Effective January 1, 2020, the California Consumer Privacy Act (CCPA) gives California residents more control over how their personal data is used and shared, and requires qualifying companies to follow stricter rules on how personal data is collected and processed. In short, the CCPA gives California residents the right to know what personal data a company collects about them, how it will be used, and with whom it will be shared. The law also requires qualifying companies, on request, to disclose the personal information they hold about a consumer and to delete it. Lastly, the CCPA allows California consumers to opt out of the sale of their personal information to third parties going forward.
While being compliant with GDPR is helpful when preparing for CCPA, there are some distinct differences to be aware of:
Beyond these, there are further underlying differences that make it difficult, and costly, to bring even a GDPR-compliant company into line with the CCPA.
If you are a for-profit company doing business in California, you are required to be compliant with CCPA if you:
Although the law took effect on January 1, 2020, it will not be enforced until July 1, 2020, which gives noncompliant businesses additional time to analyze its impact on their operations. One word of caution: the law contains a lookback window covering personal data collected on California residents since January 1, 2019. Consumers can therefore request personal information gathered during 2019, which makes the path to compliance harder, since those records must already be locatable and retrievable.
There are a myriad of ways a company can be determined to be noncompliant under CCPA.
The length of this list underscores the complexity of the new law and the risk of violating it.
Overall, if your company is within the scope of the CCPA and collects consumer data for resale, you may continue selling or sharing that data as long as the consumer has not opted out. If a consumer requests deletion, you must ensure the data is removed not only from your own systems but also from those of your data partners. That quickly becomes unmanageable if records are not clearly tagged and maintained, or if they are not tracked as they pass between parties.
If you use programmatic advertising, the law does not spell out how a consumer's personal data must be treated once they opt out. However, because programmatic advertising uses personal data to increase the value of an impression, the bids themselves would appear to fall within the scope of the CCPA. That could mean that once a consumer has opted out, you will be required to remove their personal data from future ad calls.
Things are also not black and white if your company must comply with the CCPA but does not resell data. Your business processes may not change, since you are not selling data, but a consumer will still have the right to request and delete their personal data, and, should a data breach result from a failure to implement reasonable security measures, that consumer will have a private right of action to sue. Numerous areas of the law also call for judgment in interpretation. For instance, if you are an adtech company collecting first-party data to improve the user experience, that collection may fall under the "business purpose" category, in which case your customers could not opt out of it. But if a customer does opt out and you have shared their personal information with data partners, you will likely have to have that data pulled from the partners' systems as well.
The California law appears to be the first of many personal data privacy regulations to come in the United States. States including Nevada, Maine, Massachusetts, Maryland and New York have either passed privacy laws of their own, some taking effect later in 2020, or have privacy legislation pending. A federal bill modeled on the CCPA has also been introduced. These stricter standards are changing, and will continue to change, the way business is done in the US.
Becoming CCPA Compliant is all about having the right tools and information to inform your internal processes and procedures. Withum’s cybersecurity services team has vast experience in providing appropriate due diligence and remediating businesses suffering from some of the largest and most highly publicized data breaches and operations to date, across all industries. We have the “know-how” on what auditors look for, a diverse group of individuals from many educational and industry backgrounds and the technical expertise to assess your current infrastructure, inform your decision-making and ensure your business is on track to responding to customer requests and avoiding violations.
Withum's cybersecurity team can review your website for CCPA compliance (cookies, opt-outs, contact information), establish internal processes and procedures for handling incoming requests, and act as your vDPO (Virtual Data Privacy Officer) to oversee end-to-end data security and the prompt resolution of requests, supporting your business while you focus on the day-to-day.
Does your company fall under the scope of CCPA? If so, Withum can connect you with legal advisors who can assist your business with ensuring you are compliant with the CCPA and other future privacy regulations.