It isn’t the same thing
Let’s get this out of the way: GDPR compliance does not equal CCPA compliance. There are some similarities between the two laws, but the CCPA has a different focus to GDPR, making compliance different in most respects. This chapter gives a quick overview of the key differences between the two laws.
A few of us won’t have to. (But just a few).
The good news is that not everybody has to comply with the new CCPA law. The bad news is that there are very few companies that will be so lucky. In this chapter, we look at who needs to comply with the CCPA and give you a simple-to-follow flowchart to determine whether you need to do so.
Being a business and selling data
Compliance with the CCPA boils down to two questions, namely:
- Is my operation regarded as a business with activities in California?
- And do my revenue-generating activities include the use of personal data of consumers?
Of course, if you are using personal data to generate revenue, you automatically qualify as a business, which means that it is likely that you are required to comply.
1. Is my operation a business?
In California Civil Code 1798.140, we learn that you are a business if
a) you operate with the aim to generate profits,
b) require personal data as part of your operations, and
c) have any business activity in California.
The implication is that your physical presence is irrelevant; the moment you collect personal information from any Californian resident as part of doing any form of profit-making activity, you are regarded as a business.
2. Do my revenue-generating activities include the use of personal data of consumers?
The CCPA does provide some leeway by adding certain thresholds that would qualify a business for compliance in 1798.140(c)(1):
(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
(B) Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
Don’t get too excited about these thresholds though. The CCPA uses a broad definition of ‘personal information’.
What is considered personal information?
In 1798.1409(o)(1) we learn that:
Personal information means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Are you collecting IP addresses for web analytics? Are you using cookies? Does the information you collect link not just to individuals, but perhaps to households or even single devices? Even though a 50 000 consumer threshold looks like a lot, it only takes 137 unique visitors from California to your website per day to fill up that quota and relates to any identifiers that can link back to a consumer or household.
Then there are the profits on the sales of this information, which is more specific to data brokers who make money by selling personal data. If you earned $100 this year, and $50 of that was generated by selling consumers’ data, you will have to comply.
But even ‘selling’ here isn’t a simple concept.
According to Code 1798.140(t)(1):
‘Sell’, ‘selling’, ‘sale’ or ‘sold’ means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
So, who won’t have to comply?
Code 1798.145 provides some exceptions for compliance, most notably when a business’ activities take place ‘wholly outside of California’ and does not process any personal information of a California resident.
The challenge here, specifically to businesses that operate on the Internet, is to know whether or not a visitor is from California. But if you are running a fish tackle shop in Arkansas where no Californians ever have, or ever will, set foot, and you operate without a website, and don’t collect any personal information, then it is likely that you are not required to comply.
Other exceptions noted in this Code relate mostly to organizations that collect medical and other forms of sensitive personal information, which are already subject to specific privacy laws for their particular contexts.
Broadly speaking...
One might say that the devil is in the details, but in the case of the CCPA the devil is really in the broad definitions. Some businesses may want to find a way to avoid the burden of compliance, but with a number of other similar laws developing in other states, as well as across the globe, it is a safer approach to ensure compliance.
It gets complicated really fast
Compliance projects can get complicated. It requires time and dedication from specific team members across different departments, including legal/compliance, business owners and IT. Due to imminent deadlines for implementation, it typically runs over shorter periods of time.
Managing a complex, high-pressure project is a challenge, and like any challenge, it begins with proper planning. In this chapter, we provide a few tips on planning for your CCPA compliance project.
“You don’t know what you got till it's gone”
Before implementing any changes, you need to know what your data looks like. In this section, we’ll look at the practical steps you’ll need to take to map your data and assess the extent of your CCPA compliance requirements.
Give them what they ask for
The motivation for mapping your data relates to the right the consumer has to ask for disclosure of the data you are collecting, where you are getting it and to whom you are selling it.
Code 1798.110. (a) reads as follows:
A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following:
(1) The categories of personal information it has collected about that consumer
(2) The categories of sources from which the personal information is collected.
