Organizations covered under the California Consumer Privacy Act (CCPA) have less than six months to become fully compliant with the law that goes into effect Jan. 1, 2020. Mike Vanderbilt, privacy director at Baker Tilly, noted at a June webinar that, just like other data privacy regulations, such as the EU’s General Data Protection Regulation (GDPR), the CCPA “establishes a high-level framework that organizations must comply with and provides certain rights to the individuals that it's designed to protect.”

What is the CCPA?

The CCPA was enacted in June 2018 and the state legislature has already amended it more than once even before it goes into effect. The CCPA – which in some respects is modelled after the GDPR -- provides consumers with the right to:

• Know what personal information is being collected about them
• Know whether their personal information is sold or disclosed and to whom
• Say no to the sale of personal information
• Be forgotten or to have data erased
• Access their personal information

Vanderbilt noted that the law has a one-year look-back, meaning that all data that organizations are processing in 2019 will be covered when the CCPA goes into effect in January 2020. He said, “Data is no longer the sole property of the company that holds it. With the CCPA and the other privacy regulations out there, individuals have a real say in how their data can be used.”

Application and penalties

The CCPA applies to all for-profit businesses – whether or not they have a physical footprint in the state – that process the personal data of California residents and meet one of the following thresholds:

• Has annual gross revenue of $25 million or more
• Obtains personal data or personal information of 50,000 or more California residents, households, or devices, annually, or
• Gets 50 percent or more of its annual revenue comes from the selling of personal data of California residents

Any person, business or service provider that intentionally violates the CCPA may be liable for a civil penalty of up to $7,500 for each violation. Unintentional violations that are not fixed within 30 days could see penalties of up to $2,500 per incident. Vanderbilt said, “You don't want to be in a situation where you're collecting very sensitive data and you're not treating it as though it's very sensitive data.”

What’s unique about the CCPA?

Vanderbilt highlighted a few things that stand out about the CCPA:

• The law covers not just individuals but also households, an acknowledgement that personal data is often connected to the IP addresses associated with certain devices that are used by more than one person.
• “Consumers” covered by the law may include not only state residents but also residents of other states who visit California temporarily.
• “De-identified data” and certain data covered by federal laws, such as health information related to HIPAA, is not covered by the CCPA.

Obstacles

Organizations identify several obstacles on their journey towards CCPA compliance, including:

• Lack of time to prepare/lack of bandwidth
• Complexity of the law
• Lack of budget
• Lack of expertise
• Lack of internal support

Vanderbilt said that in order for organizations to comply successfully with the CCPA they need to get buy-in at all levels of the organization. “We can't have the finger pointing,” he said. “All components and all departments of the organization need to align. Privacy is here and it is only going to become more stringent, so we need to address these items.”

What organizations should do now

Vanderbilt highlighted a few things that organizations should do in 2019 prior to the CCPA going into effect next year:

1. Perform a readiness assessment against applicable regulations and address any gaps.
2. Make sure to have a process in place to accept, track, and remediate complaints and incidents.
3. Consider whether certain activities can still be accomplished without collecting sensitive data.
4. Start assigning a dollar value, at least in penalties, to what a breach might cost the company.
5. Establish when in your organization is it acceptable to collect, store, and otherwise process personal data.
6. Adopt privacy principles similar to those included in the GDPR: transparency, lawful basis for processing, purpose limitations, data minimization, data subject rights, training and awareness, security of processing, governance and accountability, incident reporting, vendor management, privacy by design, data classification, and records of processing

Vanderbilt said organizations need to make sure they have access to appropriate expertise necessary to become CCPA compliant. “You need to make sure that you have governance and accountability in place to ensure you not only meet that compliance, but that you stay compliant, especially as the CCPA changes and evolves”.

Conclusion

A majority of participants at the webinar noted that their organizations had done little or no work to prepare for the CCPA. In addition, Vanderbilt noted that since the California legislature has amended the CCPA more than once since enactment, “We are not exactly sure what it's going to look like in January when it goes into effect, and we're also not really sure what enforcement's going to look like.”

California and Nevada are the only two states that have passed data privacy laws, although 14 other states are considering them. Vanderbilt said it is more likely that organizations will have to adjust to several different state privacy laws before the federal government ever passes a laws as comprehensive as the CCPA or GDPR.

He concluded, “The important thing to do is simply keep trudging down that path, document what you're doing, document your assumptions, and keep moving forward.”

The webinar recording and slide deck are available here.

For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.