CCPA One Year Later: Enforcement Introduces New Privacy Considerations


Recent changes to CCPA may mean your business is not as compliant as you think

It’s been just over a year since the California Consumer Privacy Act (CCPA) went into effect. And it has continued to evolve with the passage of the California Privacy Rights Act (CPRA) in November 2020, and new regulations to ban “dark patterns” announced in March.

With all the changes, it’s worth revisiting whether your company falls under the scope of the CCPA and its requirements, whether you’re fully in compliance, and whether you have undertaken a comprehensive data privacy assessment to identify any potential issues.

What the CCPA does

You may be required to comply with the CCPA, in addition to other laws governing privacy and data protection, if your company does business in California and meets at least one of the following criteria:

  • has at least $25 million in annual revenue (whether derived from California or globally);
  • touches the personal information of at least 50,000 California consumers, households or devices; or
  • derives more than half of its revenues from the sale of Californians’ personal data.

The CCPA focuses on regulating the collection, safeguarding, and disclosure of a wide range of personal information, defined broadly as including anything that relates to, describes, could be reasonably linked to, or could be associated with an individual or household. It is also important to keep in mind that the CPRA introduces a new category of “Sensitive Personal Information” that includes consumers’ identification numbers and geolocation, among other identifiers.

If your company falls under the scope of CCPA, you are not only responsible for your own data collection and safeguarding – you are also responsible for confirming that the third-party vendors handling such information on your behalf are also able to support your compliance with CCPA. If this sounds broad, that’s because it is.

Your company may not be as fully CCPA-compliant as you think. Two significant reasons for this are 1) the law’s broad definition of personal information and 2) the requirement that third-party vendors with which you share information be able to support your compliance with the CCPA. Not to mention that the CPRA expands the obligation to be fully CCPA-compliant to certain third parties, service providers, and contractors.

In addition, don’t assume that if you’re in compliance with the European Union’s General Data Protection Regulation (GDPR), you’re automatically in compliance with the CCPA. Although the two sets of regulations have some overlaps, compliance with one does not necessarily mean compliance with the other.

CCPA introduced new consumer rights

The CCPA as amended by the CPRA applies to any organization that collects any type of consumer data, and it gives consumers with California ties new privacy rights, such as:

  • The right to be notified, before or at the moment of collection, about what information you are collecting on them, how it is stored and what will be done with it. This applies in both online and offline settings.
  • The right to be notified directly, and to grant or withhold consent, if a company wants to use previously collected information for a “materially different” purpose than was previously disclosed.
  • The right to easily choose whether personal information is sold to third parties, including “do not sell my information” buttons on each of your websites.
  • The right to see the past 12 months of CCPA-covered data your company has about them, as well as what you have done with the information.
  • The right to have this data deleted, within specific timeframes.
  • The ability to sue for monetary and statutory damages if particularly sensitive personal information is stolen or accessed by someone else; the individual would have to show that your company failed to take reasonable security measures. This private cause of action includes the potential for class actions.
  • The ability to exercise these rights without being discriminated against.

In addition, if your company is covered by the CCPA, you must have a written privacy policy that broadly explains your online and offline data collection, use, sharing and sales practices. And, you must have written contracts with your service providers that restrict their ability to access, process or store personal information, in line with CCPA requirements.

Penalties for non-compliance with CCPA

The cost of noncompliance may be significant.

The CCPA provides for civil penalties of up to $2,500 per violation and up to $7,500 “for each intentional violation.” For example, if 1,000 consumers were involved in a violation, you could potentially face a fine for each of the 1,000 incidents if you fail to cure the violation within 30 days after being notified of the alleged noncompliance. The CPRA also creates a new agency, the CalPPA, which will be responsible for enforcing the CCPA. Enforcement authority currently rests with the California Attorney General’s Office.

