CCPA Compliance: Thorny Practical Questions (Almost 1 Month to Go)
This is one of several client alerts in a series counting down to the date when the CCPA applies (almost 1 month to go).
The California Consumer Privacy Act (CCPA) takes effect for businesses January 1, 2020. Don’t wait to implement your compliance as it could require changes to your operations. The CCPA can apply to businesses even if they do not have offices or employees in California. It can also reach activities conducted outside of California.
The CCPA implementing regulations are still open for comment through December 6, 2019. Nonetheless, businesses subject to the CCPA are encouraged to do the best they can to implement a compliance program. Here are some of the frequently asked questions from our clients in that regard and possible responses based on what we know about the CCPA at present:
1. Q: Would the CCPA apply to my business if we do not have any offices or employees in California?
A: Yes. Even for-profit companies with no physical operations or employees in California can be subject to the CCPA’s broad jurisdictional reach. See our prior alert here.
2. Q: The only information my company collects is information we track through our website. Do we have to comply with the CCPA?
A: Very possibly. The broad definition of personal information under the CCPA includes assorted online analytics data. See our prior alert here regarding the expanded scope of what is personal information under the CCPA.
3. Q: Should my business have a separate website for California visitors?
A: It depends on viability for your business – can you isolate California consumer data from other customer data in a resource-efficient manner so as to have a separate website? Doing so is certainly an option for some businesses. Under this approach, a business can isolate the consumers for whom it honors requests under the CCPA (e.g., the right to request information, deletion of certain information, etc.) or whom it allows to opt out from the “sale” of their data. Recall that “sale” is very broad and covers any transfer of the data for consideration, possibly even implicating a transfer to a service provider, business partner or affiliate.
4. Q: If we opt for a separate website for California visitors, prompt them to access it, and they don’t, what then?
A: You have given them the option to avail themselves of their CCPA rights. If they elect not to, that is their decision. You would want to have a process in place to show or document that making the alternate site available was routine, and anyone from California would have had the option to proceed under the CA-specific website.
5. Q: What are my options as a customer with service providers who refuse to add CCPA-required service provider language to my contracts with them? (Meaning language providing that personal information supplied by the customer, or collected by the vendor on the customer’s behalf, can only be used to provide services to the customer or as otherwise permitted under the CCPA.)
A: Keep asking for it. Our clients are seeing that many vendors still don’t appreciate what the CCPA requires of them and are having a bit of an “ah-ha” moment when the CCPA is raised with them. Many businesses are only now considering CCPA compliance obligations as the CCPA’s January 1, 2020 effective date looms. A number of service providers are confused about why their customers are asking for CCPA language in their contracts when the service provider isn’t itself a business subject to the CCPA. Customers are having to explain that they have their own separate obligations to flow down to service providers.
Alternatively, some clients are finding vendors who do appreciate what CCPA requires but will not comply because it would negatively impact their business model monetizing data. In such an instance, clients may be forced to make hard choices to stop doing business with a particular vendor if it would have the effect of having the customer be deemed a data seller and the customer does not want to have this status.
6. Q: Why should my business care if it is a data seller under the CCPA?
A: Some businesses find data seller status acceptable or unavoidable. Other businesses are taking great pains to avoid such status as they believe it casts a negative impression on their business, for example, businesses that market to kids or provide healthcare or financial services may not want to be seen as selling data. Specifically, some businesses are very loath to provide a conspicuous opt-out to selling data on their website. Avoiding data seller status is contingent not only on the business taking appropriate measures within its control, but passing through certain obligations to its vendors.
7. Q: What kinds of challenges are other businesses facing as they implement verification for consumer requests under the CCPA?
A: Companies of all sizes continue to struggle with the risk-adjusted requirements for verified consumer requests. We describe these as “risk-adjusted” because the more sensitive the information in question, the higher the level of verification necessary. Simple when you describe it that way, but is providing four data points rather than two really that much more secure, given how much information about each of us is readily available? A quick and easy approach for determining the level of verification you should require is akin to the Golden Rule: if it were your personal information, at what level would you feel (more) comfortable? Unfortunately, only time will provide us with guidance on what level of rigor will be deemed appropriate in cases where data was nonetheless sent to the incorrect requestor.
