Just as global businesses settle into their second year of GDPR compliance, there is a new kid on the block.
The California Consumer Privacy Act of 2018 (CCPA) will be operative on 1 January 2020. It creates sweeping new privacy obligations for organisations "doing business" in California – regardless of where they are headquartered and whether or not they have "on the ground" operations there. It also gives California consumers access and deletion rights and the ability to opt out of the sale of their personal information.
Businesses established in the EU will need to assess whether they are within the scope of the CCPA. If they are, the question is, can they leverage their existing GDPR compliance regime to meet the new CCPA obligations? The good news is that organisations that have already implemented a GDPR compliance programme will have an advantage over a business that was not subject to the GDPR. The not-so-good news is that those efforts alone will not be enough to comply fully with the CCPA, and there may be some additional steps that need to be taken. In this article, we take you through some of the key things you need to know about the CCPA and help you identify some of the gaps you may need to plug in your GDPR compliance regime to fit the CCPA.
WE DON'T HAVE OPERATIONS IN CALIFORNIA: SHOULD WE WORRY ABOUT THE CCPA?
Yes, if you do business in California. The CCPA does not set territorial boundaries based on the physical presence of an organisation in California. It can apply to any "for-profit" entity that does business in California and collects personal information (or PI) of California residents (as a data controller). The CCPA does not define what "doing business in California" means, but it is likely to include not only having operations or personnel there but also selling into California and directing products or services to individuals in California. A business, even one outside the United States, meeting these criteria will be in scope of the CCPA, provided that it also meets one of the following threshold tests:
- Has annual global gross revenues in excess of $25,000,000;
- Buys, receives (for commercial purposes), sells, or shares (for commercial purposes) the PI of 50,000 or more "consumers" (which means California residents), households or devices on an annual basis; or
- Derives 50% or more of its annual revenues from selling the PI of California residents.
It is not clear whether the thresholds are intended to apply on an entity-specific basis or on a group‑wide basis (there are arguments suggesting that they should apply on an entity-specific basis). But your group structure is important; the CCPA also applies to any entity that controls or is controlled by a business that meets the above criteria and that shares common branding with that business.
The CCPA does not restrict the ability of a business to collect and sell PI of a California resident if every aspect of the transaction takes place wholly outside California.
The criteria the CCPA uses to define its scope are not easy to follow, and we suggest that you work with your legal team to ensure that the scope and application of the CCPA to your organisation can be assessed accurately.
WHAT INFORMATION IS COVERED UNDER THE CCPA?
The CCPA covers a different scope of PI than under the GDPR. For example, under the CCPA, the information must relate to a California resident (whereas the GDPR can apply to personal data of non‑EU residents). PI under the CCPA can also include information relating to a household. In short, it is not safe to assume that personal data mapped for GDPR compliance will match the PI you need to identify under the CCPA.
Note that there is currently a proposal by the California legislature to exclude PI relating to job applicants, employees, business owners, directors, officers, medical staff, or contractors from almost all of the CCPA's scope, provided that such PI is collected and used solely in the context of that person's role as an employee, applicant, etc. This amendment would apply for a period of one year following the CCPA becoming operative. This proposal has a good chance of being passed; however, it could still be vetoed.
Next steps: Using tools from your GDPR data mapping exercise, analyse the collection, storage, and processing of PI about California residents that falls under the specific scope of the CCPA. This could include employees, job applicants, customers, individual contacts at corporate customers and vendors, website visitors, and on-site visitors. Identify the systems in which the PI is stored, the categories of PI that are collected (and from where), and design a process to track this back over the preceding 12 months (as this period is relevant for transparency obligations; see next). Determine how you will identify which individuals are California residents, such as by checking the address that you have on file.
The CCPA includes a number of GDPR-inspired notice requirements. However, a GDPR-compliant privacy notice will require modifications in order to address the CCPA notice requirements, which include (by way of example):
- Listing the categories of PI collected in the preceding 12 months;
- Explicitly referencing categories of PI set out in the CCPA that most closely describe the actual PI collected and processed;
- If applicable, providing relevant information about the sale of individuals' PI to third parties; and
- Informing about the individual's right not to be discriminated against for exercising their rights under the CCPA.
