What is the CCPA? A Guide to California Privacy Law

Introduction: What is the CCPA?

The California Consumer Privacy Act will come into effect on January 1, 2020. This fact may have a significant impact on your business. 

California is the crown jewel of the United States economy. If it were a standalone country, its $2.7 trillion GDP would be the fifth-largest in the world, sitting ahead of the United Kingdom. Combined with the state’s status as an incubator for tech innovation and consumer culture, this gives California outsized importance for all kinds of businesses operating at local, national, and multinational levels.

The CCPA forces enterprises above a particular scale to contend with it. Other states will soon follow suit with similar legislation of their own, since California has long been a bellwether for US-wide tech legislation.

This guide examines the CCPA piece by piece, analyzing business impact, with particular attention given to the consequences for the data management, systems, and practices of small-to-medium enterprises (SMEs).

The conclusion should make clear that the CCPA is nothing to fear for management and development teams. Teams that are proactive and thoughtful in adapting to CCPA prescriptions will get ahead in successfully achieving compliance. For those that don’t apply the appropriate amount of care, the consequences can be severe.

Getting Started: What is the Scope of CCPA?

Reading through the CCPA is quite a different exercise from reading through the GDPR. For context, the GDPR is another major piece of consumer data protection legislation to emerge in recent times. The language of the GDPR is clear and its structure is logical. By contrast, the CCPA is written in dense “legalese”, and the structure of the Act skips from one area to another without a consistent thread.

The CCPA is a series of builds on, or amendments to, previously existing legislation, whereas the GDPR was an attempt to craft a comprehensive data protection policy from scratch. The upshot is that it’s most sensible to analyze the CCPA under topic groupings rather than from top to bottom. The first topic to consider is scope: to whom does the CCPA apply? There are several ways a business can become subject to CCPA requirements.

How to Determine If your Business Qualifies

Regardless of the amount of data you collect, do you have gross revenue over $25 million? Then the CCPA applies to you. However, if you’re not operating at that scale and still collect, buy, or sell the personal information of over 50,000 people, households, or devices per year, then the CCPA also applies to you. If a business doesn’t process that amount of personal information, but still earns more than half of yearly revenue (no matter what number) from selling consumers’ data, then the CCPA is applicable. Of course, your company must also have a business presence in the state of California, because that’s as far as the legislation’s power extends.

Personal Data

“Personal Data” is the second scope-related question in the CCPA. Whereas other pieces of data legislation take an umbrella-view of defining what constitutes personal data, the CCPA attempts to spell out in more explicit detail the types of information that count. The list here is extensive and worth comprehensive review, but a pivotal point to realize is that the CCPA covers information that links to households as well as individuals.

In effect, this means that certain information is protected under the CCPA even though it would not be under other legislation, because it can’t be associated with an individual. For example, TV viewing records or purchase behavior data not linked to an individual are considered personal data under the CCPA because they are linked to a household.

Digging Deeper: What are the Intentions of the CCPA?

Once you address the question of scope, it’s possible to begin examining the intentions of the California Consumer Privacy Act and, at macro-level, the measures it takes to achieve those intentions. 

Section 2 of the Act explicitly outlines the aim of this piece of legislation – empowering citizens of California to:

  • Know what personal data organizations are collecting about them
  • Know if/when personal information is sold or disclosed and to whom
  • Say “no” to the sale of their data
  • Access the personal data that an organization has collected about them
  • Obtain equal service and price from companies collecting personal data. 

Right away, a development team or project manager tasked with architecting their SME’s data infrastructure should see that these aims, if adequately supported by the legislation, carry far-reaching consequences for how businesses build their data management systems.

The old notion of siloing company data is dead. Data is no longer an organic mass; it is information continuously added and subtracted through interaction with company employees and product consumers. Businesses will face real challenges in becoming and staying CCPA-compliant. They need flexibility and agility built into the architecture, from collection and storage through to retrieval and analysis.

Business Obligations: CCPA’s Impact on the Data Landscape

Given the objectives stated, what are the concrete steps businesses must take to avoid running afoul of the CCPA? Here is a summary of the most important:

Companies must be able to disclose to a requesting consumer the categories and specific pieces of personal information that the business has collected.

Businesses must have both a clearly signposted method for consumers to lodge a request for information and a streamlined system for disaggregating an individual’s data from their database. They need to deliver it in a timely fashion too. It’s worth noting that a business is obligated to provide this information up to two times in twelve months. Though it may seem self-evident, this means a system is needed to track information requests so that one individual doesn’t overly burden the system.

Consider that even some businesses operating at scale neither possess a system for request intake nor keep a single-location record of information requests. In this scenario, it’s entirely feasible that a single individual could take up far more valuable staff time than legally necessary through repeated information requests.

These are easy to solve when considered upfront but can be challenging if retrofitted only when the problem becomes evident. An additional requirement of this capability is that the delivery of this data must be free and in a reasonably consumable form, which means that businesses can’t charge a consumer to receive a record of their data, and they also can’t present that data in some arcane file format that the consumer will have difficulty decoding.

All in all, this requirement could lead to significant business impact for companies that are not already up to speed on current best practices for data management.

At or before the point of data collection, businesses are required to inform consumers of the categories of personal information they intend to collect and the purpose for using specific types of personal information.

For any SME operating on “highest common denominator” principles, this will be no surprise. After all, this is already a requirement under GDPR law. It’s reasonable to expect that as the world follows in the footsteps of the CCPA and GDPR, upfront disclosure of data collection will become a standard legal procedure. 

In practice, this can have a range of implications for a company’s customer experience on- and offline, such as:

  • A pop-up box for consent to cookies
  • An opt-in screen before a user enters the purchase funnel 
  • Changes to the purchase experience in physical store locations that are passively collecting data on in-store customer behavior

Under CCPA law, some forms of personal information are protected that can’t be tied directly to an individual. To fully understand how this CCPA requirement could change the way a company does business, an in-depth audit will often be necessary.

Lastly, businesses and marketers collecting information on consumers need to be able to wipe out that information entirely upon request.

Not only that but in many cases, the business must be able to direct related service providers who utilize this info to wipe it also. It does not matter whether the data has been sold as part of a second-party set or shared as part of a service-delivery process; the requirement stands. 

This obligation demonstrates that businesses operating under CCPA jurisdiction have no choice but to end antiquated “data-silo” operations, especially those that made ongoing alterations to a data store difficult and time-consuming. Businesses will also have to ensure their partners and data clients have this same capability, since they can be held liable for a partner’s failure to remove records from a database.

What are the Costs for Violating CCPA?

Of course, the CCPA couldn’t hope to be a compelling piece of privacy legislation without effective enforcement mechanisms to keep companies honest. What are the consequences for organizations that run afoul of its prescriptions? To put it straight, they can add up quickly.

Penalties

A person, business, or service provider found in violation of the CCPA is subject to a court injunction. They are also liable for a civil penalty of up to $2,500 per unintentional violation and $7,500 per intentional violation. 

The critical thing to remember is that for companies dealing with large amounts of personal data, violations are unlikely to be counted in tens, hundreds, or even thousands of customers. A systemic violation of CCPA provisions can quickly put a six-digit multiplier on the $2,500 or $7,500 fine.

Civil Suit

For many SMEs, this could prove a high enough number to sink them entirely. That’s not all. Apart from civil penalties, consumers can bring action for up to $750 per incident, plus the value of personal damages. A business that simply fails to notify consumers that it is collecting web data can quickly find itself looking down the barrel of a damaging class-action civil suit.

In essence, the CCPA is a piece of legislation that takes data protection seriously. It has the enforcement clout to make businesses take it seriously too. The bill becomes the law of the land on January 1, 2020. Companies with a footprint in California have approximately six months as of the time of writing to ensure they’re not at risk for severe financial penalties. 

First Steps: How Should Teams Prepare for the New Data Landscape?

Time to take action! What are the steps that teams should take now? Let’s examine some of the critical steps any business can take to prepare.

Conduct a Review of Existing Data Architecture

If you’re a typical SME preparing for what lies ahead, your first step is to comprehensively review data operations. Prepare data maps, inventories, and other records that catalog all points of collection, storage, retrieval, and exploitation of personal information relating to California-based consumers. Only through this exercise can a business accurately plan for the changes needed to be CCPA-compliant.

Consider more than California-only web/mobile/business models

For companies operating at a global scale, we recommend adopting a highest-common denominator approach to a full data architecture redesign. It future-proofs operations, saving time and money due to decreased need for bespoke solutions based on territory. 

For companies with a smaller footprint, however, it may be worthwhile to examine building California-specific consumer experiences. Your SME can decide on the best business option by following the previously mentioned systematic audit of current data operations.

Ensure there are available online and offline methods for submitting Data Access Requests

The CCPA requires companies to consider their relationship with consumers. It mandates a toll-free number dedicated to submitting data access requests, so businesses must ensure their intake system isn’t online-only.

Provide a Clear “Do Not Sell My Personal Information” Option on web properties

This is another non-negotiable requirement of the CCPA. California citizens, or those authorized to represent them, must be able to designate that their data is not for sale. A user who selects this option can’t be given a diminished experience as a result. In contrast, the GDPR does allow companies to alter the experience if customers don’t want their data monetized.

Plan New Systems That Can Perform The Following Functions

  • Verify the identity of individuals who request data access or data deletion
  • Respond to requests for data access or deletion within 45 days
  • Determine the age of a California resident. Companies must obtain parental consent for data collection for users under 13. If they don’t have a way to determine the user’s age, they can be held liable for disregarding this obligation.
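The intake obligations described above (tracking information requests so that one consumer is served at most twice in twelve months, verifying the requester’s identity before disclosing or deleting anything, and responding within 45 days) can be captured in a small request log. The following is an added example, not code from the original article or any particular product. The two-per-window limit, 365-day window and 45-day deadline are taken from the text; the HMAC-based verification token, the secret key and the sample dates are constructed assumptions standing in for whatever identity-proofing a real business uses.

```python
"""Added example: a CCPA consumer-request intake log.

Enforces identity verification, the two-information-requests-per-12-months
limit, and the 45-day response deadline.  Constructed for illustration;
the verification scheme and key are placeholders, not a real product's API.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date, timedelta

# Parameters stated in the article.
MAX_ACCESS_REQUESTS_PER_WINDOW = 2
WINDOW_DAYS = 365
RESPONSE_DEADLINE_DAYS = 45

# Assumption: a server-side secret used to mint verification tokens.  In a
# real deployment this would come from a secrets manager, never from source.
VERIFICATION_KEY = b"constructed-demo-key-do-not-use"


def mint_verification_token(consumer_id: str) -> str:
    """Hypothetical out-of-band token (e.g. emailed to the account address).
    The consumer presents it with the request so it can be tied to a known identity."""
    return hmac.new(VERIFICATION_KEY, consumer_id.encode(), hashlib.sha256).hexdigest()


def verify_identity(consumer_id: str, token: str) -> bool:
    """Constant-time comparison so a wrong token leaks nothing about the right one."""
    expected = mint_verification_token(consumer_id)
    return hmac.compare_digest(expected, token)


@dataclass
class Request:
    consumer_id: str
    kind: str            # "access" or "deletion"
    received: date
    due: date            # received + 45 days


@dataclass
class IntakeLog:
    requests: list = field(default_factory=list)

    def _access_requests_in_window(self, consumer_id: str, today: date) -> list:
        cutoff = today - timedelta(days=WINDOW_DAYS)
        return [r for r in self.requests
                if r.consumer_id == consumer_id
                and r.kind == "access"
                and r.received > cutoff]

    def submit(self, consumer_id: str, token: str, kind: str, today: date):
        """Record a request.  Returns (accepted, Request) or (False, reason)."""
        if kind not in ("access", "deletion"):
            return False, "unknown request kind"
        if not verify_identity(consumer_id, token):
            return False, "identity not verified"
        if kind == "access" and len(self._access_requests_in_window(consumer_id, today)) \
                >= MAX_ACCESS_REQUESTS_PER_WINDOW:
            return False, "information request limit reached for 12-month window"
        req = Request(consumer_id, kind, today,
                      today + timedelta(days=RESPONSE_DEADLINE_DAYS))
        self.requests.append(req)
        return True, req

    def overdue(self, today: date) -> list:
        """Requests whose 45-day deadline has passed; feed this to a daily check."""
        return [r for r in self.requests if r.due < today]
```

Rejected submissions are still worth logging separately in practice, since a pattern of failed identity checks against one account is itself a signal worth reviewing.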

Conclusion

If this seems like a significant amount of work, it’s because it is.

Since its inception, the Internet has been a relatively lawless environment regarding consumer protection. Now the days of the Internet as a Wild West are genuinely drawing to a close. Just like in the physical world, businesses that wish to profit must follow the rules or face the consequences. Luckily with the proper foresight and attention, CCPA compliance can be a straightforward exercise that doesn’t break the balance sheet.

Published from our Privacy Magazine – To read more, visit Privacy.dev

GDPR Fully Explained

With the European Union’s passage of the General Data Protection Regulation (GDPR), the practice of data regulation moved out of its infancy. GDPR is the first wide-reaching piece of unified data and privacy policy in the world, and it will heavily shape the plethora of rules set to follow in its wake.

Apart from the occasional headline about FAANG companies tussling with the new legislation, the practical impact of GDPR remains obscure. If you’re a stakeholder in a small-to-medium enterprise (SME), this is a big problem. Unlike Google and Facebook, SMEs are unlikely to have a bottomless legal budget to contest being found in violation of the GDPR. As a result, data compliance over the next five to ten years can quickly become a question of business survival. 

This guide is a starting point for understanding the implications GDPR has for these businesses. Let’s examine the document, chapter by chapter, to summarize its content and analyze the practical consequences for companies seeking compliance. 

1. Understanding the Key Terms

First, the GDPR begins by outlining the scope and subjects of its regulation. Chapter 1 covers Articles 1-4 of the document.

The two most important points to note from this section are where it applies and to whom. Territorially, the GDPR applies to data processing by organizations operating within the EU, even if the actual processing occurs outside the EU. It also applies to organizations based outside the EU that are offering goods and services to individuals inside the EU.

Controllers & Processors

To whom does it apply? The GDPR applies to two parties: Data Controllers and Data Processors.

A Controller is a party that determines the purposes and means of personal data processing. For example, a beer company that doesn’t build commercial software but has a website that gathers users’ birth dates is a data controller. The Processor is the party that processes or operates on personal data on behalf of the controller.

Continuing our previous example, the entity our hypothetical beer company subcontracts to build the beer brand website is a Processor. Note that the GDPR still binds data controllers even if they are using an independent Processor for data collection, storage, or processing.

Finally, the GDPR seeks to regulate information which constitutes personal data. Personal data is information that relates to an identifiable individual. Determining whether information “relates” to an individual is an exercise in judgment. One must consider both the content of the information and the purpose of processing such data. For most SMEs, it is advisable to err on the side of caution. Treat any piece of user information, even if pseudonymized, as personal data unless explicitly advised otherwise by appropriate legal counsel.

2. Learning the Core Principles and Business Implications

Second are the GDPR’s foundational principles, covered in Articles 6-11. At the core of the GDPR is the provision that data collection must be lawful, fair, and transparent. Lawful, in this case, has two implications.

First, a business must proactively identify a lawful basis for collecting and processing user data. You cannot “shoot first and ask questions later.” Moreover, it must determine that the consequences of that processing are lawful. If a company has a legal basis for processing user data but uses it to do something illegal, then they violate the GDPR.

Informed Consent

The lawfulness principle expands in Article 6, listing a myriad of conditions under which data processing can be considered lawful. “Informed Consent” is an essential requirement to be aware of: it is the principle under which many companies derive a legal basis for collecting data on their users.

Informed consent requires specific and unambiguous conditions. As a practical example, an online form with consent options as an opt-out selected by default violates the GDPR because it’s not unambiguous. The implications of informed consent are significant. 

Development and UX teams must work to structure their online data collection forms in a way that balances clean experience with legal compliance. Organizations can build natural ways for consent to be withdrawn at any time. If users can’t remove consent as quickly as they give it, then it doesn’t meet the GDPR requirements. A typical example of this requirement is the pop-up box requiring users to consent to the use of cookies on a company’s website. Now ubiquitous, these are direct results of GDPR requirements.

Fairness and Transparency

Fairness and transparency are the value-driven counterparts to “lawful.” Under the tenets of the GDPR, an organization must go beyond pure legal compliance, showing they have considered the impact of user data processing and found it justifiable. Orgs need open and honest approaches to data processing. Orgs also need to comply with requests from data subjects regarding their data, or the “right to be informed.”

What does this mean for an SME? It means the lawful, fair, and transparent collection of data doesn’t happen on an ad hoc basis. Organizations collecting user data must proactively examine each category of data they want to collect and evaluate whether it is consistent with the fundamental principles of the GDPR. 

Organizations must ensure systems are in place to signpost when and how data is being collected to meet the transparency requirement. They must also receive and respond to requests from their users regarding personal data processing.

More Core Principles

Compliant development teams are mindful of the following core principles: 

  • Purpose Limitation. You must limit your data collection to data that serves your intended purpose and explain it to the user in plain English.
  • Data minimization. You must keep the data collected to a minimum for serving your intended purpose. You can’t collect data on the “off chance” that it serves your purpose. It must be explicit and necessary for your use.
  • Storage Limitation. There’s a time component to purpose limitation, which requires that organizations must not store personal data beyond the time needed to complete an intended purpose. This seemingly small requirement has significant implications for how business is done. Data can’t just be stored in perpetuity once collected; teams must build systems for the periodic purging of data and the re-obtaining of affirmative consent at regular intervals.
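The three principles above translate directly into a scheduled retention job: every record carries the purpose declared at collection, a retention period follows from that purpose, and consent has its own expiry after which it must be re-obtained. The following is an added example illustrating such a job; it is not code from the article. The purposes, retention periods, the one-year consent renewal interval and the sample records are constructed assumptions, not values the regulation prescribes.

```python
"""Added example: a storage-limitation sweep.

Each record is classified as keep / purge / renew_consent from the purpose
declared at collection.  Policy values and sample data are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed retention policy keyed by declared purpose (days).  Records whose
# purpose is not declared here have no documented basis and are purged.
RETENTION_DAYS = {
    "order_fulfilment": 180,
    "newsletter": 365,
}
# Assumed interval after which affirmative consent must be re-obtained.
CONSENT_RENEWAL_DAYS = 365


@dataclass
class Record:
    subject_id: str
    purpose: str
    collected: date
    consent_given: date
    payload: dict


def classify(record: Record, today: date) -> str:
    """Decide what the sweep should do with one record."""
    limit = RETENTION_DAYS.get(record.purpose)
    if limit is None:
        return "purge"                      # undeclared purpose: no basis to keep it
    if today - record.collected > timedelta(days=limit):
        return "purge"                      # retention period exhausted
    if today - record.consent_given > timedelta(days=CONSENT_RENEWAL_DAYS):
        return "renew_consent"              # keep for now, but ask again
    return "keep"


def enforce(records: list, today: date) -> dict:
    """Run the sweep; returns subject ids grouped by action so the caller can
    delete, notify, or leave records alone.  Purged payloads are dropped here."""
    outcome = {"keep": [], "purge": [], "renew_consent": []}
    for r in records:
        outcome[classify(r, today)].append(r.subject_id)
    return outcome


def sample_records() -> list:
    """Constructed sample data for the sweep."""
    return [
        # collected 244 days before 2020-09-01: past the 180-day limit
        Record("s1", "order_fulfilment", date(2020, 1, 1), date(2020, 1, 1),
               {"order": "A-1001"}),
        # within retention, but consent is 458 days old
        Record("s2", "newsletter", date(2020, 3, 1), date(2019, 6, 1),
               {"email": "s2@example.invalid"}),
        # fresh record, fresh consent
        Record("s3", "newsletter", date(2020, 6, 1), date(2020, 6, 1),
               {"email": "s3@example.invalid"}),
        # collected "on the off chance": no declared purpose
        Record("s4", "speculative_analytics", date(2020, 8, 1), date(2020, 8, 1),
               {"clicks": 17}),
    ]
```

Running the sweep on a fixed schedule (daily or weekly) and keeping only the outcome summary, not the purged payloads, gives you an audit trail that shows the storage-limitation principle is actually enforced rather than merely documented.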

3. Understanding the Rights of the Data Subject

Having outlined the core principles, Articles 12-23 deal specifically with the rights of the data subject. Many of these rights stem directly from the need for lawful, fair, and transparent data collection. As we see in Chapter 3, these considerations break new and significant ground.

It is fair to say that the rights conferred on the data subject in this section have the most substantial impact, especially on how SMEs build data infrastructure. Essentially, businesses must be prepared to liaise with data subjects regarding their data and to take certain kinds of corrective action on the data residing in their systems.

Right to Access

Chapter 3 stipulates that citizens have a right to access their personal data and see how controllers are processing that data. Practically, data processors must have mechanisms in place to quickly and comprehensively share an individual’s data with them on request. Therefore, a business with a massive “data lake” of consumer information violates the GDPR if it can’t efficiently pull and distribute individual records.

Right to Erasure and Rectification

Chapter 3 confers additional rights on the Data subject, including the all-important Right to Erasure and Right to Rectification. These are safeguards to protect citizens even if their data has been captured lawfully, justly, and transparently. Rectification means that organizations must be able to correct inaccurate information about a data subject at the data subject’s request. Additionally, the Right to Erasure implies that a business must be able to provably delete all data related to a given individual if required to do so by request or otherwise. These conditions point to the need for reliable infrastructure supporting necessary capture and processing capabilities. 

Data Portability

Data Portability is less discussed in most media but equally impactful for individual businesses and the way they manage data. Article 20 of the GDPR stipulates that controllers must make data available to subjects in a “structured, commonly used, machine-readable format.” What this means for a small business is that if a Subject Access Request (SAR) comes in, the company needs to be able to turn around a response in a directly transferable format quickly. With this in mind, the artifact can’t be a printout or even a PDF. It’s more likely to be a file in CSV or JSON format that’s easily portable and can be opened and interpreted on the average citizen’s computer.

Furthermore, a business consideration that stems from the fluid requirements for data hosting is around building systems that are agile enough to respond to constant updating and extraction of data-sets. Development teams have to think carefully about requirements regarding data schemas and the versioning and specification of those schemas in the case of frequent changes.
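The Right to Access, Right to Erasure and Data Portability passages above, and the CCPA deletion obligation earlier on this page (erase on request and direct service providers holding copies to erase too), all come down to two operations over every store that holds a subject’s records: export them in a machine-readable form, and delete them everywhere with evidence that nothing remains. The following is an added example of those two operations over in-memory stand-ins; it is not code from the article. The store names, the row layout and the sample rows are constructed, and the SHA-256 subject reference in the deletion receipt is a design choice of this example so the evidence record does not itself retain the identifier it proves was removed.

```python
"""Added example: JSON export (portability) and provable, propagated erasure.

SubjectStore stands in for the primary database and for each processor or
service provider that holds a copy.  All data here is constructed.
"""
import hashlib
import json


class SubjectStore:
    """Minimal row store: row_id -> dict, every row tagged with a subject_id."""

    def __init__(self, name: str):
        self.name = name
        self.rows = {}

    def add(self, row_id: str, row: dict) -> None:
        self.rows[row_id] = row

    def rows_for(self, subject_id: str) -> dict:
        return {k: v for k, v in self.rows.items() if v["subject_id"] == subject_id}

    def erase(self, subject_id: str) -> int:
        """Delete every row for the subject; return how many were removed."""
        ids = list(self.rows_for(subject_id))
        for k in ids:
            del self.rows[k]
        return len(ids)


def export_subject(primary: SubjectStore, subject_id: str) -> str:
    """Structured, commonly used, machine-readable export: JSON with stable key order."""
    data = {"subject_id": subject_id,
            "records": list(primary.rows_for(subject_id).values())}
    return json.dumps(data, indent=2, sort_keys=True)


def erase_everywhere(primary: SubjectStore, processors: list, subject_id: str) -> dict:
    """Erase in the primary store, propagate to each processor, then re-check
    every store.  The returned receipt is the evidence to retain."""
    deleted = {primary.name: primary.erase(subject_id)}
    for p in processors:
        deleted[p.name] = p.erase(subject_id)
    remaining = {s.name: len(s.rows_for(subject_id)) for s in [primary, *processors]}
    return {
        # keep a one-way reference, not the identifier just erased
        "subject_ref": hashlib.sha256(subject_id.encode()).hexdigest(),
        "deleted": deleted,
        "verified": all(n == 0 for n in remaining.values()),
    }


def build_sample():
    """Constructed stores: a primary DB plus one mailing-list processor."""
    primary = SubjectStore("primary")
    primary.add("r1", {"subject_id": "alice", "kind": "account", "email": "alice@example.invalid"})
    primary.add("r2", {"subject_id": "alice", "kind": "order", "sku": "A-1001"})
    primary.add("r3", {"subject_id": "bob", "kind": "account", "email": "bob@example.invalid"})
    mailer = SubjectStore("mailer")
    mailer.add("m1", {"subject_id": "alice", "list": "newsletter"})
    return primary, [mailer]
```

The verification step matters more than the deletion itself: a receipt whose `verified` flag is false tells you a processor still holds a copy, which is exactly the partner failure the CCPA text says a business can be held liable for.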

4. Exploring the Obligations of Controllers and Processors

This chapter of the GDPR is chock-full of information with necessary business implications, and spans 19 articles, making it the lengthiest section of the GDPR. 

Here are the key points to take out if you’re dipping your toes into the data protection waters:

Data Protection by Design and Default

Article 25 addresses a core data management principle under the GDPR. What it means is that organizations are obligated to take “appropriate” measures when collecting, storing, and processing data. In practice, this means that privacy-by-design engineering is now a vital consideration for any dev team. Depending on the size of your team, a dedicated privacy engineer may or may not be feasible, but in any case, responsibility for privacy considerations must be delegated and prioritized among team members.

Other measures that may be considered appropriate, taking circumstances into account, are pseudonymization of data, encryption of data, and routine system security checks. With these safeguards in place, the ability to notify relevant parties of a data breach should be straightforward. However, the GDPR goes further in codifying the obligatory response time for each party.

Organizations must notify the data subject immediately if there is a breach of their data. They must inform the relevant supervisory authority within 72 hours too. Has your business run a fire-drill to train for data breach response? If not, it should have! At the moment, GDPR’s requirements mean that no time can be lost aligning on the process.

Data Protection Officer

Lastly, Chapter 4 describes the role of a Data Protection Officer (DPO). DPOs are becoming increasingly common among data-dependent businesses. In any case, if your business relies on processing large amounts of data (e.g., online behavior tracking), you’re required to appoint someone to this position. While the exact threshold for an obligatory DPO is still being hashed out via GDPR-related rulings, we recommend that businesses get serious about data management and proactively recruit for this position.

5. Understanding the Transfer of Data to Third Countries and International Organizations

Chapter 5 of the GDPR provides additional detail on data transfers involving parties outside or above EU jurisdiction. If a business seeks to transfer data to one of these parties, specific steps must be taken before the transfer is sanctioned under the GDPR: namely, “appropriate safeguards” and vetting of the third-party organization with the relevant EU supervisory authorities. In the absence of a positive green light from those authorities, transfers are permissible only if it is proven that the appropriate safeguards have been put in place.

Chapter 5 states that companies need to follow data protection best practices inside and outside of EU jurisdiction. GDPR ensures all data emanating outward from European-supervised entities gets transferred with due caution and security of data subject rights.

6-11. Understanding the Additional Detail Contained in the Remaining Chapters

The structure of the GDPR document outlines most of the key terms, concepts, and prescriptions in the first five chapters. The back half of the regulation paper is less concerned with introducing new ideas and more concerned with firming up processes of compliance, enforcement, and sanctions related to GDPR compliance. Nevertheless, in this part of the document, there are essential points to note due to tangible business impact. 

Establish a Supervisory Authority

Chapter 6 calls for the establishment of at least one supervisory authority in each European Member State. Authorities monitor and enforce GDPR compliance in a given country, and businesses in that country submit annual reports proving GDPR compliance. SMEs, therefore, should look to incorporate streamlined reporting capabilities as part of their data operation. Chapter 7 describes in further detail how these supervisory authorities are to cooperate and work together to promote EU-wide GDPR compliance.

Penalties

Chapter 8 of the GDPR breaks down compliance processes and the penalties imposed for failing to comply with GDPR rules. We recommend that all critical stakeholders in SME data operations read through these articles in detail. Does your business need more convincing of the unique and financially significant consequences of taking the GDPR lightly? Then remember, GDPR violations can result in fines of up to 4% of the business’s global turnover (per annum). This can amount to billions of dollars, as recent GDPR cases involving the FAANG companies have demonstrated. Forewarned is forearmed!

Outstanding Business Items

Finally, Chapters 9-11 tidy up outstanding items of business, including some discussion of exceptional data cases and the adoption of different member state data measures. Development teams and other SME stakeholders do not need to focus on this part of the document, especially when they’ll need to work so hard to process and incorporate all of the detailed instruction that has come before.

Conclusion

In conclusion, the GDPR is a significant and wide-ranging piece of legislation that will have a big impact on the business and technology landscape. Though the many implications of the document may seem daunting, if you’ve made it to the end of this guide: congratulations. You’re now significantly better informed on the steps you need to take to become data compliant. Now it’s time to round up the key players in your business (developers, management, marketing teams, and more) and start to game-plan for the changes that lie ahead.