Conservative estimates indicate that California’s new data privacy law, the CCPA, impacts as many as 500,000 or more businesses across the United States. While many consumer-privacy advocates herald the CCPA as another good step toward maturing organizations’ use and protection of personally identifiable information, most impacted companies are not prepared to comply with the specific obligations set forth by the CCPA.
Relatedly, several business surveys conducted in 2019 indicate that many businesses are still not prepared for CCPA compliance. Perhaps most surprising, some companies reported they were not aware of California’s new data privacy law, nor did they understand how or whether CCPA obligations apply to their business.
That said, many organizations are very aware of the cybersecurity risks associated with managing business systems, networks, and data centers that hold consumer information. To mitigate that risk, many organizations staff internal IT and information security teams, contract with outside firms for these specialized skills and services, or use some combination of the two.
Even so, most organizations do not employ staff whose skill sets and capabilities are heavily focused on tracking data use, data management, and privacy or compliance obligations under information governance regulations. The CCPA presents challenges for organizations in this latter category that they need to face head-on, or else run the risk of failing to meet CCPA compliance and facing fines and penalties.
Chapter 1 provided an overview of the rights the CCPA grants California consumers and the conditions that determine whether the CCPA applies to a particular business. In the brief below, we shift focus to the key obligations business leaders need to understand to help their organizations prepare to comply with the CCPA. Please note that the outline below is not a complete list of CCPA obligations, but it is a good high-level list to help leadership teams think about the wide-ranging touch points and data systems in scope across their business landscape. Key business obligations and accountability related to the CCPA include:
Obligation to … Post a “Do not sell my personal information” link on the business website homepage. The link should be easy to see and access, and it should allow a consumer to opt out of the sale of their personal information. Note: (Cal. Civ. Code § 1798.135)
Obligation to … Make two or more designated methods available for a consumer to submit requests for information the business is required to disclose. Specific examples cited include the business website homepage (if the business maintains an internet website) and, at a minimum, a toll-free telephone number a consumer can call. Note: (Cal. Civ. Code § 1798.130(a)(1))
Obligation to … Implement procedures to obtain parental or guardian consent for minors under 13 years of age, and the affirmative consent of minors between 13 and 16 years of age, before sharing their data. Note: (Cal. Civ. Code § 1798.120(d))
Obligation to … Update privacy policies with newly required information, including a description of California residents’ rights. Note: (Cal. Civ. Code § 1798.135(a)(2))
Obligation to … Avoid requesting opt-in consent for 12 months after a California resident opts out. Note: (Cal. Civ. Code § 1798.135(a)(5))
Obligation to … Implement and maintain reasonable security procedures and practices appropriate to protect personal information. Note: (Cal. Civ. Code § 1798.150(a))
Worth noting, any consumer whose personal information is subject to unauthorized access, theft, or disclosure as a result of a business’s failure to implement and maintain “reasonable security procedures and practices” may pursue civil actions and penalties.
For CCPA purposes, “business” is defined to include numerous business entities, such as a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity organized or operated for the profit or financial benefit of its shareholders or other owners.
Nonprofits will generally not fall into this definition, except where a nonprofit is owned or controlled by a for-profit business that is subject to the CCPA. In that case, if the business itself is required to comply with the CCPA, the nonprofit would also need to comply.
Organizations undecided about whether they should take steps to prepare for or comply with the CCPA should review their business insurance coverage and consider the ramifications of not complying and later being determined to be subject to the law.
Of concern to all businesses facing CCPA compliance: any company that violates the CCPA can face injunctions and penalties of not more than $2,500 for each violation, and not more than $7,500 for each intentional violation, in an action brought by the California Attorney General.
Worth noting, aspects of the CCPA describe violations at the individual consumer level. Specifically, each consumer record that fails CCPA compliance counts as a violation. Businesses discovered to have violated a CCPA obligation are given 30 days after receiving written notice of noncompliance to cure the infraction before facing liability.
Unlike the GDPR, the CCPA provides individual consumers a private right of action. This entitlement becomes applicable when a covered business does not meet its duty to implement and maintain reasonable safeguards. This failure includes not protecting nonencrypted or nonredacted personal information from:
That private action includes statutory damages of not less than one hundred dollars ($100) and not more than seven hundred fifty dollars ($750) per consumer, per incident, or actual damages, whichever is greater.