The right to privacy is regarded around the world as a fundamental human right. In fact, the UN’s Universal Declaration of Human Rights states that “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence. . .” Recent events have shown, though, that many organizations have been consistently & routinely disregarding peoples’ right to privacy.

In response to these events, many governments around the world are enacting new privacy laws. Two of the most notable regulations are the EU’s GDPR and California’s Consumer Privacy Act (CCPA), which apply to two of the largest economies in the world. We’ve discussed GDPR in previous articles, and today we’ll discuss CCPA and its impact on your organization.

ccpaCCPA’s Scope

Definition of Personal Information (PII)

When CCPA goes into effect on 1 Jan 2020, it will become one of the most impactful, general data privacy regulations in the United States. While other regulations, like HIPAA, deal with specific types of PII, CCPA broadly defines PII:

“Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

The bill contains examples of PII, though explicitly states that this list is by no means exhaustive:

  • Contact information (e.g., name, email address, IP address, etc.)
  • Government IDs
  • Commercial information, such as: 
    • Records of personal property
    • Products or services that have been purchased or obtained
    • Purchasing history or tendencies
  • Biometric information
  • Electronic network activity, such as: 
    • Browsing and search history
    • Interactions with a website or advertisement 
  • Location data
  • Professional or employment-related information
  • Inferences drawn from any PII that’s used to create a profile about a consumer, such as a consumer’s:
    • Preferences
    • Characteristics
    • Psychological trends
    • Behavior
    • Attitudes
  • Consumer information that is deidentified or aggregate consumer information. 
  • Information made available from federal, state or local government records is not classified PII

Who the Law Covers

Individuals

CCPA covers the processing of PII of residents of California (“processing” is, essentially, any interaction with personal data). With California being the world’s fifth largest economy (as of May 2018), this regulation will undoubtedly affect many organizations. 

Organizations

Any organization that collects, sells or transfers PII of California residents (referred to hereafter as “individuals”).

CCPA’s Requirements

CCPA specifies five privacy rights individuals have and the standards organizations must follow in order to respect those rights. In this section, we’ll describe CCPA’s specific requirements for each privacy right as well as the Act’s general provisions. The five rights are the:

  1. Right to Disclosure & Understanding
  2. Right to Opt-Out
  3. Right to Opt-In
  4. Right to be Forgotten
  5. Right to the Same Services & Prices

General Requirements

In addition to specific requirements for each right, CCPA has some general requirements as well. Organizations that process California residents’ PII must:

  • For minors (i.e., anyone under the age of 16 years-old):
    • Consent to sell their PII must be obtained prior to any sales
    •  For minors under the age of 13, explicit consent from the minor’s parent/guardian must be obtained
  • Implement and maintain a security program that appropriately protects the types of PII the organization processes
  • Update their online privacy policy to include a California Resident-specific section that contains:
    • A description of the individual’s privacy rights under CCPA
    • At least one method for submitting requests
    • A list of the categories of PII the organization has collected about consumers during the previous 12 months
    • Two separate lists describing how consumers’ PII was:
      • Sold
      • disclosed
    • If no PII has been sold or disclosed in the previous 12 months, disclose this fact
    • Update this privacy policy annually
  • Have a clear and obvious link on their homepage entitled “Do Not Sell My Personal Information” that links to a webpage that enables individuals to opt-out of the sale of their PII
    • Individuals must not be required to create an account in order to direct the organization to not sell their PII
  • Third parties that the organization sells or discloses to may not sell PII they (the third party) have received from the organization unless individuals have:
    • Received explicit notice of the intent to sell their PII
    • Been given an opportunity to opt-out

Cyber_Security_Data_LockThe Right to Disclosure & Understanding

Individuals have a right to know what PII the organization has collected on them and what the organization is doing with that PII. 

Requirements

  1. Organizations that collect PII must disclose to individuals that they have a right to have their PII deleted (i.e., the “right to be forgotten”) 
  2. Organizations must respect individual’s request for information and, upon a verifiable request from an individual, disclose the following to the requesting individual:
    1. The categories and specific pieces of PII that the organization has been collecting about the individual
    2. The categories of sources from where the individual’s PII has been collected
    3. The business purposes for collecting the individual’s PII
    4. If the organization is selling PII, it must disclose:
      1. The business purposes for selling the individual’s PII
      2. The categories of: 
        1. PII that was sold about the individual
        2. Third parties to whom the organization has sold the individual’s PII
      3. The specific third-parties that have received the PII
    5. If the organization is disclosing PII, it must state the categories of:
      1. Third parties to whom the organization has disclosed the individual’s PII
      2. The categories of PII that have been disclosed about the individual
    6. If the organization hasn’t sold or disclosed any PII, it must state this fact 

Exceptions

Organizations are not required to:

  1. Retain any personal information related to a one-time transaction
  2. Reidentify or otherwise link any data that, in the ordinary course of business, is not considered to be PII

In Part II of this CCPA Foundations series, we will explore Enforcement & Fines associated with this new legislation. 

Sources