— by Lindsey Ullian, Threat Stack Compliance Manager
After GDPR went into effect in May 2018, many companies reassessed their privacy program — implementing more transparency and giving more control of personal information to the consumer. Now, with the CCPA (California Consumer Privacy Act) coming into effect in January 2020, even more companies are buttoning up their data privacy programs. The CCPA is not a guideline — it’s an act, and all companies that fall within its scope must comply. If companies don’t abide by this regulation, they could be looking at fines of up to $7,500 for each intentional violation.
Since both acts are related to data privacy and aim to provide more control and transparency to the consumer, most companies’ first question is, “If I’m GDPR compliant, am I covered for the CCPA?” The following article by Kevin Kish, Privacy Technical Lead at Schellman & Company, will give you a clear picture as to what you may have covered and what you’re lacking within your privacy program — outlining the similarities and differences between the two regulations. And what about companies that haven’t implemented proper GDPR data procedures? Short answer — they’ve got a bigger road ahead. Fortunately, this article details clear steps you can take to comply with the CCPA.
It’s clear from the enactment of the CCPA, shortly after the GDPR, that data privacy regulations are not going to go away anytime soon, so as a top-level best practice, companies should aim to be proactive and build a privacy program that aligns with these regulations and allows them to maintain strict CCPA compliance monitoring.
Overview of CCPA
Privacy continues to fill headlines with endless coverage of data misuse by household-name companies, highlighting their unethical data management, collection, and sharing practices. With the frequency of data breaches, impacted consumers are cautiously contemplating whether they can ever safely release their personal information on the internet. Simultaneously, optimistic privacy advocates across the U.S. campaign for reasonable online privacy standards and corporate accountability. With powerful momentum, California’s Consumer Privacy Act (CCPA) was passed on June 28, 2018, with the goal of increasing transparency, access, and control over a consumer’s personal information and handing out considerable penalties to organizations for infringement of the Act’s provisions.
As a result of the Act’s introduction, enterprises must now place particular emphasis on time-sensitive processes necessary for responding to California consumers’ information (access) requests. Rooted within the CCPA’s consumer response requirements are the obligations to provide fair and accurate depictions of data collection, processing, and sharing arrangements over the trailing 12 months. And while enterprises may anticipate full alignment with the CCPA’s requirements before the January 1, 2020 effective date, compliance will require immediate attention to ensure that accurate data registers are in place and contain a year’s worth of data collection, selling, and disclosure activities upon the CCPA go-live date.
This post explains, from a privacy practitioner’s perspective, why enterprises shouldn’t delay the development of scalable data inventories and data mappings to help comply with the requirements of CCPA section 1798.130 for providing requesting consumers with a trailing 12-month snapshot of their data usage.
The Twelve-Month Lookback Period
While the CCPA’s textual requirements detailing the 12-month lookback period may not stand out during a first read through, it is important to highlight where this requirement exists and why it has been included in the Act.
The term “12 months” can be found 15 times within the Act. For purposes of this analysis, we will focus on the requirements described under 1798.130, which address an enterprise’s obligation to “disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable request from the consumer.” As further specified under this section, the trailing 12-month period applies in three specific cases:
- Personal information collected about the consumer in the preceding 12 months by reference to the enumerated category or categories in the subdivision.
- Personal information of the consumer that the business sold in the preceding 12 months by reference to the enumerated category in the subdivision.
- Personal information of the consumer that the business disclosed for a business purpose in the preceding 12 months by reference to the enumerated category or categories in the subdivision.
Like most, you may be wondering why the 12-month period is stipulated at all. For this, we need to examine the fundamentals of the Act, including relevant events that prompted privacy reform. These reasons center on the concept of reasonable ‘transparency,’ formally defined as “characterized by visibility or accessibility of information especially concerning business practices”. You will find that the concept of ‘transparency’ of data processing activities is commonly called out in other mandatory and/or voluntary privacy legislation (i.e., GDPR, APEC, OECD), and is a critical element of legitimate business relationships. At the same time, consumers most likely do not read an organization’s privacy notice through a pair of legal lenses, as most notices are still not written in a clear and concise format, but they do have reasonable expectations around the usage and processing of their data. Because of this, enterprise accountability around data usage has taken the spotlight to avoid deceptive, unfair, or illegal data collection, processing, and sharing arrangements, such as the negligence found under the recent Facebook / Cambridge Analytica case.
