What is the CCPA?
On June 28, 2018, the California legislature passed the California Consumer Privacy Act of 2018 (CCPA), which aims to strengthen consumer privacy rights and data protection. Under the law, California residents have the right to know what information is collected, sold, or disclosed, the right to access their information, and the right to request deletion of their information.
The CCPA is subject to revision prior to the 2020 enactment date. While the foundational elements of the regulation are not likely to change, additional guidance and specificity regarding the intent of the regulation is expected. California has historically been a leader and driver of privacy regulation, leading many to speculate that this regulation could serve as a framework for continued privacy regulation across the U.S.
CCPA vs. the GDPR
Many organizations have invested significantly over the last two years implementing the European Union’s General Data Protection Regulation (GDPR). How similar is the CCPA to the GDPR?
The foundational elements of the regulations are similar, including the right to deletion and the right to access data. Therefore, companies should be able to leverage aspects of their existing privacy programs, such as privacy policies, trainings, records of processing, consent management procedures and data subject rights procedures, to comply with the CCPA. However, there are key differences.
Key elements of the CCPA
- New rights – the CCPA provides CA residents with the right to:
  - Access personal information (PI);
  - Know what PI is being collected;
  - Request deletion;
  - Know whether PI is sold or disclosed and to whom;
  - Opt-out of PI sale to third parties; and,
  - Equal goods or services and equal price (whether consent to share PI is given or not).
- Website and privacy policies – Businesses must update their online privacy policies with information regarding opting out and what information is collected, sold, or disclosed. Website homepages must include certain links for consumers to exercise certain rights.
- Private cause of action – Individuals now have the ability to raise a cause of action against businesses for a business’s alleged failure to “implement and maintain reasonable procedures and practices” that result in a data breach, with penalties ranging from $100 to $750 per violation.
- Individual requests – Individuals have the right to make requests regarding their PI. Companies must respond to verifiable individuals’ access requests within 45 days and can only extend past the deadline in limited circumstances.
- Third parties – Third parties that purchase information from businesses are not permitted to resell the information without express consent.
- Scope – The scope is broad and has the potential to affect many organizations across the US and globally that do business in the state of California, whether they have a physical presence or are virtually marketing to CA consumers.
- Exemptions – Data that is collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act (GLBA), Driver’s Privacy Protection Act (DPPA), and Children’s Internet Protection Act (CIPA) is exempt from CCPA’s requirements. This information is also exempt from CCPA’s private right of action provision.
- Health information – HIPAA-covered entities and providers of health care governed by the Confidentiality of Medical Information Act are exempt from the CCPA “to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information [PHI].” Additionally, PHI governed by HIPAA and HITECH collected by covered entities and business associates is also exempted. Lastly, information collected as part of a clinical trial that is subject to the Common Rule is also exempt from the CCPA.
Q: If a company has implemented a GDPR program, how much additional work will be needed to comply with the CCPA?
Many of the foundational elements of a GDPR program can be leveraged to comply with the CCPA. Companies that implemented GDPR programs across the enterprise will be able to leverage more than those that limited the scope of the program to the EU. However, there are unique differences between the regulations, and it will be important for organizations to perform a gap assessment.
Q: Should companies start right now or wait, as changes to the CCPA are anticipated prior to July 1, 2020?
While additional clarification and guidance are expected, significant changes to the core of the regulation are not. Companies should start by inventorying personal data, performing a gap assessment and developing a roadmap to compliance.
Q: Does the CCPA apply to both customers and employees in CA?
The CCPA applies to California residents, impacting both customer and employee information.
Q: Who should lead CCPA compliance within a company?
CCPA compliance should be led by the privacy office, with significant involvement from the business (operations, sales, marketing), Legal, IT, and information security.
Q: What are the penalties for non-compliance?
The law provides a private right of action and statutory damages to residents whose non-encrypted or non-redacted PI is subject to unauthorized access, theft, or disclosure. Consumers are able to recover between $100 and $750 per violation. Additionally, the California Attorney General (AG) is responsible for enforcing all other provisions of the CCPA. Civil penalties in an AG-initiated matter range from a minimum of $2,500 per violation up to $7,500 for each intentional violation.
Where to begin?
While the law is subject to revision, companies should begin preparing a roadmap to compliance. First, companies need to understand what personal information they are collecting related to California residents, as well as associated data owners, systems, and third parties involved. This data inventory will serve as the foundation for CCPA compliance.
Once the data in scope is understood, companies should perform an assessment of the CCPA and their existing privacy programs to identify gaps. Gaps should be prioritized based on risk, aligned to projects and put on a roadmap to achieve compliance by July 1, 2020.
As companies progress through the compliance journey, they should continue to monitor any changes or revisions to the CCPA and adjust the roadmap projects accordingly.
Grant Thornton can help
Our team of privacy and data protection specialists can help you. Navigating the increasingly complex privacy regulatory environment is challenging. Our team of privacy, information security and compliance experts can help align your privacy program with core business objectives to drive growth, not to slow it due to compliance requirements.