Privacy and data security are serious concerns for many startups. They understand that end users, consumers, partners, and investors are now concerned like never before about how data is collected, used, stored, and transferred. A bad data event quickly turns into a bad news story, can turn off users, discourage investors, and bring regulatory scrutiny and enforcement.
Recently, California passed the California Consumer Privacy Act (“CCPA”), currently the nation’s leading state law regarding consumer privacy. The CCPA will become effective January 1, 2020. Companies that need to comply will have less than eight months to come up with a compliance plan and revise their business model, if necessary.
1. Will the CCPA apply? If you have more than 137 unique visits to your website every day, then yes.
Broadly speaking the CCPA will apply to companies that are for-profit entities that direct the collection and processing of the personal information of California residents, and also meet one of three criteria: (1) annual gross revenues over $25 million, (2) 50% of revenue derived from selling personal consumer information, and (3) buying, receiving, and/or sharing personal information relating to 50,000 consumers.
Of these three scenarios, the most likely to apply is the third. The definition of personal information is extremely broad. It includes any information that identifies, or could reasonably be linked to, directly or indirectly, a particular consumer. Examples include everything from IP address to purchasing history, internet activity to geolocation data. Thus, a business that has a website and receives 137 unique visitors a day, or around 50,000 a year, and collects the visitor IP addresses, would fall under the CCPA.
2. Examine and understand your existing data flows involving personal information. Look for ways that your entity is collecting information — for example, websites and apps. Consider who you are providing personal data to, and who you are getting it from.
Complying with the CCPA and modifying any business practices that are not CCPA compliant will require understanding how the business is currently using personal information as defined by the CCPA. You will need to work with internal stakeholders to see where personal information is being collected, used, stored, and transferred. For example, your entity may have a website that collects personal information, which is then transferred to a third-party cloud services provider, but also accessed via an analytics provider, and then shared with a company partner.
The CCPA puts different requirements on businesses, service providers, and third parties. Businesses collect personal information (or have someone else do it) and determine the purpose for doing so. Service providers process personal information for someone else. Third parties are entities that receive personal information from another entity, and are not themselves businesses or service providers based on that transfer.
You cannot comply with the CCPA if you do not understand how personal data flows into and out of your organization.
3. Understand the rights CCPA grants to consumers, and how you will support those rights based on your information architecture.
The CCPA grants consumers, which are effectively any California residents from which you have collected personal data, important new rights. Below is a brief overview of these rights; compliance will require an understanding of how these apply to the entity based on its business model. Additionally, entities will need to update their privacy policies to be CCPA compliant.
- Right to know/access personal information collected about the consumer, the company’s business purpose for collecting and/or selling the personal information, and the categories of third parties to whom the company has provided the personal information.
- Right to deletion of personal information collected from the consumer if an exception does not apply. Service providers must be able to act on a request made by a consumer to the business.
- Right to opt out of sale of personal information to third parties. Companies cannot sell the personal information of those under the age of 16 without express authorization. This includes putting a clear and conspicuous “Do Not Sell My Personal Information” link on the company’s website, as provided by the CCPA.
- Right to be free from discrimination by business based on a consumer exercising his or her rights under the CCPA. This means that if a consumer decides to opt out of the sale of his or her personal information, the business may not charge different rates because of it, but may incentivize collection, sale, or deletion of personal information on an opt-in basis if certain requirements are met.
Most likely, after reviewing your data flows and information architecture, you will have significant work to do to support these rights. As we can see from this brief overview, this effort will require a combined understanding of the business goals, information technology architecture, and legal requirements of CCPA.
If you have any questions about how the CCPA could affect your entity, please do not hesitate to contact the team at Mintz.