A little over a year ago I circulated a client email alert with 5 questions & answers. I thought it would be fun to re-release an updated version of the alert with some footnotes and redlined edits.
CCPA 5 Questions
Everyone is still talking about the California Consumer Privacy Act of 2018. There are still many unknowns when it comes to the CCPA, but with the CA Attorney General already in active enforcement mode, decision paralysis isn’t an option. You can’t boil the ocean but you can ask yourself these 5 questions:
1. My business doesn’t target Californians any more than other residents; does the CCPA even apply to us?
Given the CCPA’s broad jurisdictional reach and broad definition of “personal information,” it’s very likely that it applies to your business in one way or another. If you meet the definition of a “business”* or a “service provider” under the law and you don’t qualify for any stated exemptions, congratulations, you’re a member of the CCPA club!
*The Appendices to the Attorney General’s Final Statement of Reasons for its CCPA Regulations (“FSORs”) clarify an important point that was still pending last year: the annual revenue thresholds referred to in subsections 1798.140(c)(1)(A)&(C) are not limited to revenue derived from a business’ California operations.
2. I keep hearing about data mapping but that term isn’t in the CCPA; do I really need to spend the time and money on it?
You’re 100% right that data mapping isn’t explicitly stated. However, it would be impossible to comply with the consumer requests granted by the CCPA without doing a data mapping exercise. That said, you don’t necessarily need an expensive tool in order to do this. There’s more than one way to skin a data map, contrary to what the various technology vendors will tell you.*
*Please see my prior blog post on the importance of data mapping for GDPR and CCPA compliance.
3. We’re not a data broker and we don’t sell any personal information; that means we don’t need to implement a “Do Not Sell” button, right?
Maybe. The CCPA contains a very broad (there’s that word again!) definition of “sell,” which includes not just money but “other valuable consideration.” We are all still waiting with bated breath for additional guidance from the CA legislature or Attorney General’s office as to what this means. In the meantime, any sharing of personal information with third parties (even service providers) should be carefully evaluated to determine whether it might be construed as a sale under the CCPA.*
*The AG has not listed the behaviors it views as a sale vs. a mere transfer. However, in reading between the lines of the FSORs and recent adtech platform changes, we should be prepared for a broad application of the term “sale” as it relates to transfers by advertisers to their ad technology vendors.
4. Does my company need to update our online privacy policy?
Why yes, if you’re subject to the CCPA, you do! The CCPA requires very specific disclosures, including some that relate to new rights granted to consumers by the CCPA.
5. We’re not subject to the GDPR and have nothing in place to handle consumer requests; where do we start?!
It’s all about the 3 Ps – policies, procedures and personnel. You will need documented policies and procedures for how to deal with consumer requests to know*, to opt out of sale, and to delete in accordance with the CCPA, and you will need to train the personnel responsible for following these policies and procedures.
*I had initially been referring to these as access requests because that aligns with the GDPR terminology that many businesses are already familiar with. However, the prevailing nomenclature is now “requests to know.”
6. Any other tips?
Sure! Vendor management, information security, data breach response, and privacy training are all also implicated by the CCPA. This is why I recommend that businesses build a holistic privacy program rather than having an ad-hoc response to each privacy law. Building a proactive framework requires coordination and effort at the outset but saves time and money in the long run by facilitating nimble compliance as new regulations such as the CCPA, the GDPR, and many others are implemented.