
Mitigating the Impact of the CCPA

5 Things to Know About the California Consumer Privacy Act

by Katherine Catlos
October 25, 2019
in Data Privacy, Featured

With the CCPA going into effect on January 1, Kaufman Dolowich & Voluck partner Katherine Catlos and EC Wise CEO Jack Hakim outline key facts about the California legislation and discuss how companies can mitigate the risk of noncompliance.

with co-author Jack Hakim

The California Consumer Privacy Act (CCPA), which goes into effect January 1, 2020, is the most comprehensive privacy law passed in the United States. It’s not just that there are new consumer rights associated with personal information (PI) and more severe penalties, but the definition of PI is very broad. The CCPA defines PI as any “information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household” (Cal. Civ. Code §1798.140(o)).

California’s expansive definition of PI includes:

  • Personal identifiers;
  • IP addresses;
  • Biometrics;
  • Commercial information, including records of personal property, products or services purchased, obtained or considered or other purchasing or consuming histories or tendencies;
  • Internet or other electronic network activity information;
  • Professional or employment-related information; and
  • Any consumer profile inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.

Of note, Assembly Bill (AB) 25 clarified that employee data is presently excluded from the CCPA, but this exemption sunsets on January 1, 2021 as privacy advocacy groups, unions and industry-side advocacy groups “duke out” how the CCPA applies to the workplace, employees and independent contractors.

Understanding where PI about California consumers is located throughout your organization, where it flows within the organization and how it is protected will require a significant, dedicated effort.

Here are five things every organization needs to know about the CCPA.

1. New Consumer Rights

Please keep the aforementioned broad definition of PI in mind as you read about these new consumer rights.

For each new consumer right, there is a corresponding obligation/risk-mitigating measure required of covered businesses. Below we describe several key CCPA consumer rights and their reciprocal business obligations.

The Right of Disclosure

A consumer has the right to request that a business that collects a consumer’s PI disclose the categories and specific pieces of personal information the business has collected (Cal. Civ. Code §§1798.100, 1798.110, 1798.115).

A business that collects a consumer’s PI shall, at or before the point of collection, inform consumers of the categories of PI to be collected and the purposes for which those categories of PI shall be used. A business shall not collect additional categories of PI, or use collected PI for additional purposes, without first providing the consumer with notice.

A business shall provide this information to a consumer only upon receipt of a verifiable consumer request.

The 12-Month “Look Back”

Within 45 days of the “verifiable consumer request” for PI, a covered business must provide the categories and the specific pieces of personal information collected, sold and/or disclosed; the categories of sources from where the personal information was collected; the business or commercial purpose for which the personal information was collected; and the categories of third parties with whom the personal information is shared for the 12-month period preceding the request (See Cal. Civ. Code § 1798.130(a)(2)).

The business’s response “may be delivered by mail or electronically; if provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit this information to another entity without hindrance” (See Cal. Civ. Code §1798.100(d)).

This means that your organization should already be maintaining accurate records of consumers’ PI starting from January 1, 2019, since CCPA goes into effect January 1, 2020.

The Right of Deletion

A consumer shall have the right to request that a business delete any personal information about the consumer that the business has collected from the consumer. This is generally known as “the right to be forgotten.” A covered business must delete from its records a consumer’s PI after receiving a verifiable consumer request to do so, and it must have contractual agreements that require any service providers it has shared PI with to do the same (Cal. Civ. §1798.105). There are multiple exceptions provided in the code.

The Right to Opt-out of the Sale of PI

A consumer shall have the right, at any time, to direct a business that sells PI about the consumer to third parties not to sell the consumer’s PI (Cal. Civ. §1798.120).

The Right not to be Discriminated Against

A business shall not discriminate against a consumer because the consumer exercised any of the consumer rights under this title (Cal. Civ. Code §1798.125).

2. Financial Risk

There is significant financial risk for CCPA noncompliance, including:

Fines

Violations can cost between $2,500 and $7,500 per violation per affected individual (Cal. Civ. Code §1798.155). For instance, a California prospect list of 20,000 persons improperly processed or breached can lead to a fine of $50 million to $150 million. Data breaches in the U.S. are quite common, and the average breach involves over 25,000 records.

