'Most Innovative Startup 2020' by RSA - Watch the pitch video

View More

With the July 1 enforcement date fast approaching, California's Office of the Attorney General (OAG) has finalized the California Consumer Privacy Act (CCPA or the “Act”). Several sections of the finalized Act are critical to compliance with the act to include the following.

1. Be transparent with how your business collections and processes data. A fundamental principle of the Act is the requirement of “...notice, at or before the point of collection, about the categories of personal information to be collected from them and the purposes for which the personal information will be used.This includes the categories and sources of PII collection and a detailed description of any third-parties to which the business will be sharing this PII.

2. Think carefully on which data sales are worthwhile. Business units may wish to carry out a risk/reward analysis on how sensitive consumers are to the sale of data to certain sectors of third parties. Data collected from consumers may highlight that certain relationships are not financially beneficial to the business/seller.

3. Separate prices based on data disclosure are allowed but show your work. The regulations allow differential pricing based on the data subject’s decision to disclose their data, provided the business offers such incentives related to price or service differences. Furthermore, under CCPA Sec. 999.307(b)(5), the statement must demonstrate how the financial incentive or price difference is reasonably related to the value of the consumer’s data.

4. Rewards programs and incentives are allowed, but show your work. Businesses retain the right under the CCPA to offer financial incentives or price/service differentials if the difference is reasonably related to the value of the data at issue. Once again, documentation is key: “If a business is unable to calculate a good-faith estimate of the value of the consumer’s data or cannot show that the financial incentive or price or service difference is reasonably related to the value of the consumer’s data, that business shall not offer the financial incentive or price or service difference”. Details are available in the text of the legislation. Note that when a business calculates the value of its consumer data, the business must be able to document and substantiate its procedure.

5. Household or joint accounts require extra caution. Businesses not providing password protected household accounts must comply with CCPA Sec. 999.318 before fulfilling a request to access or delete household information. Specifically, these businesses must:

  1. verify that all consumers of the household jointly request access to the specific information;
  2. individually verify the identity, in accordance with Section, 999.325, of each and every household members making the household request;
  3. verify that each member making the request is currently a member of the household.

6. Check the languages in which you do business. Regulations govern the noticing requirements provided to consumers. The most recent changes to the regulations amended the notice requirements to read “be available in the languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers in California.’ [emphasis added]. This revised language shows an intent to limit this requirement to languages used by the company in California. Therefore, businesses must review the languages used to engage customers as part of the course of business in California. This review process should include signage at physical locations in the state, including: front desks, elevators, and room heating/cooling system instructions.

7. If you already sell PII (according to the broad CCPA definition of sell), you must now  get expressed customer authorization to continue this practice. The Act dictates that ‘A business shall not sell the personal information it collected during the time the business did not have a notice of right to opt-out notice posted unless it obtains the affirmative authorization of the consumer’. Therefore, If a company continues to sell this data to third parties without receiving an affirmative authorization, it will be in violation of the act. However, businesses can re-establish the right to sell by notifying the subject of their new privacy policy and acquiring affirmative authorization in the process.

8. Deidentification is sufficient. The regulations recognize that due to how records systems were constructed, active deletion of personal information may be difficult or impossible. Therefore the deidentification or aggregation of the consumer’s personal information is sufficient to comply with a consumer request to delete under the CCPA.

9. Act quickly on requests to opt out. These requests are both an exception to this rule and the most common request seen under the law. CCPA Sec. 999.315(f) mandates that businesses must comply with such requests in no more than fifteen (15) business days from the date of the request. The narrow window makes streamlined reporting of CCPA requests across business units essential for response-time compliance.

10. You do not have to search everywhere for data. Businesses are not required to search for personal information  if ALL of the following conditions are met:

  • the business does not maintain certain personal information in searchable/accessible format;
  • the business maintains the information solely for compliance purposes;
  • the business neither sells or uses the information for a commercial purpose;
  • and the business describes to the consumer the categories of personal information that went unsearched because they met the above criteria.

Therefore, security data such as security-camera footage would not be covered under these regulations. A hotel receiving an information access request from a guest would not have to search its CCTV  footage for video of the guest, as long as the hotel notified the guest that such security footage went unsearched because it met all other categories of this regulation.

In sum, businesses should focus on transparency with their customers and follow a risk-based approach on how they collect, processes, and disseminate personal information. Bottom line is, customer personal information belongs to the individual, not the business.

Share this

Our Videos

View More
3:00

Data Mapping Automation

Simplify gathering information, dynamically update your data catalog, and automate assessments and reports

Learn More
View More
02:40

An IT Leader’s Perspective on CCPA

Meet Brian Lillie, Former CPO at Equinix as he discusses the potential challenges of CCPA and how the PrivacyOps framework can be the key to unlocking compliance.

Learn More
Most Innovative Startup 2020 SECURITI.ai View More
03:42

RSA Innovation Sandbox 2020: SECURITI.ai

Watch the 3-minute pitch presented by Rehan Jalil on SECURITI.ai in the RSAC Sandbox Competition

Learn More
CCPA View More
07:10

CCPA Compliance

CCPA protects consumers from mismanagement of their personal data and gives the consumer control over what data is collected, processed, shared or sold.

Learn More
View More
2:25

Internal Assessment Automation

Audit once and comply with many regulations. Collaborate and track all internal assessments in one place.

Learn More
quinstreet privaci View More
02:44

QuinStreet Case Study

Learn how Quinstreet uses our product to simplify data mapping and automate their workflow to process and respond to CCPA requests.

Learn More

SECURITI.ai Named a Leader in Privacy Management Software by Forrester

View