On June 28, 2018, the California Consumer Privacy Act (CCPA) was unanimously passed. It is slated to go into effect January 1, 2020, and it is set to be the toughest privacy law in the United States. It broadly expands the rights of consumers and requires businesses within its wide scope to be significantly more transparent about how they collect, use, and disclose personal information. While it is a California law, a business outside of California must also comply if it conducts business with residents (natural persons) of California. [1]
As expected, it was recently updated to address some technical issues. After a two-month period of lobbying, SB 1121 was passed with 45 amendments, which are intended to be technical edits that correct drafting errors while maintaining the substance of CCPA. Additional regulations are expected six months after CCPA’s effective date. We highlight a few of the amendments in SB 1121 here.
One of the amendments clarifies the definition of “Personal Information”, which is still broadly defined. SB 1121 amends the definition of Personal Information to read: “[Personal information includes the following] if it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household…” With this change, the list of information that was previously deemed Personal Information automatically is now treated as information that is potentially Personal Information. Under the amended definition, information that could be used to identify an individual or a household, such as an IP address, is considered Personal Information only if it can actually be associated with an individual or household. [2]
Because CCPA is a new law, there are many questions about its requirements and its applicability in various situations. One common question TrustArc has received about CCPA relates to this definition of Personal Information. For example, our privacy experts have been asked whether public information is considered “Personal Information” pursuant to CCPA. Information that is “publicly available”, meaning that it is lawfully made available to the general public from federal, state, or local government records and is used for a purpose that is compatible with the purpose for which the data is maintained, is exempted from the Act. “Publicly available” does not include consumer information that is de-identified or aggregate consumer information.
As the above example of deciding what is or is not Personal Information shows, having your privacy team up to speed on the law and its amendments is critical for complying by January 1, 2020.
Another amendment in SB 1121 defers the deadline by which the Attorney General must draft and adopt the law’s implementing regulations from January 1, 2020, to July 1, 2020. The bill also delays the Attorney General’s ability to bring enforcement actions:
“The Attorney General shall not bring an enforcement action under this title until six months after the publication of final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.”
As businesses review their CCPA compliance plans and the impact of these amendments, they need to keep moving forward with those plans, because the substance of CCPA is not expected to change. Similar to GDPR, the path to CCPA compliance requires businesses to have solid knowledge of:
- where their data sits,
- what data they have, and
- what is then shared with third parties.
Data inventory and data mapping projects, policy updates, and shoring up third-party vendor management are all foundational compliance items companies need to be working on now. Using technology to manage these items in the ever-changing and complex world of privacy and data governance needs to be part of that compliance plan.
Team TrustArc is available to help you further review your CCPA readiness and walk you through how our award-winning technology solutions can help your business streamline and manage ongoing compliance with CCPA and other privacy regulations, such as the GDPR. To find out more information on options that meet your business needs, visit https://www.trustarc.com or call 1-888-878-7830.
[1] (c) “Business” means:
(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
(B) Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
(2) Any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business. “Control” or “controlled” means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, servicemark, or trademark.
[2] “Personal Information” means “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The Act specifies that PI includes, but is not limited to: (i) identifiers, such as names, aliases, addresses, and IP addresses; (ii) characteristics of protected classifications under California or federal law; (iii) commercial information, including records of personal property, products or services purchased, or consuming histories or tendencies; (iv) biometric information; (v) Internet or other electronic network activity information, such as browsing history; (vi) geolocation data; (vii) audio, electronic, visual, thermal, olfactory, or similar information; (viii) professional or employment-related information; (ix) education information; and finally, (x) any inferences drawn from any of the information identified to create a profile about a consumer.