(3) The business or commercial purpose for collecting or selling personal information.
(4) The categories of third parties with whom the business shares personal information.
(5) The specific pieces of personal information it has collected about that consumer.”
Not only does a map with this profile assist in developing disclosure and deletion processes, but it will also indicate the overall compliance risk your business faces.
CCPA vs GDPR: It’s a matter of scope
The geographic scope of GDPR forced many businesses to take a more blanket approach that would make an initial mapping less practical. Instead, many opted to simply implement the various privacy measures across all their data sets, the geographic origin notwithstanding.
Moreover, the comprehensive nature of GDPR required fundamental changes to systems which would make separate technological standards cumbersome and costly to implement and maintain.
Finally, GDPR compliance surrounds a single data object, namely a ‘data subject’ which is a natural, identifiable person. The CCPA includes both households and devices beyond individuals, which makes data mapping a necessity.
The CCPA is focused solely on Californian consumers and is not prescriptive on how systems must be secured or data should be managed towards data privacy. Instead, it requires specific knowledge of your Californian consumers which makes data mapping more important.
If you haven’t mapped your data for GDPR, this may be a good exercise to understand your greater compliance risk as more regions implement data privacy laws.
Practical steps to take
Identify data objects (residents, households, devices)
The CCPA’s underlying premise is that data on households and devices links back to individual consumers, which makes it personal information by extension.
Consequently, mapping your data will start with mapping the data objects you maintain, specifically individuals, households and devices.
Identify data sources and source categories
Where do you get this data? Typically data can originate from the following, among others:
- Active submission by consumers
- Automated collection by systems (such as web analytics or algorithm-derived data)
- Other forms of observation
- Inferences from existing data
- Acquisition from other businesses or third parties
- Acquisition from public sources (both from government and private sources)
Be as detailed as possible in identifying specific sources that will allow you to identify and map them to categories like the list above.
Map data fields to field categories and identifiers
The CCPA indicates 11 different categories of personal data, including a long list of identifiers that relates to people, households and devices. In this step, map your data fields to these categories and where possible, identifiers.
The categories include:
| Category | Example/Description from Applicable Law |
|---|---|
| Identifiers | Real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers. |
| Any categories of personal information described in Cal. Civ. Code 1798.80(e) | ‘Personal information’ means any information that identifies, relates to, describes, or is capable of being associated with a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. ‘Personal information’ does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. |
| Characteristics of protected classes |
Protected classes include:
|
| Commercial information | ‘Biometric information’ means an individual’s physiological, biological or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information. |
| Internet or other electronic network activity information | Including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement. |
| Geolocation data | Longitude, latitude or any other geographic positional information expressed in any format that can be directly associated with a person, household or device, including graphical maps. |
| Audio, electronic, visual, thermal, olfactory, or similar information |
Voice recordings |
| Professional or employment-related information |
Work History |
| Education information |
Information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99) |
| Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer |
Reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. |
Understand Data Flows
Now that you know where the data comes from and what categories it falls into, you can assess where the data is going. This important step clarifies what data is regarded as being ‘sold’ or ‘disclosed’ as defined by the CCPA:
‘Sell’, ‘selling’, ‘sale’ or ‘sold’ means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
Typically data will be shared:
- Internally between individuals or departments
- Externally with trusted partners
- Externally with buyers
- Externally with the general public
For example, you will collect personal data on your employees, but you won’t share it with buyers or the general public. If you use a third-party payroll system in the cloud then you are sharing it with a trusted vendor, who in turn has a number of obligations to maintain the privacy of the data.