Private Consumer Actions

The CCPA provides a private right of action for any consumer whose nonencrypted PI is subject to an unauthorized access, exfiltration, theft or disclosure as a result of the business’s failure to implement and maintain reasonable security procedures and practices. Affected consumers may recover damages not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater (Cal. Civ. Code §1798.150). A class-action suit for statutory damages due to a breach of 20,000 California prospects could be $2 million to $15 million without proving actual damages to the consumers.

Brand Reputation

Reports of data breaches and ill-advised privacy practices often lead to a steady erosion of consumer trust and loyalty, putting business reputation at risk. Because it can take years to regain consumer confidence, such reports open the door for competitors to fill the space.

3. Getting Compliant Takes Teamwork and Stakeholder Buy-In

The CCPA imposes legal and technical challenges, including:

  • Data mapping to understand where all PI and its metadata (i.e., category, business uses) reside and where data flows within the organization;
  • Creating mechanisms that enable consumers to make disclosure, opt-out and deletion requests;
  • Training, and potentially hiring, employees to respond to consumer requests;
  • Adopting new policies and procedures;
  • Reviewing third-party agreements; and
  • Building security practices and operational capabilities that can scale to satisfy large numbers of simultaneous consumer requests on their new rights, such as those that accompany class-action suits.

Although many of these tasks should be augmented with automation technologies, knowledgeable resources are still needed, and there are tasks that will require human intervention and judgments.

Data discovery and mapping of PI can be a significant undertaking, especially when businesses must decide how PI could be deleted, the uses of said PI and the impact of the categorization of business uses on the rights and the exceptions that exist within the CCPA. For instance, if the PI is needed to carry out the services under contract – for debugging, etc. – it does not need to be deleted under a right to delete (Cal. Civ. Code §1798.105(d)(1), (3)).

4. There is a Lot You Can Do to Reduce Your Risk Under the CCPA

Understanding your PI will allow you to determine what can fall under an exemption to the CCPA, what data you need to encrypt and redact and what should be deleted – resulting in policy changes that will reduce your risks. Most defenses to a CCPA claim will require you to understand how best to categorize and use your data. You do not want to be doing data discovery, classification, mapping and life cycle planning in the middle of responding to customer requests. Redoing service provider and third-party contracts can ensure that you are able to comply and, where appropriate, transfer the risks to those parties.

Expect more private class-action suits than prosecutions from the Attorney General’s office. Compliance with the CCPA will add yet another dimension to reducing the risk of breach. Mitigating the scale and scope of breaches should be a key focus.

5. Yes, You Probably Need to be CCPA Compliant

If you are a for-profit business that collects and processes PI of California residents, households or devices (regardless of the state or country of that business), you will have to comply with the CCPA if you meet just one of the following three criteria:

  • Generate annual gross revenue of over $25 million,
  • Receive or share data of over 50,000 California residents annually or
  • Derive at least 50 percent of annual revenue by selling California residents’ PI (under the new, quite broad PI definition) (Cal. Civ. Code §1798.140(c)).

It’s not hard to meet these criteria. You will fall within the CCPA if your organization:

  • Uses cookies or tracks IP addresses on a website and has an average of 137 unique California consumers a day (50,000 a year);
  • Has a phone app that captures location or other PI data;
  • Reaches out to prospects and customers from lists that total more than 50,000 persons during a year; or
  • Reaches 50,000 through any combination of the above.

Summary

Noncompliance can be expensive, and failing to start and to have a plan will increase your risk and costs dramatically. Preparation can meaningfully reduce risk for businesses covered by the CCPA. There is a lot you can and must do. At the very least, understand what PI under the CCPA you have, know your present risks and develop the path to reducing – if not eliminating – those risks.

Katherine Catlos Esq., CIPP/US, CIPM is a partner in the San Francisco office of Kaufman Dolowich & Voluck LLP, where she handles employment law and privacy law matters. She is also the firm’s Chief Diversity & Inclusion Officer.