November 25, 2019

CSG Law Alert: Not in California? Here's Why the CCPA Should Still Be on Your Radar

Even if your business is based on the East Coast, you are likely to feel the effects of the California Consumer Privacy Act (“CCPA”), which will be effective January 1, 2020.

CCPA applies to for-profit businesses that:

• Do business in the state of California; collect, or contract with a vendor for the collection of, personal information of “consumers¹”; and determine the means or purpose of processing the data and…
  • Have annual gross revenues in excess of $25,000,000 OR
  • Buy, receive, sell or share information about 50,000 or more consumers, households or devices for commercial purposes OR
  • Derive more than half of their revenue from selling consumers’ personal information.

So… if you are not doing business in California, or you do not fall into one of the sub-categories enumerated above, why do you need to worry about CCPA?

The answer lies with your customers.  CCPA requires subject businesses to include in their vendor contracts clear statements prohibiting vendors from processing consumer information for any purpose other than as needed by the business.  Further, if a business receives a demand from a consumer to “forget” him or her, both the business and all relevant vendors must be able to identify and delete all data points regarding that consumer.

And just because your business is B2B does not mean you are not subject to CCPA.  A “consumer” under the Act is any resident of California.  Therefore, if a business’s points of contact are located in California, odds are that you are collecting information about those individuals.  To endeavor to avoid this “business” related information causing you to be subject to CCPA, consider contractually directing your clients to have their personnel communicate with you solely through company email and devices.  Of course, for clients that have migrated to a BYOD approach, this may not be possible.  Also of note is that at present, a company’s own employees are not deemed “consumers” for purposes of CCPA.  However, this exemption is currently effective only until 2021 unless the Act is further amended.

Assuming that you are subject to CCPA, then what?

The CCPA has established specific rights for consumers to:

• Know what information is being collected about them at or prior to the time of collection and how that information will be used;
• Know from what sources information is being collected
• Access the information collected about them
• Be “forgotten”
• Opt out² of the sale of their information to a third party

These rights must be “easily” exercised by ready means of submitting requests to the company that gathered the data (whether by a toll-free number, email or other means of communication).

Understanding these obligations (and each has its own nuance as to when the company must provide the information and, in particular, the limited time within which a company can respond to a request) is one thing; implementing policies, procedures and processes to properly fulfill these obligations is another challenge altogether.

Privacy Statements

Consider your website and its Privacy Statement.  The Privacy Statement must clearly state the information and resources mandated by the CCPA to your consumers.

By way of example: if your company is going to sell consumer data, your privacy policy must disclose this fact and must also provide a mechanism for consumers to opt out of the sale of their data without being “discriminated against” if they do opt out.  And if you do not intend to sell consumer data, you must affirmatively state this – and then follow through. Otherwise, you will not only be in violation of CCPA, but also Section 5 of the FTC Act for a deceptive trade practice.

Operations Behind the Page

Let’s assume that your privacy policy has been updated; you have included all of the statements and resources required by the CCPA or your customer.  Now, the question is how you execute on your commitments.

• How will requests be received and tracked for timing purposes? There is a specified, limited time frame to respond to different requests (e.g. 15 days for opting out of the sale of a consumer’s data, vs. 45 days to respond to a request for access to data collected)
• If you receive a request for access or deletion of information, who in the organization will be responsible for verifying that the person making the request is in fact the consumer in question?
• Have you tracked inbound information as to when it was received so that you are not doing more work than required (the right to access is only as to information collected in the 12 months preceding the request)
• If information to be deleted is stored with third parties, how will the request be communicated? How will you confirm the request has been fulfilled?
• Have you tracked all of your sources of information so you can respond to a request accurately (“We collected your information from…”)?
• If in responding to a request you will be sending sensitive data (e.g. copies of medical records), how will you securely transmit the information to the requesting consumer?
• CCPA also requires that all persons in your organization who will be responding to consumer inquiries be trained. Have you assigned roles within your organization to execute on the mandates of CCPA and trained personnel as to their duties?

Records

Record keeping is critical to not only demonstrating compliance with CCPA but is also, in part, mandated by the proposed³ regulations promulgated under the CCPA:

• All businesses subject to CCPA must maintain a record of consumer requests under the CCPA, as well as how they responded to those requests, for a period of 24 months.
• On a 12-month look back, any business that “buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, the personal information of 4,000,000 or more consumers” must compile the following metrics:
  • Number of requests received (including whether they were complied with, in whole or in part, or denied) – and broken down in each case by category of request – whether for deletion, access, or for opt-out from sale, and the median number of days in which the company responded to each type of request.
    • This information must be disclosed either in the company’s privacy policy, or on its website, with a link from the privacy policy to that data.
  • Annual statistics as to the number of requests received, the types of requests, and the median response time by the business. These statistics must be available publicly, and must be accessible through the company’s privacy policy.
• Each company should document for each request:
  • The type of request
  • The verification process followed
  • The date the request was received
  • The date the request was acknowledged
  • The resources/vendors accessed to respond to the request
  • If an extension is needed to respond, documented communication of the same to the requesting consumer
  • The date the request is fulfilled or denied
  • If a request is denied, documented basis for denial
  • The means by which the information is communicated to the requesting consumer.
• Policies and Procedures for CCPA compliance and execution should be documented and updated

As of this writing, CCPA is less than two months away.  Failure to comply with the law carries with it potentially hefty fines, as well as private causes of action associated with data breaches.  The fact that you may have, albeit in good faith, erroneously concluded that you were not subject to CCPA will not excuse violations.  At best, you may be on the lower end of the spectrum for potential fines.  Your business may be subject to:  injunctions, fines up to $2,500 for each⁴ violation, or $7,500 for intentional violations.

The “good” news is that a thirty-day cure period is available under the CCPA before a fine may be assessed.  However, if a company did not use reasonable measures to verify the identity of a requesting person, and then wrongfully transmitted to an unauthorized recipient the true consumer’s unredacted, unencrypted personal information, the company may be sued by the impacted consumer in a private cause of action for statutory damages of no less than $100 and not more than $750 per consumer.

---

¹ Consumers under CCPA include residents of California and households (and members of households) in California.

² For consumers under 16, they must expressly opt in for a sale of their data.

³ Although the regulations have not been finalized, the companies that implement these requirements now will be ahead of the curve than those that “wait and see” what the final regulations will require.

⁴ If you “sell” information about 1,000 individuals who had opted-out, the fine could be up to $2,500,000; and if you did so intentionally, the fine could be up to $7,500,000.