With less than two weeks to go before enforcement of the California Consumer Privacy Act (CCPA) begins on July 1, 2020, Protiviti and Robert Half Legal held a webinar that took a look at what the first 100 days of CCPA have been like for companies subject to the recent privacy law. We explored the most critical compliance challenges facing companies that are still ramping up their CCPA privacy programs, including notice requirements, handling downstream data recipients, and navigating the complexities of responding to consumer privacy rights requests. Here are discussions and answers to the most frequently asked questions that we received during the webinar.
Q: How does our company prove that we do not “sell” personal information?
There are several ways to prove a business does not sell personal information, but the most straightforward is to ensure that all transfers of personal information externally are only made to properly classified service providers. Do not overlook the possibility of selling personal information via third-party marketing cookies.
The concept of “sale” of personal information has resulted in considerable confusion and pushback from many companies subject to the CCPA, most notably companies involved in the Adtech space.
Sec. 1798.140(t) defines “sale” of personal information as the “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary **or other valuable consideration**” (emphasis added). The bolded portion of the definition expands the traditional concept of sale beyond what most would typically assume – an exchange of data for cash. Lacking additional guidance from the Attorney General, companies are taking a very risk-averse and expansive approach to this section of the law, and treating all transfers of personal information to outside entities in exchange for any benefit (e.g., enhanced insight into potential customers) by default as a potential sale, unless the alternative can be supported.
There are several ways a business can demonstrate that a transfer of personal information is not a sale. These include, but are not limited to:
- The transfer is made to a properly classified service provider through service agreement or contract management.
- The transfer to a third party does not result in a direct benefit to the business (e.g., the transfer of personal information is to law enforcement for fraud investigation purposes).
- The transfer is made to a third party upon specific request by the consumer, provided the third party does not sell the personal information.
- The transfer is made to a third party for the purpose of alerting the third party that the consumer has opted out of sale of his/her personal information (e.g., sending an email opt-out list to a third party).
- The transfer is made to a third party as part of a merger, acquisition, bankruptcy, or other transfer of control of some or all the business’ assets.
Q: If we are subject to HIPAA or GLBA privacy requirements, can we ignore CCPA compliance requirements?
No. Compliance with HIPAA or the data privacy provisions of the Gramm-Leach-Bliley Act (GLBA) likely provides a solid foundation, but it wouldn’t be prudent to completely ignore CCPA. Companies should carefully assess the scope of the HIPAA and GLBA carveout. The CCPA contains an entire section of carveouts that apply to many already highly regulated industries (Sec. 1798.145).
Sec. 1798.145(c) specifically applies to HIPAA-covered entities, business associates, and any entity that processes protected health information (PHI) and/or medical information covered by California’s Confidentiality of Medical Information Act (CMIA). Additionally, the section extends the carveout to any patient information that may not be covered by HIPAA but that is nonetheless maintained “in the same manner as medical information or protected health information” covered under HIPAA and CMIA.
It is important to note these carveouts do not apply at the entity level to exempt all personal information that a covered entity may handle. A healthcare provider may nonetheless face CCPA compliance requirements for personal information not covered by HIPAA (for example, personal information used for marketing purposes, cookie data, call center data that is not PHI, email addresses, etc.). Thus, it is important not to assume that a company is entirely exempt from CCPA simply because it is subject to HIPAA.
Sec. 1798.145(e) specifically applies to GLBA-covered entities: personal information collected under the GLBA falls out of scope of the CCPA. However, this carveout has exceptions. Data that GLBA entities generate from marketing, advertising, or experience information not tied to a financial product or service remains subject to the CCPA. By contrast, any personal information related to accessing consumer accounts through a website or mobile app, including cookies, would be exempt from CCPA applicability, as this type of data falls under the GLBA provisions. The context in which the data was collected determines whether the personal information falls under the CCPA or is exempt. The best approach is to gather this information through a data mapping assessment across the systems in scope for personal information, to determine whether each data element is covered under GLBA or CCPA. Additionally, it is important to remember that GLBA only applies to consumer accounts, so personal information collected within commercial accounts would not have this carveout.
Q: How strictly must companies monitor their downstream data recipients?
Initial and ongoing vendor due diligence is strongly implied, if not required, by the CCPA. The CCPA does not contain the detailed downstream data recipient monitoring and compliance requirements that the GDPR does in Articles 28 and 29. However, the CCPA does include the requirement that businesses enter into written agreements with their service providers that set out the purpose(s) of the processing and restrict what the service providers can do with the personal information shared (Sec. 1798.140(v)).
Liability for a service provider’s actions is addressed in Sec. 1798.145(j), which appears to provide a liability escape hatch for businesses whose service providers violate the provisions of CCPA, as long as the business had no “actual knowledge, or reason to believe, that the service provider” intended to commit a violation “at the time of disclosing the personal information” to the service provider. While many businesses may interpret this provision as requiring due diligence only at the procurement and contracting phase of the relationship, this may be an erroneous interpretation. Any business that discloses personal information to a service provider or third party should incorporate data privacy risk assessment criteria within their annual or periodic third-party risk due diligence process above and beyond the procurement and contract phases of the relationship.
Beyond the text of the CCPA, companies should note that the draft Attorney General regulations permit service providers that receive CCPA privacy rights requests to either respond on behalf of the business or reject the request. If businesses do not want their service providers responding to privacy rights requests on their behalf without any oversight, this restriction will need to be included in the service contract.
Q: Are there any exemptions to a consumer’s right to delete if a company still needs to use the consumer’s personal information?
Yes, there are several broad exemptions to the right to delete. This right is not absolute.
Businesses that are facing, or are expecting to face, a significant number of CCPA privacy rights requests are well advised to familiarize themselves with the nine exemptions to deletion contained in Sec. 1798.105(d). Most notably, businesses are not required to delete personal information following a request if that information is still needed to provide a product or service requested by the consumer (Sec. 1798.105(d)(1)). Beyond that, exemptions exist:
- To allow for free speech (e.g., media outlets do not need to remove personal information from published articles following a request);
- To allow for the detection and prevention of security incidents and fraudulent or illegal activity (e.g., businesses may not need to remove personal information from server logs or visitor records); and
- For solely internal uses of the personal information that would be reasonably expected given the consumer’s relationship with the business (e.g., maintaining a record of the consumer’s service requests to enable quicker troubleshooting support in the future).
Q: What is the California Privacy Rights Act? Could it replace the CCPA?
The California Privacy Rights Act (CPRA) is a proposed ballot initiative. If it passes, the CPRA would not replace the CCPA, but modify and expand it, creating new privacy rights for people and additional compliance obligations for businesses.
In California, citizens can propose and vote on new laws via ballot referendum. Just as state legislators drafted and enacted legislation such as the CCPA, so too can California citizens create new laws. One such proposal presumably heading for the ballot this November is the California Privacy Rights Act (CPRA).
Drafted by many of the CCPA’s original authors, the CPRA aims to clarify and expand the CCPA, to “further protect consumers’ rights, including the constitutional right of privacy.” (CPRA § 3).
Some of the law’s proposed changes include creating new categories of personal data, expanding a company’s liability for data breaches, and enhancing privacy rights for children. The CPRA would also create a state agency to enforce data protection laws. Independent data protection agencies are common in the European Union, but this would be the first agency of its kind in the U.S.
If it passes this November, the CPRA would take effect on January 1, 2023.
Interested in learning more about CCPA enforcement? Our webinar, CCPA Compliance: The First 100 days, is now available on-demand.