Your end goal is to generate two lists using the categories in the previous step, one with categories that are sold, and one with categories that are disclosed, but not sold, for example:
| Object | Object Description | Category | Status | Recipient | Recipient Category |
|---|---|---|---|---|---|
| Object: Consumer | Object Description: Website Visitor | Category: Internet or other electronic network activity information | Status: Disclosed | Recipient: Google Analytics | Recipient Category: Web Analytics |
| Object: Household | Object Description: Customer Address | Category: Geolocation data | Status: Sold | Recipient: GeoRus | Recipient Category: Client |
| Object: Consumer | Object Description: Employee | Category: Biometric information | Status: Disclosed | Recipient: BioAccess Systems | Recipient Category: Security Vendor |
| Object: Device | Object Description: IP Address | Category: Internet or other electronic network activity information | Status: Disclosed (internal use only) | Recipient: Hubspot | Recipient Category: CRM |
Filter for the age of consumers
Consumer age is important for all pieces of privacy legislation, but specifically so for the CCPA.
In Code 1798.120(c) the issue of age is dealt with as follows:
a business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers between 13 and 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer’s personal information. A business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age. This right may be referred to as the “right to opt-in.
The important implication here is that by ignoring age, and then selling consumer data that may contain children under the age of 16, you are by default contravening the law and may face maximum penalties.
For this reason, when preparing for CCPA compliance you will need a clear classification of your consumer data by age. When filtering for age you will initially have the following brackets:
- Older than 16: consumers in this age bracket have the right to opt out of having their data sold
- Between 13 and 16: consumers in this age bracket must opt into having their information sold
- Below 13: consumers in this age bracket will require a parent or guardian to opt them into having their data sold
- Unknown: if you have age-related data, consumers in this bracket needs to be excluded from any sales until you can confirm their age
Important note: When it comes to age verification it is better to err on the side of caution. Section 1798.100(d) notes that data gathered for a one-time transaction, or data that wouldn’t under normal operating circumstances be maintained, is not required by the CCPA. The possible implication here is that should one not normally maintain age-related information, the CCPA wouldn’t require it. However, the fact that the law emphasizes age verification means that it should be seen as data that must be maintained for the sake of compliance.
Filter for Californian residents (consumers)
With a fully mapped data set, the final step is to filter for Californian residents. Outside of the borders of California, your data might contain website visitors or customers who reside in California.
Filtering for consumers from California can be on the basis of any address records, or on the basis of geolocation or IP location.
Important note regarding employee data: At this time there are still debates as to the extent to which employee data will be subject to the CCPA. Without any amendments, the law extends fully to employees, however, a recently proposed amendment (AB25) will restrict the way in which employee data is managed under the CCPA. Regardless of whether employee data is subject to the CCPA, it is good practice to ensure maximum privacy protection for this type of data.
Your first line of defense
Love them or hate them, legal documents are critical when it comes to compliance. This is one of the first places regulators will look, and they act as a guide to ensure further compliance. More importantly, should your business ever be challenged in court for non-compliance, your legal documents will play an important role in your defense.
What’s in a name?
The CCPA in its current format is a broad-strokes type of law. Instead of providing detailed definitions for terms, the authors decided to rather apply a single term across a broad range of functions or activities.
A core right given to consumers by the CCPA is that of opting out of the sale of their data, and due to the broad definition for the term ‘sell’, the requirement to review all the processes related thereto is a priority.
Time to do something
With your data properly mapped out and the data sales processes clearly identified, you can implement updated consumer data processes. This is the first practical step towards measurable compliance which means that this part of the project should get adequate attention.
In this chapter we will look at the major consumer processes required by the CCPA, and what it will take to implement them.
Systems are process tools
Whenever a process changes, the system must follow, otherwise you would never achieve the expected results. So in that way a system is a reflection of the process, or a process tool. In this chapter we look at the fundamental changes that a system needs to improve compliance.
Data privacy is a conversation...
The general attitude to private information used to be the same as any other piece of data found on the internet: if you found it, you can keep it. The complete freedom of sharing information is what makes the internet great, but it is a double-edged sword, as this freedom comes at the risk of the individual.
CCPA compliance on SAP is double the complexity
The power of SAP is its incredible flexibility on enterprise scale. In an ironic twist, the flexibility that SAP provides is also its Achilles heel: to be more flexible, SAP requires complexity. With a myriad of data tables interlinked in a nearly endless number of possible ways, trying to implement even basic compliance can be a tough job.