Next steps: Review current GDPR-compliant privacy notices. Consider adding a separate section that lists the additional information to be provided to California residents, or create a separate, stand-alone CCPA privacy notice.
WHAT RIGHTS DO INDIVIDUALS HAVE?
Opt-out rights: The CCPA allows California residents to opt out of the "sale" of their PI to third parties. Note that the definition of sale in the CCPA is wide enough to include sharing PI for non-monetary consideration, such as for preferential product placements in a store. The definition of sale could also cover sharing PI collected via cookies or similar technologies with a company in exchange for enhanced services, such as sharing PI with an advertising network, which might pool the PI collected across a number of client websites in order to better target ads. In this example, because the client companies are essentially sharing the information of their users in exchange for the value of the information collected about those users on other websites, there may be a "sale" under the CCPA. To determine whether there is a "sale" in any particular instance, a business will have to take a close look at the information flows and the consideration, if any, exchanged for them. Organisations that sell the PI of California residents must provide a "Do Not Sell My Personal Information" link on the company's website, and the link must click through to a web page that enables California residents to opt out of the sale by the business of PI.
Access, deletion, and portability: There is likely to be significant overlap between the individual rights processes created for GDPR compliance and those needed for the CCPA (e.g. in the process used to verify identity), but there are also some key differences. For example, when responding to an access request, the CCPA requires organisations to specify the categories of PI collected, from whom and for what purposes, and also what PI was sold and disclosed and to whom in the preceding 12 months. It limits the number of such requests a business must honour to no more than two in a 12-month period and provides an initial period of 45 days in which to respond.
The CCPA also requires organisations to take specific actions in connection with individuals' rights. Currently, this includes making available two or more designated methods for submitting requests, including, at a minimum, a toll-free telephone number and, if the business maintains a website, a website address. However, the CCPA provides an exception for organisations that operate exclusively online and maintain a direct relationship with the California residents whose PI they collect; such organisations need only maintain an email address for receiving CCPA requests.
Next steps: Consider how your existing GDPR individual rights processes can be adapted for use in response to CCPA requests. If you sell PI, as that activity is defined under the CCPA, post a "Do Not Sell My Personal Information" link as required by the CCPA. Create and implement processes to verify, track, and honour opt-out requests.
Under the CCPA, organisations are required to ensure that all individuals responsible for handling queries from California residents about privacy practices or compliance with the CCPA are aware of how to direct individuals to exercise their rights. This will typically be embedded in various internal policies.
Next steps:
- Verify whether GDPR policies can be adapted to cover CCPA obligations (and if not: draft and distribute new CCPA-compliant policies); and
- Consider rolling out training on the revised policies to ensure that relevant members of staff fully understand their contents.
WHAT'S THE WORST THAT COULD HAPPEN?
Aside from the obvious reputational risk, the California Attorney General (the state's chief law enforcement official) can seek civil penalties of up to $2,500 per violation, rising to up to $7,500 per intentional violation. For tech-driven platforms with millions of users resident in California, these penalties could easily rise to GDPR levels and beyond. In addition, the CCPA gives consumers a private right of action (the right to file a lawsuit directly against the organisation) where a failure to implement reasonable security measures to protect certain types of PI results in unauthorised access and exfiltration, theft, or disclosure of that PI; statutory damages under that right are set at between $100 and $750 per consumer per incident, or actual damages if greater.
IS THERE ANYTHING WE DON'T NEED TO WORRY ABOUT?
Unlike the GDPR, the CCPA does not impose an explicit recordkeeping obligation. The CCPA also does not limit how long PI can be retained by a business that falls within its scope.
At the time of writing this article, there are still some proposed amendments to the CCPA that require the sign off from the governor of California. The first main amendment would allow companies to exclude from the scope of most of their obligations under the CCPA information relating to job applicants or employees, so long as that information is collected and used only in the context of employment purposes. The second main amendment would exclude consumer PI obtained in the context of certain business-to-business communications, if certain conditions are met. Note that both these amendments (if passed) would be subject to a one-year moratorium, which would expire on 1 January 2021.
Annabel Gillham is a partner at Morrison & Foerster and a member of its global data privacy team. Alex van der Wolk is co-chair of Morrison & Foerster's Global Privacy & Data Security Practice.
With contributions from Alice Brunning, Data and Privacy Attorney at Morrison & Foerster