’d recommend simply deleting all the data associated with that person.

Deletion specifically includes instructing any service providers to delete data they host as well. Startups may themselves be service providers for a larger company. For example, let’s say an early-phase startup hosts a platform for retailers to send out coupons, including to recipients located in California. The startup wouldn’t explicitly be required to comply with the CCPA, as their revenue is too low. However, they can expect to receive deletion requests from their customers who have in turn received them from consumers.

Deletion Exceptions

The CCPA contains exceptions for a lot of difficult-to-delete operational data, as well as data needed for legal reasons. Highlights are that businesses need not comply with requests to delete data needed to:

(2) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.

(3) Debug to identify and repair errors that impair existing intended functionality.

I interpret the above as meaning that data in security and systems monitoring applications, such as SIEMs and performance alerts, need not be deleted in response to a CCPA request. This will be a relief to security and ops teams, as for other compliance reasons this information is usually retained and protected from alteration or deletion.

There’s also a notably broad deletion exception:

(7) To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.

It’s possible to construe the above exception as allowing companies to retain internal records, such as data backups. This would solve a large problem for startups with multi-user apps: how to go back and delete data from backups, while ensuring the backups are still valid. However, that interpretation may be a stretch and it looks like this is yet another area we’ll be looking to the California Attorney General to provide more guidance on.

Regardless of exceptions, you’ll still be on the hook if there’s a data breach of data you’ve retained. So, as best practice I’d recommend retaining only the minimum necessary data under these exceptions after a deletion request.

Encryption and Redaction

The CCPA only exposes businesses to liability for breaches of unencrypted PII. While not required, the CCPA encourages the use of encryption and data de-identification/redaction by carving out specific exceptions. If a business suffers a data breach where only encrypted or de-identified information is compromised, it won’t be liable for damages.

For example, let’s say a startup has a testing instance of its app up on the internet. The test version is run using demo data, which is based on a real user database. However, data has been scrambled so that names and addresses are changed and substituted with generic ones, and it would be impossible to associate the data with any real person. If that test server was hacked and all its data exposed on a public forum like pastebin, this wouldn’t trigger consequences under the CCPA. Simply put, properly de-identified or encrypted data doesn’t count as PII and won’t trigger CCPA penalties.

Clearly, a best practice from a security perspective here would be to encrypt and/or de-identify data whenever possible. I also recommend restricting access to PII data to a small group of employees, such as a core engineering team. This decreases the surface area of what systems and personnel, if compromised, could result in CCPA penalties.

Opt-Out & Minors’ Data

If your business sells any consumer data to third parties, consumers have the right to permanently “opt-out” of the sale of their data. Companies can, no more frequently than once per year, ask opted-out consumers to opt-in for data sale.

The opt-out provisions don’t apply to simple data collection, as the Act only mentions opt-outs of data sale to third-parties.

If a business is aware a Californian is between 13 and 16 years old, you need an affirmative opt-in from them to sell their data. For those known to be under 13, you need an opt-in from their parent or guardian.

For tech companies that sell consumer data, this means that if you continue to store data on California consumers who have opted-out or are under 16, you should clearly mark these records as opted-out of sale in your database and establish processes to ensure this data is not sold to any third party.
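As an added example (not code from the original post), here is one way to encode the opt-out and minors’ rules above as a gate that every third-party data transfer must pass, plus the once-per-year re-ask limit. The record fields and function names are assumptions; the post’s “13–16” band is read as “under 16” to match the preceding paragraph.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class ConsumerRecord:
    """Constructed record shape (an assumption, not a schema from the post)."""
    consumer_id: str
    do_not_sell: bool = False                   # set when the consumer opts out of sale
    known_age: Optional[int] = None             # None when age is not known to the business
    consumer_opt_in: bool = False               # affirmative opt-in from a 13-15 year old
    guardian_opt_in: bool = False               # parent/guardian opt-in for an under-13
    last_opt_in_request: Optional[date] = None  # when an opted-out consumer was last asked to opt in


def eligible_for_sale(rec: ConsumerRecord) -> bool:
    """True only if selling this record to a third party is allowed by the rules in the post."""
    if rec.do_not_sell:
        return False                 # opt-out stands until the consumer affirmatively opts back in
    if rec.known_age is not None:
        if rec.known_age < 13:
            return rec.guardian_opt_in
        if rec.known_age < 16:
            return rec.consumer_opt_in
    return True                      # unknown age or 16+, no opt-out on file


def may_ask_to_opt_in(rec: ConsumerRecord, today: date) -> bool:
    """An opted-out consumer may be asked to opt back in no more than once per year."""
    if not rec.do_not_sell:
        return False
    if rec.last_opt_in_request is None:
        return True
    return today - rec.last_opt_in_request >= timedelta(days=365)


def export_for_sale(records: List[ConsumerRecord]) -> List[ConsumerRecord]:
    """Single choke point every third-party transfer goes through; never bypass it."""
    return [r for r in records if eligible_for_sale(r)]


if __name__ == "__main__":
    sample = [  # constructed sample data
        ConsumerRecord("adult-ok"),
        ConsumerRecord("opted-out", do_not_sell=True),
        ConsumerRecord("teen-no-consent", known_age=14),
        ConsumerRecord("child-with-guardian", known_age=10, guardian_opt_in=True),
    ]
    print([r.consumer_id for r in export_for_sale(sample)])
```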

Charging Extra

You won’t be able to charge consumers a different price or give them lesser service if they’ve opted-out of data sale or invoked any other of their rights under the CCPA.

However, if a consumer’s requests are found to be “unfounded or excessive,” businesses can charge a “reasonable fee.” Until there’s clarification from the Attorney General as to what these phrases mean, I’d recommend against instituting any fees related to CCPA requests.

Handling CCPA Requests

Businesses are required under the act to supply consumers at least two means of making CCPA requests. At a minimum, this means a toll-free phone number along with a web site address for filing requests.

Any personal data gathered in connection with a CCPA request must only be used for the purposes of verifying the consumer’s identity and processing the request.

You’ll also have to respond to CCPA requests within 45 days, which can be extended another 45 days if it is “reasonably necessary” and you provide notice to the customer.

Data Breach Liability

The CCPA places a clear burden on businesses to maintain reasonable security procedures. If a company has a security breach resulting in the unauthorized access to PII of Californians, and “reasonable security procedures and practices, appropriate to the nature of the information” were not in place, they’re liable for damages under the Act. It’s only after unauthorized access (e.g. a breach) that consumers can bring a suit under the act at all.

It is unclear what exactly “reasonable” means from a technical standpoint. We may have to wait for clarification from the Attorney General, or relevant case law to emerge to better understand what qualifies as reasonable security.

Further complicating matters, during the initial 30-day notice period, the company has the opportunity to “cure” the violation.

Startups certainly don’t want to be dragged into messy litigation or become a test case for the CCPA. To avoid the chance of strenuous litigation, if you store personal data on Californians make sure your company invests in an effective information security program.

Right of Action and Damages

In the event of unauthorized access to their personal information, individuals may bring civil suits against the company. Individuals or class-action groups filing suit must notify the business with detail on the alleged violation 30 days before filing the lawsuit. The Attorney General must also be notified, and may decide to prosecute the case themselves.

When a business receives the 30-day notice from the individual intending to file suit, it has that time to “cure” the violation and avoid legal action. However, it’s quite unclear how a business could reasonably correct a violation where unauthorized third-parties have accessed consumer data, as the damage has already been done.

Individuals filing civil suit stand to receive statutory damages of between $100 and $750 per person, per incident. If violations are found to be intentional, damages rise to $7,500.

Healthcare & HIPAA

The CCPA specifically (§1798.145(c)) states it does not apply to health information collected by a covered entity. Instead, the act defers to federal HIPAA regulations for the handling of PHI data.

If an organization collects PII unrelated to PHI, then the California Consumer Privacy Act’s provisions appear to apply. Let’s say a for-profit hospital in California had posted a page allowing anyone to sign up to receive a newsletter. Information collected includes the person’s name, postal mailing and e-mail address. Since this information is not gathered in relation to healthcare, it would have to be gathered and stored in compliance with the Act.

Final Thoughts

The CCPA will certainly demand a response from growing startups. After 2020, having a data breach of Californians’ personal information will surely mean trouble for your business. Before 2020, get the relevant compliance items on your technical roadmap, set up processes to handle consumers’ CCPA requests, and make sure you have an effective information security program in place.
