Doing business in California? Don’t risk data breach.

On June 28, 2018, California’s Governor signed “The California Consumer Privacy Act of 2018” (CCPA) into law. Much like the EU’s General Data Protection Regulation (GDPR), it directly affects California businesses and any business that deals with California residents.

In today’s market, data-driven processes mean a more customer-centric approach. Customer acquisition and retention supported by data collection, measurement, and integration are critical to staying competitive. Data is an essential and powerful tool, but it also creates added layers of responsibility. States around the country are beginning to hold companies accountable for how they collect, store, and manage their customers’ data.

Events such as the Cambridge Analytica data scandal and an ever-increasing uptick in data breaches within the private and public sectors (5.9 million data records are stolen or lost each day) have prompted states to follow in the footsteps of the EU’s General Data Protection Regulation (GDPR) by passing legislation to protect residents’ privacy rights and taking legal action against companies that don’t comply. Companies that do business with California residents have until January 1, 2020 to prepare themselves.

Are you prepared?

What is California’s New Data Privacy Law?

Also referred to as AB 375, or the California Consumer Privacy Act (CCPA), the new law requires that all companies who conduct business with California residents comply with stricter procedures to protect online privacy and to consolidate how companies gather, control, secure, and use California consumer data. Furthermore, the CCPA gives California consumers the right to:

•  Know what type of information is being collected
•  Notification of the enterprise’s intent to sell that information
•  Know who their information is potentially being sold to
•  Decline the sale of personal information (opt-out)
•  Have their personal information deleted from the enterprise’s database
•  Not be denied products or services if they choose to do any of the above actions

A few more definitions you should be aware of include how the CCPA defines consumer, business, and personal information. Per the bill, a consumer is “a natural person who is a California resident.” The definition of “business” is a bit more involved and encompasses all legal entity types, e.g., sole proprietorship, partnership, LLCs, corporations, etc. that “collects consumers’ personal information.”

According to the CCPA, personal information includes:

•  Social Security Numbers
•  Driver’s license or other state-issued ID
•  Financial records, including all financial accounts and debit or credit card numbers
•  Health or medical insurance data
•  Biometric data (e.g., behavior, DNA data, fingerprints, retinal scans, sleep habits, exercise data, etc.)

But this is not an exhaustive list. Make sure to visit the California Legislative Information website for more detailed information.

How to comply with California’s Consumer Privacy Act of 2018

The CCPA goes into full effect on January 1, 2020. If you are already in compliance with the GDPR, then most of your work is already done. Additionally, the CCPA isn’t applicable to information that is collected and processed in compliance with the Health Insurance Portability and Accountability Act (HIPAA), or “collected, processed, sold, or disclosed” per the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act, or the Driver’s Privacy Protection Act. Although the compliance list below isn’t exhaustive, it does give you a succinct overview of the essential steps needed for CCPA conformity.

1. Update Privacy Notices

Like the GDPR, your privacy notices and policies will need to clearly state which categories of information you intend to collect, process, sell, or disclose. You must also include “a clear and conspicuous link” on your homepage entitled “Do Not Sell My Personal Information.”

2. Update or establish a process to categorize and trace your data inventory

You’ll need more categories (or metadata) for your California consumers. This should include classifying the data that you can sell to third parties (for those Californians who’ve opted in vs. opted out) as well as tracking the sale of that data.

Also, you need to include categories that identify the data based on whether it is subject to other federal compliance laws (as stated above) and on the length of time since the data was collected (12 months is the current maximum, beyond which exemptions may apply).

3. Create and implement processes for all CCPA defined consumer rights

At any time, California consumers retain the right to opt out of allowing you to sell their data. The same is true for their information requests and their right to delete any and all personal information that you’ve collected.

Companies must make available to all customers two or more methods of submitting requests for information, such as “at minimum, a toll-free telephone number,” and “if the business maintains an Internet Web Site, a Website address.” You will have only 45 days from the date of the consumer’s request to satisfy their demand.

If you haven’t done so already, you’ll need to set up your backend processes to filter and handle requests so that you respond to those for which you can be held liable. You may need either to train existing employees or to hire new ones to ensure that requests are promptly processed and accurately classified as valid or out of scope per the CCPA.

In addition, your data inventory will require perpetual updating and auditing so that you have the most recent metadata and all data is appropriately classified and tracked. The penalties for non-compliance can be steep, ranging from $100 up to $7,500 per violation. The CCPA gives you only 30 days to fully comply with the new law if you are found to be in violation. The time to prepare is now.

But we have offices in other states. Do we still have to comply with these new regulations?

Exclusions as to which business types must comply do exist, but there is no restriction on where the business is located. This means that if you’re headquartered in New York and conduct business with California residents, then the CCPA will apply to you.

Further, as of 2019, 26 U.S. states have enacted private-sector-focused data security laws that regulate how personal data must be secured during collection, storage, and disposal. However, all 50 states have some kind of data security or data protection law, whether sector-specific or comprehensively covering all industries. Most, if not all, of these laws specifically address protecting their residents and generally do not draw a clear-cut line as to whether they apply only to in-state businesses or to out-of-state businesses as well.

Erring on the side of caution and contacting your legal representative(s) is highly recommended to ensure that you’re in compliance with each state’s data protection law. If you’d like more information on the new law, you can reach out to California’s Office of the Attorney General.