California Consumer Privacy Act: What You Need To Know (And Do) Now

While the new CA privacy law, California Consumer Privacy Act (CCPA) is still being amended with AG regulations yet to come, here are some


The new CA privacy law, California Consumer Privacy Act (CCPA), will bring unprecedented changes to the data collection landscape. As of now, the exact scope of those changes remains unclear because we are waiting for the California Attorney General to issue regulations implementing that law.

In addition, amendments have been enacted and further amendments proposed. Because some of the provisions of CCPA will change, it is hard to know what to do, but a wait-and-see approach is a mistake. We know that various aspects of the law are not going to change and, frankly, there are many other comprehensive state laws pending as well as federal legislative proposals, so there is no question that we need to take action now to react to this new privacy paradigm.

CCPA goes into effect on January 20, 2020 and actual enforcement will probably commence on July 1, 2020. However, it is important to recognize that CCPA contains look-back provisions that might require you to have a thorough understanding of your data practices well before the law goes into effect.

To determine whether you fall within the reach of the law, and what actions you must take if you do, you can read my attached summary, which provides some more detail. Even if you do not feel that you are a covered business, I would still recommend implementing some of the measures referenced below. Taking these actions will give your business a leg up when confronting any privacy law that does affect your business.

The more detailed summary is attached to this article.

So, what should you be doing?

1. Review and track your data collection practices

Understand the scope of the personal information you and your service providers collect, use and share by data mapping the lifecycle of that data. CCPA will require that you document and notify consumers of your data collection practices at or before you collect personal information. “Personal Information” is broadly defined to include, among other things, any information that is capable of being associated with a particular California consumer or household. This includes preferences and inferences drawn to create a profile about a consumer and will undoubtedly encompass most information that is relied upon by entities engaging in the advertising ecosystem.

Unless you are a publisher or platform with a direct relationship with the consumer, you may not have an opportunity to provide notice “at or before” collection. If that is the case, consider whether DAA’s Ad Choices Icon, the IAB’s TCF Framework or some other consent manager or industry symbol can be used to provide notice to consumers.

2. Maintain records of data processing activities

Under CCPA, a California consumer is entitled to request that a business provide information relating to the processing of that consumer’s personal information within the year preceding the request in a readily usable format. This “look back” essentially means that businesses should be keeping records and have processes in place to organize and manage consumer data well before the effective date of the law.

3. Understand the importance of the data you collect

Until a business has a thorough knowledge of its data flow, it is impossible to know what gaps exist between the law and its practices. It is critical to understand the importance of the data you collect and how dependent your business model is on that data. Identifying operational challenges posed by the law will enable you to mitigate risk and achieve compliance.

CCPA has certain notice requirements, including a “Do Not Sell My Personal Information” link that goes directly to an opt-out mechanism. But the definition of “sale,” as explained in the attached memo, is far broader than the word connotes. This notice will therefore suggest a business is actively “selling” personal information even if the business is only sharing personal information to garner information to better customize or market its products and services. Where the button is included, there may be higher rates of opt-out and less access to personal information. Evaluate the impact restricted access to personal information will have on your business model and start making necessary adjustments before it impacts your bottom line.

4. Know the value of the data you collect

CCPA limits incentives and penalties tied to the exercise of privacy rights. Businesses cannot discriminate against a consumer because the consumer exercised any of the consumer’s rights under CCPA, and consumers have the right to equal services and equal pricing. A business can charge a consumer a different price or provide a different level of goods or services under limited circumstances and only if that difference is reasonably related to the value of the consumer’s data. Therefore, knowing the value of your data is critical to determining whether any of the options under CCPA can work with your business model.

5. Assess third-party relationships

One of the major requirements under CCPA is to provide consumers with the opportunity to opt out of the “sale” of their personal information. CCPA also requires an opt-in consent for personal information attributable to anyone under 16 years of age. Thankfully, businesses are provided with a safe harbor for non-compliance by their service providers if certain controls with the service providers have been put in place. Therefore, consider all third parties you work with and review those contracts, including when you are the recipient of data as a data processor. Some of you might be familiar with the data privacy amendments that were ubiquitous when GDPR came into law. Similarly, CCPA will require that contracts with your service providers address compliance with CCPA, and therefore amendments to your service provider contracts might have to be produced to mitigate risk and put proper protections and procedures in place.

6. Review external privacy policies and other consumer disclosures

CCPA requires certain disclosures be made to consumers. Review your user interface to determine where and how notice can be provided and update any missing disclosures and commitments required under CCPA. Privacy policies must now, among other things, specify categories of personal information collected, sold or disclosed and the business or commercial purposes for that collection, sale or disclosure. This will require wholesale changes to many privacy policies currently in place. In addition, CCPA requires that privacy policies be updated at least every 12 months.

THE TIME TO ACT IS NOW.

 
