When the California Consumer Privacy Act (CCPA) – sometimes referred to as AB-375 – takes effect on Jan. 1, 2020, it will impose a host of obligations on all but the smallest companies that do business with California residents.
The risks for businesses that don't comply with CCPA are severe. The California Attorney General can seek civil penalties of up to $2,500 per violation, or $7,500 per intentional violation, and if a data breach results from a business's failure to implement reasonable security, consumers can sue for statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater. While these per-consumer figures may seem small, multiplied across a large customer base the total damages from a single incident can add up to a very significant sum.
Strict data privacy laws come to the U.S.
The only organizations that are exempt from CCPA are those that meet all three of the following conditions:
- have annual gross revenues of less than $25 million;
- and annually buy, receive, sell or share the personal information of fewer than 50,000 consumers, households or devices;
- and earn less than half their annual revenue from selling consumers' personal information.
All other for-profit businesses that collect California residents' personal information must comply. The Act's definition of "business" covers for-profit entities (and entities they control), so charities and other not-for-profit organizations generally fall outside its direct scope.
CCPA compliance requirements
The goal of CCPA is to allow California residents to know what personal information companies hold about them, and whether that data is sold or disclosed to other organizations. They have the right to tell companies not to sell their personal data, to access the personal data that a company holds about them, and to request that the organization delete the personal information that it holds about that person.
The definition of personal information is broad (though arguably not as broad as GDPR's) and includes names, addresses, IP addresses, biometric information, network activity such as browsing and search histories, geolocation data and much more, but not "publicly available" information, which the Act defines narrowly as information lawfully made available from federal, state or local government records.
To comply with the Act, organizations must implement and maintain reasonable security procedures and practices for the personal information they hold, provide a "Do Not Sell My Personal Information" link on their website's homepage, offer consumers at least two methods for submitting requests to access or delete their data, including a toll-free telephone number, and update their privacy policies to describe California residents' rights.
Complying with CCPA
So what should companies have done, or be doing now, to prepare for the Jan. 1 CCPA implementation date?
The number one priority should be the security of the personal information an organization holds, because of the risk of lawsuits and class actions from consumers following a data breach, according to Shahryar Shaghaghi, a CCPA expert at CohnReznick Advisory, a New York-based professional services and public accounting firm.
"This is the first and most important risk that companies are subject to," Shaghaghi said in an interview with eSecurity Planet. That's because the Office of the Attorney General of California will not impose sanctions for other forms of non-compliance until July 1, 2020, even though CCPA comes into force on Jan. 1, he said.
The Act calls for companies to implement reasonable security measures to protect personal data, so Shaghaghi said companies need to demonstrate that they have taken reasonable steps to achieve this. "That means they must have performed a security risk assessment, identified any security control deficits, and implemented mitigation strategies."
Perhaps the most difficult thing to comply with as far as CCPA is concerned is that customers have the right to know what data an organization holds about them, and to request its deletion. Although that sounds innocuous enough, the reality is very different. That's because companies may have information stored in many different data silos, they may have data stored with third parties with whom they have shared the data, and data may also be stored in the cloud.
"In order to be compliant with CCPA you need to carry out a data mapping exercise so you can see where you get your data from, and where it goes," said Shaghaghi. "And if a customer requests its deletion then you have to respond in a certain amount of time, so you have to be able to understand what data you have and how you delete it."
But this is complicated by the fact that companies are also subject to local requirements, Shaghaghi said. "Entities like the IRS and the FTC all have retention guidelines, and data may be subject to legal holds," he said. "That means that an analysis has to be done before deletion, and you may have to go back to a customer and say that we cannot delete your data as you requested because of X, Y, or Z."
The good news is that companies that have taken steps to comply with GDPR will already have carried out this data mapping exercise, so compliance with CCPA for them will be much easier.
The big difference between GDPR and CCPA comes down to enforcement, according to Shaghaghi. Many organizations in the U.S. assume that enforcement action by EU regulators would be difficult, but if they don't comply with CCPA they may also face enforcement from authorities at home in the U.S.
When it comes to ensuring that data is not sold to other companies when customers withhold permission for that, compliance is complicated by the fact that companies may be sharing or storing data with third parties, including service providers, Shaghaghi warned.
"If you take someone's personal data then you own it, and if you then share it with a third party you are still responsible for it. That means you have to go back through all of your contracts with these companies and see what they are doing with the data and whether they are selling it. If they don't agree not to sell it then you have no option but to terminate your contract with them," he said.
Businesses also need to update their privacy policies and display the mandatory links on their websites that let consumers opt out of having their data sold. Although this is largely an administrative task, it can be extremely time consuming, so companies that have not already made plans for compliance need to start doing so as soon as possible, Shaghaghi said.
'Reasonable efforts' important
Are U.S. companies doing enough to comply with CCPA? Shaghaghi said no company is 100% compliant – and in fact large organizations will probably never be fully compliant, such is the complexity of what would be required. "My view is that your efforts will be viewed as reasonable as long as you can demonstrate proactive measures that you have taken towards compliance," he said. Companies need to think about the balance between the costs of compliance versus the risks of non-compliance, he added.
But companies shouldn't just think about compliance; they should also think about their corporate culture. "If you go through a CCPA compliance process, you will have a more realistic privacy and security policy. And in the end, that will give you an advantage in the market," he concluded.