By Joel Wuesthoff, J.D., CISSP, CIPP/E
The California Consumer Privacy Act is changing the face of consumer data privacy. Here’s what companies should know before this legislation goes into effect at the start of 2020.
Headlines in the past few years have shaken consumers about the security of their personal information. To protect European residents against companies that would misuse their data, the European Union’s General Data Protection Regulation (GDPR) went into effect in May 2018. Following the EU’s lead, California passed its own version: the California Consumer Privacy Act (CCPA).
The CCPA is the strictest data privacy law in U.S. history to date. Even companies that are already GDPR-compliant will need to heighten their data privacy efforts if they handle the data of California residents.
The deadline to implement these changes is fast approaching. The act goes into effect January 1, 2020, and the Attorney General’s Office will begin enforcing it on or before July 1, 2020. The penalty for noncompliance stated in the CCPA is up to “$2,500 per violation or $7,500 per each intentional violation,” although businesses have 30 days after receiving notice from the office of the Attorney General to correct the violation before civil actions will be taken.
But to comply with this new law, businesses first need to understand it. This may not be so easy, as the CCPA has been amended several times, and some ambiguity still remains.
What’s clear about the CCPA
As of press time, the “known knowns” are these: who must comply with it, whom it protects and the rights it gives consumers.
Who must comply with the CCPA? Any company doing business in California that has annual revenues in excess of $25 million, collects the personal data of 50,000 or more consumers, households or devices, and/or derives 50% or more of its annual revenue from selling consumer data, is subject to the CCPA.
Who does the law protect? As the law’s name states, the California Consumer Privacy Act safeguards the data of California residents only. However, the effects of the CCPA are being felt across the nation, with Nevada, New York and other states developing similar privacy measures.
What rights does the law give California residents?
- Consumers have a right to know what types of personal information a business collects, receives, sells or discloses. The law also gives them the right to know the purposes of these activities and who else sees their data.
- Consumers can request more information about what personal data a business has about them, as well as get copies of that information.
- Californians can stop a business from selling their personal data and request that it delete their information.
- A business cannot punish or discriminate against consumers for exercising their rights under the CCPA.
The employee exemption of the CCPA
Shortly after the act was signed into law on June 28, 2018, the buzz began about just who is included under the broad definition of “consumer.” For example, can employees, contractors and job applicants ask current and prospective employers who sees their personal information? Do they have the right to ask that their private data be deleted?
To clarify these and other questions, California legislators have sent a series of CCPA-related amendments to then-governor Jerry Brown and the current governor, Gavin Newsom. Assembly Bill 25, which Gov. Newsom signed on October 11, 2019, specifies that for one year, the act will not cover the personal data of California employees, contractors and job applicants. Also exempt are a business’s owners, directors, officers and medical staff members.
In other words, AB 25 recognizes two separate roles: worker and consumer. An example is a California resident who is employed by Facebook and uses this social media platform on a personal basis. The personal data that Facebook collects while this person browses and clicks will be protected by the CCPA. In contrast, the personnel data that Facebook has regarding the same person as an employee will not receive these protections.
What’s more, AB 25 only kicked the can down the road. As the amendment lasts until January 1, 2021, legislators must take up this issue again during their next session. One of two things is likely to happen: they’ll make the exemptions permanent, or they’ll pass comprehensive legislation on employee privacy.
The value of data under the anti-discrimination provision
AB 25 may have cleared up the consumer/worker matter, but there is still some confusion surrounding exceptions to the anti-discrimination provision, which prohibits businesses from discriminating against consumers for exercising their rights under the CCPA. One of the exceptions states that nothing “prohibits a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer’s data.” But how is value to be determined?
California Attorney General Xavier Becerra offered some clarity in the draft regulations his office issued on October 10, 2019. Article 6 of the regulations states that calculations of that value “shall use and document a reasonable and good faith method.”
As of press time, the proposed regulations are in a phase of public hearings and written comments, which will conclude on December 6, 2019.
Ambiguity about financial incentive programs
The CCPA offers another exception to the anti-discrimination provision that relates to financial incentive programs: Businesses can offer such programs when consumers opt in to share their data. Consumers must also be able to opt out of sharing their data at any time.
However, the law doesn’t explicitly state whether a business can punish customers with financial disincentives for opting out. Businesses can’t discriminate against consumers for exercising their rights under the law, nor may a business maintain coercive incentive programs, but it’s unclear whether opting out of an incentive program is a protected right under the CCPA. It’s also not clear how “financial incentive” is defined or under what conditions such incentives may be allowed as compensation.
The takeaway for companies
The past year has seen a flurry of activity as businesses scramble to comply with the CCPA. Some of these steps include strengthening data privacy, training employees and adding appropriate language to websites. Looking ahead, companies will need to monitor data privacy developments very closely to remain compliant with changing legislation.
Joel Wuesthoff is Managing Director of Consulting Solutions for Robert Half Legal. A former practicing attorney, he is a Certified Information Systems Security Professional (CISSP) and Certified Information Privacy Professional (CIPP/E) with more than 20 years of legal practice and consulting work in high stakes litigation and government investigations. To learn more about Robert Half Legal’s data privacy consulting services, visit our website.
None of the content in this article should be considered legal advice. As always, consult a lawyer.