Complying with the new California privacy law without regulations and with pending amendments is tricky, but should not be put off. Troutman Sanders attorneys outline questions that organizations should be addressing now, so they can be best prepared for the Jan. 1, 2020, enforcement date.
The California Consumer Privacy Act (CCPA) takes effect in less than six months and is still riddled with confusion and ambiguities. Organizations seeking to comply with the new privacy law are left in the dark trying to understand not only the intent behind certain CCPA provisions, but also how to comply.
Some pending amendments may alleviate some of the obvious operational concerns (e.g., whether the CCPA applies to employment related information), but organizations are facing other issues from a compliance perspective, which likely will not be addressed through amendment prior to the Jan. 1, 2020, effective date.
Moreover, California’s attorney general has yet to issue the implementing regulations. It would be unwise, however, for organizations to delay compliance efforts until the regulations are issued. This is especially true since the regulations are not likely to address all of the ambiguities and issues hidden in the CCPA.
Therefore, organizations need to find an alternative path to address the CCPA’s more subtle issues, which only begin to surface once companies take a deep dive into operationalizing its requirements.
The Unsurfaced Issues
The list below highlights a few issues confronted by organizations that have started their CCPA compliance efforts. These issues are often, and imprudently, overlooked by those who take only a 30,000-foot view of the CCPA.
(1) Can an entity qualify as both a “business” and a “third party” under the CCPA?
At first glance, the definition of “third party” appears to exclude businesses. However, the definition appears to support the possibility that the same entity can act as a business in one instance, but as a third party in other circumstances. Despite the ambiguity, businesses need to reach a conclusion on this issue, since whether an entity qualifies as a business, a third party, or both will directly impact its obligations under the CCPA.
(2) What obligations does the CCPA impose on third parties?
Section 1798.115(d) prohibits third parties from selling a consumer’s personal information that has been sold to the third party by a business, “unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt-out pursuant to Section 1798.120.” Whether this section requires the third party, or the business that sold the data to the third party, to provide the required notice and opt out is an issue many organizations are debating. Even if the latter, third parties should still consider what steps they need to take to ensure compliance with this section.
(3) If an organization is acting as a vendor to a non-regulated entity (e.g., a governmental agency), is the organization subject to the CCPA with respect to vendor activities?
The CCPA applies primarily to “businesses,” as that term is defined by the CCPA. Because an organization can only qualify as a “business” if it is a for-profit legal entity, the CCPA likely does not apply to nonprofit and most governmental entities (“Non-Regulated Entities”).
The issue, however, is whether an organization acting for or on behalf of a Non-Regulated Entity could otherwise qualify as a “business” under the CCPA solely in connection with its activities for the Non-Regulated Entity. If so, it may be possible for the CCPA to indirectly regulate entities that were initially considered outside the scope of the CCPA.
(4) Which entities qualify as “service providers” under the CCPA?
The CCPA defines “service provider,” in part, as an entity that “processes information on behalf of a business.” How broadly or narrowly “processes information” is interpreted will drastically impact which entities qualify as service providers under the CCPA.
(5) What obligations, if any, does the CCPA impose on service providers?
Although the CCPA defines certain requirements that businesses must impose on service providers (e.g., businesses are required to direct their service providers to delete consumers’ personal information upon receipt of a request), whether service providers are directly required to comply is a question that many organizations are reviewing.
(6) Does the CCPA apply to personal information of deceased individuals?
Unlike the European Union’s General Data Protection Regulation (GDPR), which expressly provides that it does not, the CCPA is silent. Therefore, whether businesses are required to honor consumer requests submitted on behalf of deceased individuals is a question that remains unanswered.
The Unsurfaced Approach
Where the CCPA is unclear on its own requirements, organizations may be able to reasonably rely on other privacy laws for guidance and use them as a source of instruction. Although the enactment of the CCPA sent shockwaves across the United States, for those familiar with privacy legislation, the CCPA should come as no surprise. Indeed, much of the CCPA is based on the Fair Information Practice Principles, which have formed the basis of many privacy laws in the United States (e.g., the Gramm-Leach-Bliley Act; the Fair Credit Reporting Act).
Because the CCPA is based on the same core principles as these other privacy laws, organizations would be doing themselves a disservice if they did not consider how other privacy laws—especially those that share the same core foundation as the CCPA—have been interpreted and enforced in the past.
By tackling the CCPA using this approach, many of the challenges organizations face today become less obscure, and organizations can make compliance decisions that are informed, well-reasoned, and still in line with their business goals.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Author Information
Ron Raether leads the Cybersecurity, Information Governance and Privacy practice group at Troutman Sanders, and is a partner in the firm’s Financial Services Litigation group. He is known as the interpreter between businesses and information technology, and has assisted companies in navigating federal and state privacy laws for over 20 years.
Sadia Mirza, an attorney at Troutman Sanders LLP, focuses her practice on cybersecurity and privacy issues and compliance across the financial services industry. She is a knowledgeable transactional counsel with experience in-house, positioning her to interact effectively with business, compliance, legal and information security departments.