The CCPA: Lessons from GDPR and Relevance for Start-Ups
The California Consumer Privacy Act (CCPA), signed into law in June 2018 and going into effect on January 1, 2020, is the first meaningful step toward providing a regulatory framework for online privacy rights in the United States. It will require all enterprises to change how they handle personal information. However, unlike the European Union’s General Data Protection Regulation (GDPR), which applies to all organizations regardless of size, the new California privacy law contains a carve-out for small businesses that do not meet certain thresholds specified in California laws AB375 and SB1121.
Does CCPA Apply To Your Business?
Section 1798.140 of the CCPA defines the “business” to which the law applies. In short, the CCPA applies to your company if it:
Collects consumers’ personal information, or on behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000).
(B) Annually buys, receives, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
Impact on Start-Ups
Businesses that decide they do not need to comply may find themselves at a strategic disadvantage to other online platforms, or may specifically not get their next round of funding or close an enterprise deal until they comply. It is already evident among institutional venture firms and F500 enterprise compliance teams that adherence to the CCPA is going to become table stakes for doing business, because of the fiduciary risk (financial penalties, sanctions) the larger vendor bears for complying with the statute. If your company works with larger businesses and is considered their service provider, the larger company will need to put in place a contract to govern your relationship with the consumers. The effect is that any collection, sale, or use of personal information on behalf of your enterprise customer will be prohibited except as necessary to perform the business purpose.
CCPA Details and Comparison to GDPR
Like the GDPR, the CCPA will require you to identify third parties receiving California residents’ data and update your third-party contracts as needed. You can accomplish this third-party verification with Tugboat Logic’s Vendor Risk Management solution. Our Security Assurance Report template can help you track external data flows to understand the categories of personal data (including employee data) provided to third parties (e.g., cloud service providers, online advertisers, web analytics, etc.), and whether those third parties make commercial use of the information. The CCPA requirement is analogous to an accounting of disclosures under HIPAA.
B. Handling Subject Access Requests under the CCPA
To comply with the CCPA, a prudent course of action is to take an inventory of your data and begin tracking internal consumer and employee data flows so that you can respond to requests from Californians (e.g., check your CRM, email management, benefits/HR providers, sales leads, and data agreements). Companies should also consider developing a “self-service” tool on their websites or apps to enable Californians to access, download, and request deletion of their personal information. The GDPR additionally affords individuals the right of correction. If you prepared for the GDPR, your individual-rights processes can be adapted for Californians; however, you may want to review these procedures to identify any required procedural or operational improvements.
C. Incident Response Requirements under the CCPA
The CCPA includes a private right of action in the event of a data breach. However, prior to filing a claim, the consumer must first notify the business of the alleged violation (i.e., a breach) and give the business 30 days to cure the violation. It is unclear how a business would “cure” a breach, but the provision does highlight the importance of rapid detection, containment, and mitigation. The GDPR’s notification requirements are more rigorous – 72 hours to notify the Data Privacy Authority – but the GDPR provides no private right of claim.
D. Pricing Transparency: A New CCPA Requirement
While both the GDPR and the CCPA prohibit businesses from discriminating against individuals who exercise their rights under the law, the CCPA specifically addresses pricing practices. Accordingly, under the CCPA, businesses should confirm non-discriminatory practices, develop pricing guidelines that do not discriminate (or otherwise violate the CCPA), and document what portion of the cost relates to the collection and management of personal information.
E. Governance Impact of the CCPA
While the CCPA may not define a role for program governance, as with the GDPR you should consider designating a role with responsibility for CCPA compliance to clarify decision-making authority, provide oversight, and ensure sustained maintenance of the compliance program. We recommend pairing a practitioner within your organization, such as an engineering or IT leader, with an executive sponsor such as a VP of Engineering, Products or Marketing.
Given the similarities in compliance obligations, businesses may wish to consider a single role (internal or external) with responsibility for both GDPR and CCPA compliance, and ensure the workforce receives updated training on procedures related to the handling of private data – including HR, marketing and sales. New data subject rights requests and incident response requirements under the CCPA will necessitate new processes or changes to existing ones. Update your employee awareness training and consider tabletop exercises that cover responding to CCPA/GDPR data subject rights requests and incident response under all applicable privacy regulations.
Pulling it All Together
Technology companies, and enterprises more broadly, have yet another regulatory impetus to implement an Information Security Program in order to sustain customer trust and meet their compliance obligations. Start-ups are certainly in good company in terms of readiness: a recent study found that only approximately 50+% of enterprises nationwide that collect data from Californians were able to comply with the new regulations. For firms that can’t afford a team of privacy lawyers or a CISO, Tugboat Logic has an automated Virtual CISO Platform that demystifies privacy compliance and helps secure your organization.