On June 28, 2018, California signed into law the California Consumer Privacy Act of 2018, which grants California consumers new rights regarding the collection, use and disclosure of their information. To effectuate these rights, the CCPA requires that companies that collect and use personal information about California residents notify those individuals regarding what information of theirs is collected and how it is disclosed and used, and grant them certain measures of control over that collection and those disclosures and uses. The law goes into effect on January 1, 2020, but remains in flux: We anticipate that, in the coming year, the California legislature may further amend the law and/or the State AG’s office may issue additional regulations.
Among other things, companies will be required to provide California residents with access to the categories of personal information collected about them, the specific pieces of personal information collected about them, the business or commercial purposes for which that information was collected, and the types of companies with whom the personal information was shared. The CCPA also grants consumers a right to delete their information and a right to opt out of future data sales and sharing.
Consumers will also have a private right of action to pursue actual or statutory damages – including as class action plaintiffs – in the event a company suffers a security breach that results in exfiltration, theft, or disclosure of their personal information due to the company’s failure to implement and maintain reasonable security procedures and practices.
We do not expect the CCPA to materially impact our ability to provide your company with the products and services your company uses today to support data-driven marketing programs.
The CCPA requires covered businesses to ensure their service providers only use, retain, and/or disclose the personal information the covered businesses share with their service providers for the specific purpose of performing the services specified in the contracts between the parties.
We recommend starting a process to assess the impact of the law on your operations immediately. As a threshold matter, determine whether your company is covered by the new law. Assuming it is, determine whether any of the statutory exemptions apply. For example, entities covered by HIPAA are exempt with respect to the Personal Health Information (PHI) they collect and use (but may still have obligations related to non-PHI). If your company is covered by the CCPA, start assembling the relevant stakeholders (e.g., legal, privacy, marketing, operations), as soon as possible to discuss necessary changes. Identify and categorize the types of personal information your company collects and discloses, and the ways in which your company uses and discloses that information. Implement written policies and procedures, including technical controls, to ensure compliance and leverage automation as much as possible for honoring consumer access, deletion, and opt-out requests. You will also need to train your employees on their CCPA-related responsibilities.
Not all companies that collect and use personal information of California residents are required to comply with the CCPA. Background material published in connection with the CCPA indicates that the California legislature expected the CCPA to apply to about 25K companies.
Your business is required to comply only if it collects “personal information” about California residents (or engages a business partner to do so on its behalf), determines the purposes or means of processing that information, and either:
- Has annual gross revenues of more than $25 million; or
- Has annually bought or received for commercial purposes personal information on 50,000 California residents; or
- Derives 50% or more of its revenue from selling consumer information.
Note that receiving mailing lists that contain more than 50,000 California resident addresses within a one-year period would almost certainly mean that your company would need to comply with the CCPA.
Assuming the California residents about whom you collect and use personal information are customers (as opposed to employees, applicants, contractors, or B2B contacts), the CCPA requires you to do the following:
- Map the personal information about California customers that you collect and use.
- Design, implement, and document procedures to manage compliance with the broad array of consumer rights established by the CCPA – for example, the right to know what personal information a business collects about you, how the business uses that information, and who it shares that information with; the right to opt out of the sale of that information; and the right to request deletion of that information (subject to certain exceptions).
- Train workforce members on those policies and procedures.
- Make sure you have an adequate data security program in place.
Under the CCPA, consumers are empowered to opt out of the “sale” of their personal information. To facilitate consumers’ exercise of this right, covered businesses must provide a “Do Not Sell My Personal Information” link on the business’s internet homepage to a web page where consumers can opt out of having their personal information sold to third parties.
Additionally, with some exceptions, the CCPA permits consumers to request that covered businesses, and their direct service providers, delete personal information collected about them. Deletion is not required if the covered business needs the personal information to complete the transaction for which it was collected; to comply with a legal obligation, such as a record retention requirement; to protect against malicious, deceptive, fraudulent, or illegal activity; or to identify and repair errors that impair existing and intended functionality.
Before processing a CCPA consumer request – including a request to opt out or delete – your business is required to “verify” the identity of the consumer making the request. While it may, in certain instances, be possible to verify the consumer’s identity based on the information your company has on file about that individual, in other instances it will be necessary to employ more robust identity verification methods, such as challenge questions developed by ID verification companies that would be hard for someone other than the actual person to answer.
No, there is no CCPA requirement to request follow up contact consent from a consumer who provides contact information via an online form. However, if a consumer opts out of the sale of his or her personal information, the business that received that opt-out request must wait at least 12 months before requesting that the consumer authorize the future sale of his or her information.
The CCPA grants consumers the right to request the deletion of their personal information (subject to certain exceptions), and to opt-out of the sale of that information. The law does not, however, directly mandate the creation of a Do Not Mail file (i.e., a mechanism for consumers to opt out of receiving any future commercial communications). That said, it may be prudent for brands/advertisers to compile and maintain a Do Not Mail file and to share that file with mailing list and print/mail service providers so they can match and remove these names and addresses from future mail campaigns. You may also consider referring the consumer to www.DMAchoice.org where consumers can opt out of direct mail and email lists that are compiled by leading data sources.
MARKETING SERVICES PROVIDERS
The obligations the CCPA imposes directly on Service Providers are limited. However, the CCPA mandates that Businesses include certain provisions in their contracts with Service Providers, and Businesses may push for inclusion of additional CCPA-related provisions, even if not expressly required by the statute. Accordingly, it is essential that Service Providers carefully review – and negotiate – their contracts with CCPA-covered businesses so that they understand and are capable of complying with the obligations those contracts impose.
The regulations enacted as part of the CCPA are primarily between the consumer and the company with whom they do business directly. If the consumer has requested to learn what information is stored about them or to be removed from the database, this is something that – absent a contractual agreement to the contrary – the business with a direct relationship with the consumer needs to do. The consumer should be directed to that business, including providing contact information for the business, if available.
There are two primary categories described by the CCPA:
- Service Providers are organizations to whom a business discloses a consumer’s personal information for a business purpose pursuant to a written contract. For example, if a (B2C) client provided customer names and addresses to a vendor for data hygiene or enhancement, that vendor is a Service Provider.
- Data Brokers are businesses that collect and sell to third-parties the personal information of a consumer with whom the business does not have a personal relationship where “collects” can mean buy, rent, gather, obtain, receive or access personal information by any means. For example, if you buy and resell, rent, or license mailing lists, then you are a Data Broker.
Note that per A.B.1202 Data Brokers are required to register with California’s Attorney General on or before January 31 following each year in which a business meets the definition of a Data Broker and pay a registration fee.
This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between USADATA and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material or any other communications from USADATA or its employees.