Privacy rights continue to be a hot topic issue. As the laws and regulations become more stringent and widespread, companies must be prepared to remain compliant moving forward. This means not only making sure that your company is handling data is a compliant fashion, but also making sure your business partners/service providers are as well. While those of us doing international business are familiar with and have developed General Data Protection Regulation (GDPR) compliance within our organizations, we now are creeping up on the California Consumer Privacy Act (CCPA) compliance deadline of January 1, 2020.
As with any legislative deadline, there have been fast-moving changes to the current state of the CCPA. In fact, on Friday, October 11, 2019, the Governor signed five CCPA amendments (AB 25, 874, 1146, 1355, and 1564). The Attorney General also released the proposed draft regulations on October 10, 2019. While we await the public hearings, we can anticipate the draft regulations will likely be enacted on July 1, 2020.
The question now becomes: “What does your business need to know?” Here are five key components of CCPA that all companies doing business in California should be aware of.
If your business sells its consumers’ personal data, it is time to read the proposed regulations thoroughly. There is some great guidance on how to comply with the “opt-out” requirements. Specifically, it is noted a business shall post the notice of right to opt-out on the webpage the consumer is directed to after clicking on the “Do Not Sell My Personal Information” or “Do Not Sell My Info” link on the website homepage or landing page on a mobile app. The proposed regulations even go so far as to give an example of what the opt-out button or logo should look like. This opt-out option needs to be addressed for offline methods of collection as well.
For those of us already GDPR compliant, we are all too familiar with the “right to be forgotten.” With CCPA, consumers have a similar option which is entitled “request to delete.” This allows a consumer the right to request any personal information collected about the consumer to be erased. The business needs to have two methods for placing these types of requests – whether it be email, telephone, interactive webform, or US mail. The proposed regulations indicate that when a business receives a “request to delete,” they must confirm receipt of the request in 10 days and respond within 45 days. The company must also log any “requests to delete.” Some exceptions allow a business to not delete information in certain situations. Those include when the information is necessary to:
- Complete a transaction.
- Provide a good/service the consumer has requested.
- Perform a contract.
- Detect security incidents.
- Protect against “malicious, deceptive, fraudulent, or illegal” activities.
- Prosecute people responsible for “malicious, deceptive, fraudulent, or illegal” activities.
- “Debug to identify and repair errors that impair existing intended functionality.”
- Ensure the exercise of free speech.
- Ensure the business can exercise “another right provided for by law.”
- Comply with a legal obligation.
Businesses may also need to update service-level agreements with any third-party provider where data processing is at issue. CCPA defines the term “sell” in a broad manner that does implicate arrangements where there is an exchange of value between the business and another party for the consumer’s personal information. The Proposed Regulations indicate that Service Providers should not use personal information collected from one business to provide services to another business. Specifically, it is indicated “A Service Provider shall not use personal information received either from a person or entity it services or from a consumer’s direct interaction with the Service Provider to provide services to another person or entity. A Service Provider may, however, combine personal information received from one or more entities to which it is a Service Provider, on behalf of such businesses, to the extent necessary to detect data security incidents, or protect against fraudulent or illegal activity.” It also becomes critical that businesses utilizing service providers are contractually addressing the data processing relationship and providing clear instructions on how to respond to a consumer request that is received by a Service Provider on behalf of a business it services.
AB 25 has modified the definition of “consumer” under the CCPA to exclude for one year “a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant to, an employee of, a contractor of, or an agent on behalf of, the business, to the extent the person’s personal information is collected and used solely within the context of the person’s role as a job applicant to, an employee of, a contractor of that business.” As long as an employer is collecting the data of its candidates and employees for purposes solely relating to employment, the CCPA generally does not apply to the collection of that personal information. This exemption will remain in effect only until January 1, 2021. It is anticipated that we will see a separate employee privacy bill proposed prior to the one-year deadline.
TargetCW takes data privacy seriously and believes it is best to take a transparent approach to how we handle personal information. Check out our policies at https://www.tcwprivacy.com/policies.