10 Tips to Prepare for CCPA Enforcement

By Securiti Research Team
Published June 23, 2020 / Updated April 10, 2023

With the July 1 enforcement date fast approaching, California's Office of the Attorney General (OAG) has finalized the California Consumer Privacy Act (CCPA or the “Act”). Several sections of the finalized Act are critical to compliance, including the following.

1. Be transparent about how your business collects and processes data.

A fundamental principle of the Act is the requirement of “...notice, at or before the point of collection, about the categories of personal information to be collected from them and the purposes for which the personal information will be used.” This includes the categories and sources of Personally Identifiable Information (PII) collection and a detailed description of any third parties with which the business will be sharing this PII.

2. Think carefully about which data sales are worthwhile.

Business units may wish to carry out a risk/reward analysis on how sensitive consumers are to the sale of data to certain sectors of third parties. Data collected from consumers may highlight that certain relationships are not financially beneficial to the business/seller.

3. Separate prices based on data disclosure are allowed, but show your work.

The regulations allow differential pricing based on the data subject’s decision to disclose their data, provided the business offers such incentives related to price or service differences. Furthermore, under CCPA Sec. 999.307(b)(5), the statement must demonstrate how the financial incentive or price difference is reasonably related to the value of the consumer’s data.

4. Rewards programs and incentives are allowed, but show your work.

Businesses retain the right under the CCPA to offer financial incentives or price/service differentials if the difference is reasonably related to the value of the data at issue. Once again, documentation is key: “If a business is unable to calculate a good-faith estimate of the value of the consumer’s data or cannot show that the financial incentive or price or service difference is reasonably related to the value of the consumer’s data, that business shall not offer the financial incentive or price or service difference”. Details are available in the text of the legislation. Note that when a business calculates the value of its consumer data, the business must be able to document and substantiate its procedure.

5. Household or joint accounts require extra caution.

Businesses not providing password protected household accounts must comply with CCPA Sec. 999.318 before fulfilling a request to access or delete household information. Specifically, these businesses must:

  1. verify that all consumers of the household jointly request access to the specific information;
  2. individually verify the identity, in accordance with Section 999.325, of each and every household member making the household request;
  3. verify that each member making the request is currently a member of the household.

6. Check the languages in which you do business.

Regulations govern the notice requirements provided to consumers. The most recent changes to the regulations amended the notice requirements to read “be available in the languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers in California.” [emphasis added]. This revised language shows an intent to limit this requirement to languages used by the company in California. Therefore, businesses must review the languages used to engage customers as part of the course of business in California. This review process should include signage at physical locations in the state, including front desks, elevators, and room heating/cooling system instructions.

7. If you already sell PII (according to the broad CCPA definition of sell), you must now get express customer authorization to continue this practice.

The Act dictates that ‘A business shall not sell the personal information it collected during the time the business did not have a notice of right to opt-out notice posted unless it obtains the affirmative authorization of the consumer’. Therefore, if a company continues to sell this data to third parties without receiving affirmative authorization, it will be in violation of the Act. However, businesses can re-establish the right to sell by notifying the subject of their new privacy policy and acquiring affirmative authorization in the process.

8. Deidentification is sufficient.

The regulations recognize that, due to how records systems were constructed, active deletion of personal information may be difficult or impossible. Therefore, the deidentification or aggregation of the consumer’s personal information is sufficient to comply with a consumer request to delete under the CCPA.

9. Act quickly on requests to opt-out.

These requests are both an exception to this rule and the most common request seen under the law. CCPA Sec. 999.315(f) mandates that businesses must comply with such requests in no more than fifteen (15) business days from the date of the request. The narrow window makes streamlined reporting of CCPA requests across business units essential for response-time compliance.

10. You do not have to search everywhere for data.

Businesses are not required to search for personal information if ALL of the following conditions are met:

  • the business does not maintain certain personal information in a searchable/accessible format;
  • the business maintains the information solely for compliance purposes;
  • the business neither sells nor uses the information for a commercial purpose;
  • and the business describes to the consumer the categories of personal information that went unsearched because they met the above criteria.

Therefore, security data such as security-camera footage would not be covered under these regulations. A hotel receiving an information access request from a guest would not have to search its CCTV footage for video of the guest, as long as the hotel notified the guest that such security footage went unsearched because it met all other categories of this regulation.

In sum, businesses should focus on transparency with their customers and follow a risk-based approach to how they collect, process, and disseminate personal information. The bottom line is that customer personal information belongs to the individual, not the business.
