The California Consumer Privacy Act Part II - What Does It Mean And What Do You Do Next?

In my last post, I covered which creative professionals and online businesses may be caught up by the CCPA - even if they aren’t based in California. If you do fall under the CCPA (or even just want to be prepared in case you later fall under the CCPA), you’ll need to be prepared to do a number of things come 2020.

WHAT DO CONSUMERS GET?

So what exactly do you now need to be provide consumers whose information you’ve captured? A lot, actually:

Disclosure: First, consumers have the right to ask you for a report disclosing the categories of information you’ve collected about that consumer; the sources of the information; the purpose for collecting or selling the information; the categories of third parties with which you share their information; and the specific pieces of personal information you’ve collected.

Of course, giving out personal information can actually create a risk of privacy breach, so you’ll need to comply with the Attorney General’s guidance on responding to these requests. As an example, social security and bank account numbers shouldn’t be given out even if requested, and reasonable steps need to be taken to verify a consumer’s identify before providing the report. At the same time, you’re on the clock – in most cases you’ll need to acknowledge the request within 10 days, and provide the report within 45 days.

Collection: Going forward, you’ll need to inform consumers at or before the point of collection what categories of personal information you’re collecting, and why. Sure, if you’re asking for an email address to add someone to a newsletter, this may seem rather obvious. But if you’re planning on doing anything else with that email address in the future, you need to disclose it now. And there are plenty of non-obvious ways you may be collecting information without the consumer (or even you) knowing about it. For example, some DIY website providers automatically set your website to collect cookies and other information for analytics. You may need to modify your site and update your privacy policy to comply.

Deletion: In most cases, a consumer can now order you to delete all or part of their personal information which you’ve collected. And if you offer the option to delete just part of their data, the option to delete all information must be “more prominently presented.” Deleting data becomes especially complicated when the information you’ve collected may apply to multiple people (like a household), or when minors are involved.

Opt-Out: You can no longer sell consumer data that is subject to the CCPA unless you provide notice to your consumers, and a prominent option to opt out. Specifically, you must have a "Do Not Sell My Personal Information" link on your website’s homepage that leads to a page or form which enables a consumer to opt out of the sale of their information.

Privacy Policy Requirements: Your privacy policy (and, implicitly, this means you need to have one), must include all of the following information:

  • A list of consumers’ rights under the CCPA, including their right to opt out of the sale of personal information and another link to the "Do Not Sell My Personal Information" page or form.

  • The methods consumers can use to submit a request for the report mentioned above; and

  • A list of all of the categories of personal information that you have collected, sold or disclosed to a third party in the preceding 12 months.

Plus, you have to update this last item (and thus update your policy) every 12 months. No more setting and forgetting this document.

Anti-Discrimination: You cannot “discriminate” against any consumer who exercises their rights under the CCPA – for example, by refusing to deal with customers who exercise their opt out rights, or charging customers for requesting their report. However, you can offer customers discounts if they allow you to sell their data, provided that the discount is reasonably related to the value of their data.

Liability for Data Breaches: Last but certainly not least, the CCPA also creates new liability if you suffer a data breach and didn’t take reasonable steps to prevent it. Unlike the rest of the CCPA, which is enforced by the California Attorney General, this is a private cause of action – meaning that consumers themselves can sue you. Even if they can’t prove the theft caused any damage, they can recover statutory damages between $100 and $750 per consumer per incident (so imagine what happens if you lose 50,000 consumers’ information in one hack). And if they can prove actual damages, they can recover those damages instead.

The good news is that the law doesn’t create a strict liability – you just need to take “reasonable” steps to protect your consumers’ data. But if you’ve been storing your consumer’s personal information on unencrypted servers, leaving it available on your phone without a passcode, or just ignoring the possibility of being hacked altogether because you’re a small business, you’re running a huge risk. Also, unlike the recent privacy laws passed in Europe, the CCPA is not limited to online and electronic data, or to sensitive data like social security numbers. Someone swiping a paper list of your customers’ names or telephone numbers from your home or office is enough to create liability. 

WHAT DO I DO NEXT?

First, you should take a hard look at your business and see if the CCPA applies to you – or could potentially apply to you in the coming years as your business wildly succeeds and grows (I’m pretty positive for a lawyer).

If it does (or could), it is essential that you have a firm understanding of the personal information you already control and what you are collecting going forward. Everything else depends on you knowing what you have and where it is kept – you can’t provide a consumer their report or delete their data if you don’t know where it is. Likewise, if you’re storing “personal information” in multiple places (e.g., names and telephone numbers in one database, email addresses in a different database, cookies with your web provider, and a spreadsheet with God-knows-what on an old hard drive), you need a plan for consolidating and tracking all of it.

You’ll also need to set up a protocol for responding to requests and generating reports – doing it ad hoc every time will overwhelm you (imagine getting 50,000 requests at once). And you’ll need to contact your website developer or IT department to implement the required notices, opt out links and options on your website.

Now would also be a good time to update your privacy policy (you have one, right?) to make sure it actually reflects your business and practices. If you’re using a form policy you found on the Internet years ago and never paid much attention to, you really need to spend some time on it now.

Finally, if in doubt, ask for help — attorneys are still getting their arms around the new law themselves, but your attorney should be able to point you in the right direction. There are also plenty of vendors who are gearing up to assist businesses with auditing their security, updating their privacy policies and protocols, and putting together a plan for compliance.