Plus, individual California consumers have a private right of action for security breaches that lead to serious privacy violations if reasonable security measures were not taken by the company. Several such suits are already underway including class actions. The CPRA also expands the private right of action to apply to data breaches resulting in the compromise of a consumer’s email address in combination with a password or security question and answer that would permit access to the consumer’s account.

Information covered by CCPA

One of the most significant barriers to CCPA compliance is the broad range of information it covers. All individual data that you collect on California residents may be subject to the CCPA’s fines and private right of action in the event of a data breach.

This applies to data collected through both active means (e.g., someone enters their information into a website, paper questionnaire or webinar signup form) and passive means (e.g., website cookies). It applies whether the individual is a customer of yours or a visitor to your website. And it includes “inferences drawn” from consumer information that allow you to categorize that individual’s preferences, attitudes, psychological trends, etc.

Road to CCPA compliance

Consider the three steps below as you assess and address your CCPA compliance obligations. A qualified data privacy consultant can conduct a thorough data privacy risk assessment to help you identify and mitigate any potential gaps.

  1. Create a clear, workable privacy policy that is relevant and specific to your organization, and make it readily available. Your company must have a written privacy policy that is customized to your collection and data storage practices. This policy should spell out California consumers’ rights, and must be easily available. Websites, webinar feeds, print forms and anything else you use to collect information should also have visible links to your privacy policy, as well as a way for consumers to easily opt out of having their information shared with third parties.
  2. Comply with your own policies and consumer opt-out requests. For most companies, this is the most challenging part of CCPA compliance – it is a security and a database administration issue, as well as an operational one. In addition to securing data from improper access, you’ll need to segregate the data you collect based on whether each individual’s privacy choices allow you to share it with third parties. This also applies to information shared with partners and contractors.
  3. Have a means for consumers to request their data, a method for checking a requester’s identity and a way of delivering the data they request. Any California consumer can request to see the last 12 months of CCPA-covered information about themselves. The CCPA’s “right to know” requires that companies create a toll-free phone number that consumers can use to request their data, as well as at least one additional method, which may be web-based if you have a website. The process of requesting data cannot be difficult. In addition, because consumer “right to know” requests may be vulnerable to potential identity theft or fraud, you need a way to verify the requester’s identity and securely deliver this information to the correct individual. (Consumers have already received other people’s information by accident.)

Additional privacy implications of remote work

While you have hopefully been preparing for CCPA and are already on the road to compliance, the fallout from the COVID-19 pandemic may have taken you by surprise. You may also have added new technologies and service providers into your institution’s workflow to accommodate work-from-home solutions.

Your privacy policy and procedures may not adequately address the protection and storage of information that is accessed, used or communicated by employees based outside the company’s physical locations, or may not be up to date with the technology employees are actually using.

In addition, not every vendor may have been fully vetted for its privacy and security practices, and you may not have even thought about the privacy-related contract provisions the CCPA may require for them. Review your vendors’ practices and policies, and make sure to review your vendor agreements.

CPRA may broaden compliance requirements

With the passage of the CPRA you need to be aware of these future requirements and what they may mean for your organization.

The majority of the CPRA’s provisions will go into effect on January 1, 2023. The CPRA introduced two additional rights for California consumers: the “Right to Limit Use of Sensitive Information” and the “Right to Correct Information.” The CPRA also imposes broader contracting requirements for businesses that sell, share, or disclose personal information to “service providers,” “contractors,” and “third parties.”

These are just a few of the many ways CPRA amends the CCPA. It is important for you to keep the CPRA in mind when working on compliance with the CCPA.

Data privacy is becoming more complex, impacting compliance, IT, security, marketing and other operations areas. Contact me or another member of Kaufman Rossin’s risk advisory services team for assistance with issues related to the CCPA and other data privacy issues.

  1. Gregg L. Friedman MD says:

    Excellent article on California Consumer Privacy act. Thanks for publishing this information. 5 Stars. By Gregg L. Friedman MD
