Even though the California Consumer Privacy Act (CCPA) is expected to be amended, the primary requirements and consumer rights will likely stay predominantly unchanged.
Waiting for the last minute to think about how to implement the CCPA is not an effective strategy. Significant work may well be required to achieve and maintain compliance, both from a technology and operations standpoint.
Does the CCPA Apply to Your Business?
Companies should first assess whether the CCPA applies to them and their business partners. A company will fall under the purview of the CCPA if it meets at least one of the following thresholds:
- annual gross revenues in excess of $25 million;
- annually buys, receives, shares, or sells the personal information of 50,000 or more California consumers, households, or devices; or
- derives 50% or more of its annual revenues from selling consumers’ personal information.
Additionally, businesses must also analyze whether any exceptions apply to them, such as for medical information governed by the Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health Act (HITECH), and Confidentiality of Medical Information Act (CMIA), and personal information governed by the Fair Credit Reporting Act (FCRA) or the Gramm-Leach-Bliley Act (GLBA).
Building an Information Security Framework for Defensible Compliance
Companies are required to take specific steps to comply with the CCPA, including:
- Providing consumers with notice regarding their rights;
- Offering at least two methods to consumers to exercise their access rights; and
- Having appropriate processes in place to comply with consumers’ rights requests.
Many businesses will need to update their policies and processes related to disclosures, including those related to website usage. Organizations will likely also need to hire and train personnel who will be charged with understanding and responding to consumers’ requests. Additionally, companies will want to prepare for how their compliance function can effectively monitor privacy processes and procedures in action.
Notwithstanding mandates that result from anticipated amendments, information security professionals should address the following in preparation for the CCPA.
Data Mapping and Data Inventory
Having precise knowledge of the data the organization collects, stores, and sells is the foundation that will enable a company to comply with the CCPA’s requirements to keep records of:
- Categories of sources from which personal information is collected;
- Categories of third parties with whom the company shares this data; and
- Business purposes for selling the data.
Information security professionals must also implement steps to identify and differentiate data that is for continuous use versus one-time use. The CCPA applies to data that is held for continuous use (including sale of the data) but does not cover data that is used once and not sold.
Personal Information Deidentification
The CCPA excludes from the definition of “personal information” any information collected from the consumer that is subsequently deidentified. Deidentified information is done in such a manner that the information cannot reasonably identify, relate to, describe, be capable of being associated with or be linked, directly or indirectly, to a particular consumer.
Information security professionals can assist senior management in determining whether implementing deidentification steps will be feasible for the business. For example, management should know that deidentification is a process that must be done in accordance with recognized methods and standards. Simply removing a name or other identifier might not be considered sufficient under the law.
Access Request Processes
As noted earlier, the CCPA gives consumers rights related to data access, data deletion, and knowing about sources of data. The information security and information technology teams should work with other business units, such as compliance, legal, and operations to establish processes that can efficiently and effectively address these requests.
Most importantly, companies should note that the right to delete is not absolute. For example, under the law, consumers with a loan cannot demand that all records of who owes the money (i.e., them) be erased. That being said, best practices call for organizations to minimize the consumer-related data they collect and hold and to be prepared to justify (operationally) every element of data that is stored.
Practically Speaking, Will CCPA Become a De Facto National Standard?
While the CCPA directly affects only California consumers, many companies—perhaps most—might find it onerous to maintain separate processes for California residents, especially given that people move to and from the state constantly. CCPA’s privacy-related rights and protections may very well become standards afforded to all consumers nationwide.
If the CCPA applies to your business and you haven’t started planning for compliance, it is imperative that you do so right away to mitigate the risk of hefty fines. However, even if you believe your organization is exempt from the law, now is a good time to consider implementing best practices that can put you ahead of the curve as privacy protections shift to the national stage.
As a final note, since proposed amendments can significantly affect the law’s ultimate mandates, companies should involve qualified legal counsel in their CCPA planning and review compliance processes before the law goes into effect.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Yvette Gabrielian is a senior director in the Cyber Risk practice of Kroll, a division of Duff & Phelps, based in the Los Angeles office. In her current role, she specializes in advisory services related to all aspects of data privacy, information security and breach notification under U.S. and EU laws and regulations.