California Consumer Privacy Act (CCPA) Q&A Session

Posted on October 24, 2019

The CCPA is set to be a game-changer when it comes to consumer privacy laws. The Act will expand the rights of consumers and enforce transparency on any company that handles personal information regarding California residents, regardless of where the business is located. The CCPA classifies personal information as name, address, email address, account name, social security number, driver’s license number, education, employment, records of personal property, and other similar identifiers. If you do business or have customers (or potential customers) in California, this webinar is for you. Any company that falls under the CCPA will be required to enhance their data management practices, expand their individual rights processes, and update their privacy policies by January 1, 2020 – which is only a few short months away!

CCPA Overview

The new CCPA is going into effect on January 1st, 2020. Essentially, the law is intended to make structural changes to the privacy programs of companies that conduct business in California. It does this by providing residents the right to a few things:

  • Know what personal data is being collected on them
  • Know about/prevent the sale of their data
  • Access their personal information or data
  • Request a business delete any personal information or data
  • Not be discriminated against for exercising their privacy rights

As more and more of our data is collected and sold, new regulations must be put into place to protect that data and force companies that process it to be transparent in how they are using it.

How Did We Get Here? 

Most consumers love personalized recommendations, whether they are product recommendations on Amazon or Netflix. We’re okay with companies knowing a great deal about us, as long as we can see that it benefits us in some way. The problem arises in how the information is collected and what it is being used for. The law aims to make it clearer to users what they’re agreeing to when they “agree” to give a company their information.

Almost every move you make online: every website you visit, search you make, items you purchase, form you fill out – these are all being tracked and the resulting data can be aggregated, traded, and sold. In most cases, the consumer has no control over what happens to that data and whose hands it may end up in.

The data privacy movement is a direct response to this state of affairs.

Does the CCPA Apply to Your Business?

Your company doesn’t need to be located in CA for the CCPA to apply to you – in fact, the International Association for Privacy Professionals estimates that more than half a million US companies will be directly affected. The CCPA doesn’t distinguish between brick-and-mortar and online companies, meaning that a company with zero physical footprint or employees located in CA could still do business in the state and therefore have obligations under the CCPA.

In general, the CCPA applies to a business that:

  • Does business in the State of California
  • Collects or processes personal information of California residents

AND

  • Has annual gross revenues in excess of $25 million;
  • Handles data of more than 50,000 people or devices; or
  • Has 50% or more of revenue coming from selling personal information

Question: Does CCPA also apply to cookies?

Answer: Ultimately, there is a little bit of a gray area when we’re talking about website cookies, but in the end, yes, it does apply if there is identifiable information in there.

Who is Protected?

  • Consumers, defined as CA residents that are either: in California for other than a temporary or transitory purpose or domiciled in CA but are currently outside the state for a temporary or transitory purpose.

What is Protected?

  • Personal information: any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Examples: name, alias, address, unique personal identifier, email address, IP address, browsing and search history, geolocation data and many more.

What Rights Do Consumers Have Under the CCPA?

  • Right to know
  • Right to access
  • Right to deletion
  • Right to opt-out
  • Right to equal service and price

Question: We sell and rent to self-employed contractors – is that considered personal information?

Answer: Once the employee exception gets put into place, I don’t think this would apply.

Question: What does CCPA cover that GDPR does not?

Answer: There are more similarities than differences. Obviously, CCPA is specific to Californians. But the biggest difference we’ve seen is that the CCPA goes into more detail about timelines for different things – they give you exact dates that you have to respond to consumers and make changes.

Question: Do people opt-out online or do they need to call to submit information?

Answer: You need to provide two ways for people to opt out. So if you have a website, what the CCPA is recommending is that you have a form on your website where people could opt out but also provide a 1-800 number where people can call in to opt out as well. If you’re primarily brick-and-mortar, you have to provide an option to opt out where the primary part of your business is done. You may have to provide physical forms people can fill out.

When Does the New Law Go Into Effect?

  • Requirements go into effect on January 1, 2020
  • Deadline to publish regulations is July 2, 2020
  • Legal action CANNOT happen until July 1, 2020 (or 6 months after final regulations are published)

What are the Consequences?

  • $7,500 for each intentional violation
  • $2,500 for each unintentional violation

With each case, the court will investigate the violations, determine what exactly the infractions are, and go from there. Consumers have to provide 30 days’ advance notice to the company, which then has the opportunity to cure the alleged violation and provide a written statement that the violation is cured and that no further violation will occur. So basically you are given a chance to right your wrongs in a timely manner.

What Do You Need to Do To Comply?

  • Know how the CCPA affects your organization
  • Map consumer data
  • Fine-tune your privacy disclosures
  • Allow customers to opt-out
  • Come up with a plan on how to handle customer requests
  • Update your software and systems and protect against data breaches
  • Train your teams

Recent Changes to the Law:

  • Job applicant/employee exemption
  • B2B exemption
  • Publicly available info exemption
  • Exempts vehicle and ownership data
  • Data broker registry creation
  • Modification to methods that are available for deletion requests and timeline

California is the world’s fifth-largest economy as of 2018. It’s a huge number of people and a huge sector of business. As this law takes effect and the kinks start to get worked out, we have no doubt other states will start to follow suit.

Question & Answer Portion

Question: Is it acceptable to ask a customer to clear their cookies since we may not be able to drill down with our digital marketing and we may not know what data to delete?

Answer: I don’t know that the clearing of cookies will make a difference. It’s more concerned with what the cookies are collecting and where that information is stored.

Question: How does CCPA relate to retargeting?

Answer: This goes back to the cookie idea. Ultimately, the way that we look at it is that it is aggregate data. We’re placing the cookie on the user and then showing them ads relevant to them based on things they’ve searched, but we don’t have any personal information as far as who that user is. As long as we give them the ability to opt out of the actual cookie when the cookie is being placed, we should be fine.

Question: Do we know at this point what other states are working on or considering similar regulations?

Answer: Unfortunately, no. There are a lot of unknowns still right now. I think after the 6-month grace period takes effect, we may see other states use CA as the guinea pig and start to adopt similar policies.

Question: If a firm is hired to make sure a company is compliant and they find out they’re not – who is responsible?

Answer: Ultimately the business is responsible.

Question: Is the IP address considered part of the personal information covered?

Answer: Yes, they do specifically call that one out.

While we covered a lot of information here, there is always more to learn. If you have any questions about anything covered here or not – we can certainly help with that process. Please give us a call if you think of anything!