Getting ready for California Consumer Privacy Act
The effective date for the California Consumer Privacy Act is fast approaching, and many businesses need to be prepared to comply with it.
The CCPA has had a colorful development process. Originally passed in 2018, it has been amended no fewer than six times since then. The California Attorney General has also issued Proposed Rules to implement the CCPA, but those remain subject to further amendment after the comment period ended on December 6. The CCPA becomes effective January 1, 2020, even though the Attorney General will not have finalized the Rules by then, so businesses that may be affected by the CCPA should immediately begin taking steps to prepare.
What it Does
The CCPA enables consumers to request businesses to do the following:
· Provide them with the types and specific pieces of personal information the business has on them;
· Provide them with the types and specific pieces of personal information the business has sold to third parties;
· Delete the personal information the business has on the consumer; and,
· Provide them with the right to opt out of the business selling the consumer’s personal information to third parties.
The requirement to provide consumers with their specific pieces of personal information means a business must hand over the actual personal information it possesses on that consumer. This is a real concern, since the business will be releasing sensitive data to a requestor who merely claims to be the consumer. Proper verification of the requestor, therefore, is crucial. Note also that the Proposed Rule, as currently written, limits such disclosures by excluding items such as social security numbers and driver’s license numbers.
As you would expect, there are also disclosure requirements associated with those consumers’ rights. This includes, before a business collects any personal information from the consumer, disclosing the type of information that business intends to collect from the consumer and how it will be used.
Determine Applicability
The first step is to determine if the CCPA applies to your business. Since the rights afforded under the CCPA apply to residents of California, the business should first determine if it does business with California residents. If so, you should then review the definition of “business,” which includes, but is not limited to, any business that has annual gross revenue that exceeds $25,000,000. There is no guidance in the CCPA or the Proposed Rule as to whether that annual gross revenue amount is intended to mean all-company revenue or just revenue a business generates in the state of California.
Next, consider if your business is collecting personal information from consumers. Personal information includes, but is not limited to, a consumer’s name, unique identifier, email address, account name, and social security number.
Exemptions
If all of the above is in the affirmative, then you must determine whether any of the exemptions might apply to the business. A significant exemption for the financial services industry concerns the federal Gramm-Leach-Bliley Act (GLBA): the CCPA provides that it does not apply to personal information collected pursuant to the GLBA. Note that this exemption is not drafted as a blanket exemption for financial institutions that are subject to the GLBA, but instead applies to the information that is collected pursuant to the GLBA. This suggests that while much of the information collected by financial services companies may be exempt from the CCPA, some businesses may engage in activities, or collect other types of information, that are not subject to the GLBA, or may simply engage with consumers in ways that fall outside of the GLBA. As such, determining how this exemption applies to each of your business’ activities should be a primary focus.
There are additional exemptions and carve-outs as well, such as the provision that the CCPA does not restrict a business’ ability to comply with federal, state, or local law. All of these exemptions should be reviewed carefully and applied based on your business’ situation.
Operational Preparedness
If it looks like your business may still be required to comply with some or all of the provisions of the CCPA, then it should begin to prepare to operationalize the many facets of this law. There are inherent risks that the CCPA creates (providing specific personal information to a person purporting to be the consumer being one of them) and possible operational challenges that may impede your business’ ability to comply. Therefore, it is worth investing the time to understand the issues and nuances of the CCPA, and the options available to a business to mitigate the risk to both the business and the consumer.
Key Considerations:
· Find out where your personal information is, what you do with it, and how you get to it for disclosure purposes. This may require a discussion with various departments in your business, including IT (where is the personal information stored), Sales (which systems are used to collect personal information), Processing (which vendors do we disclose the information to) and Marketing (which, if any, personal information is sold or shared with third parties).
· Develop categories under which the personal information falls.
· Develop and deploy the appropriate disclosures in the appropriate places. In most cases, use of the website and your online privacy policy will address most of the requirements.
· Set up at least two methods by which consumers can submit their requests. Consider website forms and a toll-free number, but other methods may be required.
· Set up a department that is ready to receive, track, record and process requests completely and on time. The CCPA requires that requests be completed no later than 45 days from receipt of the request (with a possible 45-day extension), and the Proposed Rule currently requires that an acknowledgment be sent to the consumer within 10 days. Consider your current complaint management process as the template, since the requirements and diligence required under the CCPA appear to be similar.
· Assess your methodology for verifying, within the bounds of the law, that the requestor is in fact the consumer. A business may require acceptable standards of proof that the requestor is the consumer, but the process may not be so burdensome that it discourages consumers from making requests about their personal information. The Proposed Rule currently provides more guidance on the factors to consider when verifying a requestor than the CCPA itself, but it is not completely prescriptive either.
Indeed, the CCPA does not offer the degree of clarity that businesses in the financial services industry are accustomed to when implementing new requirements. Hopefully, the Attorney General will issue a final rule that provides adequate guidance on some of the nuanced issues and grey areas in the statute. In the meantime, it’s time to roll up your sleeves, assess the CCPA as applied to your business and, where necessary, take the key steps to operationalize the requirements based on the best information currently available.
Garris Horn frequently provides guidance on CCPA matters. For more information on this interpretive rule, or to discuss related matters, contact Raymond Snytsheuvel directly at (949) 683-7500 or raymond@garrishorn.com.