Since enterprises complying with requirements of the EU’s GDPR will already have a baseline data processing register, a formal review should occur to validate the effectiveness of the current documentation in accordance with the CCPA. Where no prior preparation has taken place, management should immediately organize a cross-functional team to identify all points of data collection, data sharing activities, and any cases for disclosure.
Poor or no planning for building and maintaining data registers also has its own associated risks. While organizations may consider an ad hoc approach for managing consumer (or data subject) requests with little preparation, the enterprise exposes itself to real legal action by CA’s Attorney General (AG) and consumers alike.
Key Definitions From the Lookback
Equally important to the formal consumer response processes is having a strong understanding of the personal data processing environment. In accordance with the 12-month lookback and for purposes of exposing the necessary personal information required in a consumer response, the following terms should be clearly understood to ensure that an accurate facilitation of consumer inquiries takes place in accordance with the Act:
- Collecting: Buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.
- Selling: Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
- Disclosing for Business Purposes: The use of personal information for the business’ or a service provider’s operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected.
Too late to start preparing?
The CCPA will be effective on January 1, 2020. Vigilant organizations should be prepared to provide consumers with details regarding the previous year’s data collection, sales, or disclosure activities on that date (i.e., from January 1, 2019).
Additionally, enterprises should be aware of the dates for which California’s AG can enforce the CCPA. Specifically, the Act states that “The Attorney General shall not bring an enforcement action under this title until six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.” As stated, enforcement is dependent on the AG’s final publication of the Act, which hinges on the AG’s timeline for issuing adoption and implementation guidance to the Act’s requirements.
Am I covered by GDPR’s Record of Processing Activities?
Let’s take a look at the specific requirements between the two pieces of legislation to identify what can be leveraged:
| | GDPR record of processing activities | Covered for the CCPA? |
|---|---|---|
| a. | the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative, and the data protection officer; | Yes, where personal information is collected and/or disclosed to parent companies, subsidiaries, or partner organizations. Relevant Sections: 1798.140(d) |
| b. | the purposes of the processing; | Yes, where it describes the use of personal information for the business’ or a service provider’s operational purposes, or other notified purposes. Relevant Sections: 1798.140(e), 1798.140(t), 1798.140(d) |
| c. | a description of the categories of data subjects and of the categories of personal data; | Yes, where it is accurate, maintained, and captures all categories of personal information for at least 12 months. Relevant Sections: 1798.140(e), 1798.140(t), 1798.140(d) |
| d. | the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organizations; | Yes, where it describes all instances where the personal data categories have been sold or disclosed for business purposes. Relevant Sections: 1798.140(t), 1798.140(d) |
| e. | where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards; | While useful for interrelated CCPA/GDPR areas, they are not specifically required for a CCPA verified consumer response. |
| f. | where possible, the envisaged time limits for erasure of the different categories of data; | While useful for interrelated CCPA/GDPR areas, they are not specifically required for a CCPA verified consumer response. |
| g. | where possible, a general description of the technical and organizational security measures referred to in Article 32(1). | While useful for interrelated CCPA/GDPR areas, they are not specifically required for a CCPA verified consumer response. |
While the GDPR’s record of processing activities requirement can be leveraged to aid in the preparation for the CCPA 12-month lookback requirement, the CCPA and GDPR are inherently different due to scope. An analysis should be performed on the existing documentation before considering this obligation fulfilled.
The CCPA mandates that organizations provide consumers with an accurate look-back at the data that was collected, sold, or disclosed during the business relationship or service delivery. Organizations should avoid the temptation to rely solely on existing processes resulting from the GDPR without further analysis, or to not prepare at all. Prior to the effective date in January 2020, businesses should take the opportunity to develop a comprehensive data inventory to ensure that all relevant personal information assets are identified in accordance with CCPA’s new requirements. At the same time, it’s important that this process be able to scale with business operations to ensure both internal and external visibility and consistency while data collection, sharing, and sales operations change. Due to the increased focus on data privacy and the implications of the regulatory environment, early preparation will pay off in the form of a well-trusting customer base and the intrinsic marketplace advantage offered to those who establish themselves as a reputable, privacy-conscious business partner.