8. Q: What does the right to non-discrimination mean under the CCPA?
Exemptions and Exceptions
9. Q: My business is a covered entity or business associate subject to HIPAA; do we still have to comply with the CCPA?
A: Maybe. Although the CCPA includes exemptions for medical information or protected health information (PHI) collected by a covered entity or business associate and treated in accordance with HIPAA (and also exempts covered entities that maintain PHI), some covered entities and business associates may also process or maintain personal information that falls outside of HIPAA that is subject to the CCPA. See our prior alert here.
10. Q: My business is subject to the Gramm-Leach-Bliley Act (GLBA); are we exempt from the CCPA?
A: Yes, for certain personal information subject to the GLBA, but not all personal information will be subject to the GLBA. Data not within the GLBA exemption could still be subject to the CCPA. Many businesses in financial services will find they have to comply with both the GLBA and the CCPA, and that sometimes there may be a conflict between the two, such as when a consumer requests that their personal information be deleted.
11. Q: Employee personal information is exempt from the CCPA until 2021, so my business doesn’t have to take any actions with regard to employee, job applicant, and similar data, right?
A: No. As amended, certain requirements of the CCPA will not apply to the personal information of employees (including job applicants) until 2021. However, businesses must still meet the notice requirements that will be effective January 1, 2020, requiring employers to provide notice to employees and job applicants at or before the point of data collection. Employers should also note that employees and job applicants can still bring a private cause of action for the business’s failure to implement reasonable security procedures and practices if the violation results in a data breach of the employees’ personal information. Employers should also consider the operational impact of treating all employee data as in-scope for the CCPA, including contracts and arrangements with service providers for outsourced activities.
12. Q: Does the CCPA require changes to existing contracts?
A: If you are a business subject to the CCPA and do not want to be a data seller under the CCPA, then yes, you will need to amend contracts to add appropriate “service provider” language to the contract. If you are a service provider serving businesses subject to the CCPA, you can expect to receive requests from your customers described under the immediately preceding sentence. Also, where you yourself wear both hats, you may find you need to make both downstream and upstream changes to your agreements to comply with the CCPA.
13. Q: Are businesses required to add a “Do Not Sell” button to websites if they do not “sell” any personal information as defined by the CCPA?
In contrast, a business that sells personal information must disclose that fact, along with the categories of recipients to whom the information was sold in the last 12 months and provide notice to consumers of the right to opt out of the sale. The business must provide at least two methods for consumers to opt out of the sale of their personal information, one of which must include a clear link or button on the home page of its website or mobile application that says “Do Not Sell My Personal Information” or “Do Not Sell My Info” and takes users to a form or page instructing them on the required details of the opt out process.
14. Q: Do consumers have a private right of action to sue my company for non-compliance with the CCPA?
A: Consumers have a private right of action under the CCPA only in the case of a business’s security breach or other data exposure incident. While only the California Attorney General has the right to otherwise enforce the non-data-breach provisions of the CCPA and obtain statutory damages based on affected consumers, it is still possible for a plaintiff to bring an “unfair and deceptive trade practices” lawsuit against a company that the consumer feels has harmed the consumer by taking actions that violate this law. This is not a direct action under the CCPA, but it is one way that the obligations imposed by the CCPA may find their way into court.
15. Q: Don’t I have until July 2020 to comply with the CCPA, when the California Attorney General would start enforcing the CCPA?
A: The CCPA regulations are open for public comment until December 6, 2019, with a final version expected in the spring of 2020. Pending these revisions, the Attorney General’s office can begin enforcement six months after the final regulations are in place, or by July 1, 2020. The Attorney General acknowledged, at the press conference announcing the proposed regulations, that there will likely be an enforcement delay closer to the July 1, 2020 deadline. However, he also warned businesses that the law goes into effect January 1, 2020 and that businesses need to get into compliance by then. He proceeded to pose this hypothetical: “If someone is murdered and it takes us six months to arrest whoever did it, does that mean that they should go free?” He then answered by saying, “Look, I don’t think so. The law is the law.”
The CCPA is a complex legal structure, with legislation, amendments to the legislation, and draft regulations to keep in mind. This alert is not intended to exhaust the various CCPA questions businesses are asking or substitute for a thorough analysis of how the CCPA affects your business in the specific context of your business.