
California Consumer Privacy Act (CCPA)

How to be prepared before 2020?

01

About CCPA

Driven by the continued global rise in consumer data breaches and growing privacy concerns, the State of California recently passed the California Consumer Privacy Act of 2018 (“CCPA”). The CCPA represents the most demanding customer data privacy statute enacted to date at the U.S. state level. Businesses like financial institutions will need to consider existing privacy rules in the U.S. when assessing the potential impact of CCPA.

The CCPA is similar to the recent European Union’s General Data Protection Regulation (“GDPR”) that came into effect in May 2018. While CCPA and GDPR have differences, both laws provide consumers a greater ability to control their personal information. The CCPA also imposes requirements and prohibitions on businesses that collect or sell this information.

Although the CCPA became California state law on September 23, 2018, the Attorney General’s enforcement of the CCPA goes into effect six months after publication of the implementing regulations, or July 1, 2020, whichever comes first. Sia Partners will continue to monitor and report on regulations issued by the Attorney General of California. 

The CCPA is designed to protect California residents’ personal information from the threats of unwanted disclosure, sharing, or sale. A key objective of the CCPA is to prevent situations like the recent event involving Cambridge Analytica gaining access to personal information of approximately 87 million Facebook users without their consent.

Although the CCPA is a California law, it impacts businesses, independent of where their operations are located, that collect, share or sell personal information of California residents. These individuals could be consumers as well as potentially employees or independent contractors. According to experts in a recent article published on Bloomberg BNA, the CCPA will apply to over 500,000 businesses servicing approximately 40 million California residents. This law is the first of its kind in the US, but other states could follow this trajectory in the next few months and years.

Companies are investing heavily in digital technologies and big data. The volume of personal information collected has increased significantly in the last few years and will continue to grow in the coming years. Indeed, the collection of personal information has become a significant asset for companies as part of cost reduction, customer journey personalization and overall competitiveness.

Personal information is used by numerous departments and can be collected through various channels and technologies. 

>> The protection of personal information is paramount, and the rights granted to individuals are reinforced.

New Consumers' rights

The CCPA will confer new rights upon California residents, of which businesses must notify consumers and which must be addressed in policies. This will introduce new cross-functional processes across business departments.

Right to Know

The right of Californians to know (a) what personal information is being collected about them and (b) whether their personal information is sold or disclosed and to whom.

Right to Access

The right of Californians to access their personal information held by businesses or their third parties.

Right to Request Deletion

The right of Californians to request businesses to delete their personal information, subject to certain exceptions like the need for the business to comply with legal obligations.

Right to Opt-out, Opt-in

The right of Californians to prohibit the sale of their personal information (“opt-out”) and the requirement to obtain authorization for such a sale in the case of individuals 16 years old or younger (“opt-in”).

Right to Equal Service and Price

The right of Californians to not be discriminated against when exercising their privacy rights.

Right to Seek Damages

The right of Californians to seek statutory damages from businesses in case of violations. Statutory damages range from $100 to $750 per consumer per incident or actual damages, whichever is greater. 

Business Requirements and Prohibitions

To help enforce these rights, the CCPA imposes requirements and prohibitions on businesses that collect or sell personal information:

  • Disclosure Requirements: Upon receipt of a verifiable consumer request, businesses will be required to disclose:

    • The categories and specific pieces of personal information that they collect about the consumer;

    • The categories of sources from which that information is collected;

    • The business purposes for collecting or selling the information; and

    • The categories and identity of third parties with which the information is shared.

  • Deletion Requirements: Upon receipt of a verifiable consumer request, businesses will be required to delete the personal information as long as it does not interfere with the legal obligations of the business.

  • Opt-out Requirements: Businesses will be required to grant a consumer’s verified request to opt-out from the sale of their personal information.

  • Opt-in Requirements: Businesses will be required to seek affirmative authorization before selling the personal information of consumers under 16 years of age.

  • Discrimination Prohibition: Businesses will be prohibited from discriminating against customers who exercise their personal information-related privacy rights. Businesses will have the ability to offer financial incentives for the collection of personal information.

What do businesses need to do?

Businesses first need to assess the CCPA’s applicability to their operations. Find out by answering our questions.

Once the need to comply with some or all of CCPA sections is confirmed, businesses need to assess whether their existing data privacy and information security policies, procedures and practices are sufficient to meet the CCPA requirements.

Our experience working with clients to establish resilient and sustainable data privacy and information security capabilities that are compliant with regulatory expectations demonstrates that the effort can be organized across the following areas:

The success of the CCPA compliance project relies on an organization’s ability to mobilize its workforce and create a long-term solution based on a sound corporate culture and effective governance. 

02

Are You Impacted by the CCPA?

The CCPA impacts businesses, independent of where their operations are located, that collect, share or sell personal information of California residents. These individuals could be consumers as well as possibly employees or independent contractors.

The CCPA also lists a number of exemptions that need to be considered when determining the act's applicability to a business. These exemptions relate to existing U.S. privacy laws. Subject to certain exemptions discussed below, the following decision tree outlines the initial determination of whether CCPA will impact a business:

*Currently, the CCPA does not specify whether the $25,000,000 threshold refers to worldwide or California-only annual gross revenue.

Exemptions

Even though a business may appear to be covered under the CCPA, there are a number of exemptions that limit the act’s applicability. Businesses already covered under existing privacy-related regulations first need to determine the extent to which the CCPA applies to them.

Entities covered under the following laws do not have to comply with the CCPA for personal information falling into the scope of those laws:
1. GLBA: Non-Public Information (NPI), i.e. financial information
2. CFIPA: Non-Public Information (NPI), i.e. financial information
3. HIPAA: Protected Health Information (PHI)
4. DDPA: personal information in connection with a motor vehicle record
5. CMIA: medical information
6. Common Rule: information collected from trial subjects

GLBA-, CFIPA- or DDPA-regulated entities, however, remain subject to the consumers’ right of action to seek statutory damages.

HIPAA-regulated entities do not have to comply with the CCPA if they are a Health Care Provider, Health Plan or Health Care Clearinghouse as defined in the Privacy, Security, and Breach Notification Rules established pursuant to HIPAA.

CMIA-regulated entities do not have to comply with the CCPA if they are health care providers, health insurers, or individuals or businesses they contract with that have access to medical information, including IT companies (called contractors).

Performing this analysis will help organizations determine the CCPA’s applicability to their business. For instance, a financial institution governed by existing privacy laws, such as the GLBA, will likely have to comply with the CCPA’s new privacy rights for the categories or specific pieces of personal information that are not already covered by existing U.S. privacy laws.


03

How can Sia Partners help?

Sia Partners has developed documentation, templates, methodologies and tools (e.g., a gap assessment tool) to assist businesses in complying with the CCPA:
