The California Consumer Privacy Act: Impacts and Considerations
The CCPA (California Consumer Privacy Act) is the new kid on the infosec block: GDPR’s younger sibling. It’s been over 18 months since the GDPR (General Data Protection Regulations) was first enforced, unifying data privacy laws throughout Europe and bringing consumers, research participants, and business operators into alignment and equal understanding beneath them. Drafted in 7 days, the CCPA borrows much from its bigger, elder sibling, but there are some notable differences between it and GDPR.
A recent survey by ESET – a global leader in IT security – revealed that 44% of respondents had never heard of the CCPA; less than 12% of those surveyed knew whether the law applies to their business. Those of you who, like me, work in the world of infosec, will be very aware of the CCPA, but those outside of data security most likely won’t be.
What is the CCPA?
The CCPA was enacted in 2018 and came into force on 1st January 2020. It applies to any business that:
Collects, shares, or sells customer data of more than 50,000 people
Has a gross annual revenue of more than $25 million
Earns more than half of its annual revenue from selling consumers’ personal information
Cited as being an American move towards a GDPR-style privacy law, the CCPA offers California residents the chance to have agency over some of their personal information – with ‘some’ being the operative word. Where the GDPR restricts the collection and processing of personal information under specific circumstances, the CCPA operates on an opt-out basis, only allowing Californians to say no to the sale of their data to third parties. Whereas GDPR allows access to all EU personal data processed by a company, the CCPA gives Californians a right to access personal information collected from them in the last 12 months. For, whilst the CCPA is a positive step for U.S. citizens, it is not as comprehensive as European GDPR.
Enforcement penalties under the CCPA, whilst not enforceable until July this year, differ from that of the GDPR; a breach of the EU data law has penalties capped at €20million, or 4% of a business’s global annual revenue (whichever is higher). Enforcement penalties of the CCPA range from up to $2500 per unintentional violation, and $7500 per intentional violation.
The CCPA differs in other ways to what businesses have become used to: it doesn’t require a legal basis for the collection and use of personal data; it doesn’t restrict the transfer of data outside the U.S; it doesn’t call for businesses to appoint a Data Protection Officer, or to conduct impact assessments. There are also no directly imposed security requirements under CCPA, however it does allow for a right of action against businesses that suffer certain data breaches.
What impact will the CCPA have?
Where companies have had to work to improve transparency with regard to data collection, compliance with the CCPA will be made much simpler thanks to procedures meeting the requirements of GDPR. Where there may be some confusion is around the CCPA’s broadening of the term ‘data subject’ and its interpretation of ‘personal information’.
As far as the Californian law is concerned, both the consumer and the household are identifiable entities, and therefore personal information under the CCPA includes IP address, biometric information, device identifiers and location, on top of the usual name, date of birth and email address. Market research companies have got used to what constitutes ‘personally identifiable information’ (PII) under the GDPR, and are now going to have to become conversant with the CCPA’s ‘personal information’:
“anything that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.”
The terminology here could prove problematic for businesses, particularly around the terms “reasonably” and “is capable of”. To use an example, if you are using third party data to append to your customer’s information in your database, you might not record the source of this information. If the participant revokes the right to use this information from the third party, you would also no longer have permission to use that data. With this sort of scenario in mind, there is potential that some company databases may need reconfiguring to ensure compliance; guaranteeing the traceability of data, and the accurate recording of its origin.
With regard to the CCPA notion of the ‘household’, more guidance is needed - for example, what if not all members of the household agree on a data access request? Indeed, in reading the CCPA you realise there are a few blurry areas (remember, the Act was written in 7 days). This ‘blurriness’ has been noted, and the CPREA (California Privacy Rights and Enforcement Act) has been drawn-up and tabled for 2020 approval. Whilst this will hopefully bring some clarity, it will have a big impact, adding more stipulations to the Act that will potentially require an amendment to companies’ compliance processes already designed.
All 50 states have enacted data breach notification requirements since the advent of GDPR; more states are expected to follow with privacy laws similar to the CCPA – Vermont and South Carolina have already updated theirs. This will undoubtedly have impact on the industry, particularly as there is no guarantee that all state laws will correspond: you could potentially have to comply with one Act for a participant from California and another for a participant in Maine.
What are we doing about it?
Mutual respect is non-negotiable. At FlexMR we recognise that our participants need to know and believe that we respect their rights and their sensitive data; we can’t rely on the natural responses of research participants if they don’t have trust in our processes or our intentions.
We process all data in compliance with GDPR. Safeguards integrated at the heart of our platform allow us to confidently guarantee compliance with GDPR, and now also permit us to feel certain that we are fully compliant with CCPA. As a company we do not get involved in the sale of data to third parties, meaning a large part of the CCPA as it currently stands does not impact us. For the remainder of the Act, knowledge that we meet stringent GDPR requirements brings assuredness that our policies and processes will also mean CCPA compliance; established practice will simply require amendment to reflect the CCPA’s different terminology and timescales.
As with other regulatory documentation, the CCPA does not furnish us with a rubric approach; the practicality of compliance requirements are not easily gleaned from the statutory language and it is this non-specificity that makes most companies fret. Whilst I would posit that most GDPR-compliant companies will be on the front-foot in preparing for it, it’s worth everyone involved in the MR industry taking the time to evaluate the impact of the CCPA and other new burgeoning data privacy laws on the wholesale collection, management, use, and retention of personal data.
Recognised as an Inspiring Leader in the University of Warwick staff awards, Amy’s experience in governance and data management of medical research enables her to confidently drive our commitment to high standards & information security forward.