With the COVID-19 pandemic and unrest now gripping our nation, the California Consumer Privacy Act (CCPA) may not be top of mind for those doing business in the Golden State. But it should be, as the privacy law’s July 1 enforcement deadline is almost upon us.
Earlier this year, several industry groups petitioned California’s Attorney General to move the deadline to January 1, 2021, in light of the coronavirus and its impact upon businesses nationwide. However, in an April press release, the Attorney General’s office refused to do so, stating that online privacy remained a priority, especially with the increases in people working remotely or homeschooling children. As such, there is no indication that enforcement of the CCPA will be delayed.
As the July 1 deadline approaches, here are a few things to consider when assessing your CCPA compliance.
On June 1, the Attorney General finalized the proposed regulations relating to the CCPA. They contain valuable guidance on many aspects of the privacy law, including how to verify the identity of consumers making CCPA requests, how to post privacy policies and “Do Not Sell My Personal Information” links on websites, and how to process CCPA requests from third-party authorized agents.
Sale of PI
The CCPA allows consumers to opt out of the sale of their personal information (PI). But the meaning of the term “sale” is much broader under the CCPA than most people would think. In fact, for purposes of the CCPA, a “sale” can include any data sharing, whether for money or “other valuable consideration,” including common data-sharing practices you may already have with your vendors. In order to protect yourself, it is critical to have written agreements with vendors that limit what they can do with the PI you are sharing, so they can qualify as “service providers” under the CCPA. Without these agreements, if consumers opt out of the sale of their PI, you may be prohibited from sharing data with vendors that are not service providers, resulting in substantial impacts to critical business operations.
Though the CCPA is broad, its exemptions are narrow. Yes, the privacy law exempts PI collected, processed, sold, or disclosed in connection with several federal laws (such as GLBA, HIPAA, and FCRA), but these exemptions likely do not cover other types of PI collected for non-regulatory purposes. For example, information that a consumer provides to obtain an insurance policy (“personally identifiable financial information”) may be exempt under GLBA; however, the exemption would not cover marketing information relating to that same consumer, including leads lists obtained from third parties. Bottom line: if your business intends to rely on an exemption to the CCPA, you should discuss the actual scope of these exemptions with privacy counsel.
Organization is Key
Experts anticipate that businesses will see an increase in CCPA requests in July and August, as the new regulations start being enforced. In addition, we are seeing services pop up that will make it easier for consumers to submit CCPA requests (either directly or using the service as an “authorized agent”). In order to efficiently process these requests, businesses should (1) have an outline of where they store PI (read: a data map) and (2) make sure that personnel responsible for CCPA compliance are adequately trained.
No doubt about it, the CCPA is complicated, particularly now, but it does not have to be. Michelman & Robinson’s cybersecurity and data privacy team is available to provide a no-cost consultation to identify and handle any lingering CCPA issues you may have.
This blog post is not offered, and should not be relied on, as legal advice. You should consult an attorney for advice in specific situations.