It’s coming up soon – on January 1, 2020, the California Consumer Protection Act of 2018 (CCPA) goes into effect. As AB-375, the CCPA skipped the usual drawn-out process of going on a ballot and was signed quickly by Governor Jerry Brown in June 2018, with additional amendments in September 2018 and October 2019. This has led to some vague language in the law, with additional clarity promised in mid-2020. For now, it covers all data collected for the previous 12 months (back to January 1, 2019).
Want to read the whole thing for yourself? Here it is (it’s not so bad).
This bill grants any consumer within the State of California “a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of 3rd parties with which the information is shared” (AB 375). In short, consumers now have the right to (1) know what data is being collected, (2) more easily opt out of data collection, (3) request deletion of their data and have it deleted, (4) know whether and to whom the data may be sold, (5) sue, both as an individual and as part of a class action, if sensitive data is lost or not encrypted, and (6) not be discriminated against for requesting these rights.
Any business that collects consumers’ personal data is required to meet the CCPA starting January 1, 2020 if at least one of these criteria is met (Cal. Civ. Code § 1798.140):
- The annual revenue is $25 million or more
- The business buys or sells the personal information on 50,000 or more consumers/households
- The business derives 50% or more of its revenue by selling personal information to third parties
It does not matter if you are a private or public business, for-profit or non-profit – any business that collects data about consumers currently within the State of California (including visitors) and meets the above minimum criteria must comply. Even if the business is located outside of California, it must comply if it collects the personal data of anyone within the State. Some businesses may be exempt for meeting equivalent regulations such as HIPAA (Health Insurance Portability and Accountability Act of 1996) or GLBA (Gramm-Leach-Bliley Act or Financial Services Modernization Act of 1999). Please check with your legal counsel if you have any questions about exemptions for your business – this is merely an overview.
So you meet the requirements – what does your business have to do now?
- Obtain parental or guardian consent for minors under 13 years old or the affirmative consent of minors between 13 and 16 years old to collect that consumer’s data (Cal. Civ. Code § 1798.120).
- Offer two or more methods for submitting requests for information – at minimum this includes a toll-free phone number and a “clear and conspicuous link” titled “Do Not Sell My Personal Information” on the business’ website allowing the individual or an authorized person to opt out (Cal. Civ. Code § 1798.130 & 1798.135).
- Update privacy policies with new information including a description of these rights (Cal. Civ. Code § 1798.135(a)(2)).
- Respect those who have opted out and wait 12 months before requesting that the consumer make a new decision on opting in or out (Cal. Civ. Code § 1798.135(a)(5)).
- Respond to verified customer requests for data, free of charge, within 45 days, with some extension possible (Cal. Civ. Code § 1798.130).
The definition of sensitive consumer data is much broader under the CCPA than similar regulations. It’s easier just to quote it directly:
“(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
(B) Any categories of personal information described in subdivision (e) of Section 1798.80.
(C) Characteristics of protected classifications under California or federal law.
(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
(E) Biometric information.
(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
(G) Geolocation data.
(H) Audio, electronic, visual, thermal, olfactory, or similar information.
(I) Professional or employment-related information.
(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
(2) “Personal information” does not include publicly available information. For these purposes, “publicly available” means information that is lawfully made available from federal, state, or local government records, if any conditions associated with such information. (Cal. Civ. Code § 1798.140).”
It’s a lot to keep track of and to implement, now with only days to go. As more information emerges during implementation, the definitions, requirements, and penalties will adjust. The best thing your business can do is to make sure that the data you have collected for the last 12 months, and what is consented to going forward, is properly secured. Losing unencrypted sensitive data is just one of the violations that can happen under the CCPA. The violation penalties differ because they can be assessed and imposed by the California Attorney General (Cal. Civ. Code § 1798.155) or through consumer litigation (Cal. Civ. Code § 1798.150). Arbitration clauses are prohibited under the CCPA, so it’s the business’ burden to protect the data. While some of the monetary amounts may not seem like much to the largest corporations, at class-action scale they can become a noticeable penalty for a large corporation and a big dent in the pocket of a small business.
Talk with your legal and IT teams to get a basic analysis done of what encryption and information security policies you already have in place. Even if they seem adequate to meet minimum guidelines, it will benefit your business more to upgrade systems and invest in new technology to protect this data.
If you’re looking for the easiest, fastest, and lowest-cost way to encrypt your data (and all your business’ other files), Active Cypher is here to help with Active Cypher File Fortress. We are available through the Azure Marketplace, allowing quick and easy integration with Active Directory and a low cost per user per month.
This is just an overview; do not take it as legal advice. We advise that you contact your legal counsel for additional questions and clarification. Please review the CCPA directly.