Patrick Walsh
Originally published at blog.ironcorelabs.com.

CCPA: What You Need to Know

The California Consumer Privacy Act takes effect on January 1st, 2020. But it has provisions that reach back to January 1st, 2019. If you’re a software developer or work for a software company, it’s reasonably likely that CCPA is going to impact your roadmap, your website, and existing or planned features in the near future.

DISCLAIMER: This is not legal advice and does not substitute for it. We are not lawyers.

Background

The California Consumer Privacy Act (aka CCPA or AB 375) of 2018 shot through the California legislature in seven days. It was going to be on the November ballot, and legislators feared it would become law without any opportunity for stakeholders (lobbyists and such) to weigh in and help shape it. The sponsors of the initiative agreed to take it off the ballot if the legislature would pass the bill within a deadline, which they did. In the process, they watered parts down, such as eliminating monetary rewards for whistle-blowers.

Does it even matter?

This law doesn’t apply to all businesses. It’s primarily targeted at large tech companies and data brokers. Where it does apply, it’s possible and maybe even likely that the law will be preempted or watered down before it goes into effect.

CCPA is under attack on many fronts. First, the state legislature is actively amending it. Large tech companies like Facebook, who spent $200,000 to try to stop the law (despite publicly declaring to be in favor of it), are influencing these amendments. They are also trying to get the California Attorney General, who has rule making and interpretation powers, to issue rules that undercut core principles and penalties. For example, one fight is over the interpretation of the term “violation,” which is the unit size of most of the penalties. The original bill writers intended this to count per-person per-event, but there is lobbying underway to instead make this just be per event.

Large tech companies and data brokers are also undercutting the bill at the national level. Lobbyists are pushing the U.S. Congress to enact a privacy law that preempts the California one. Even in a divided Washington, there’s broad support for federal tech regulation and privacy protections. There’s a chance they enact a law before January 1st, 2020, which is when the California law is scheduled to take effect, and that the Federal law expressly preempts the California one, as most of the lobbyists want.

Despite the uncertainties, work towards CCPA compliance should start now. Specifically, all sales of personal information must be disclosed going back 12 months once the law takes effect, which means disclosures will go back to January 1st, 2019.

So does it matter? It does. This is a landmark law that at the least will influence future legislation. Anyone that bets this law will be radically watered down or preempted is likely underestimating the current privacy backlash or overestimating bipartisan cooperation. It could happen, but that’s far from certain.

What does it do?

Although CCPA has been described as GDPR-light, it is in no way light on requirements or penalties. CCPA is focused on these core principles:

  • Transparency: consumers get to know what data is collected and for what purpose(s). If the data is sold or shared, they will know the details of what and to whom. Consumers even get to know if a company has sold data to anyone in the last 12 months regardless of whether the practice has since stopped.
  • Control: consumers get the right to opt-out (or opt-in for minors) of the sale of their data. Consumers also have the right to see their data, the right to have it erased, and, perhaps most significantly, the right to privately sue for damages if a company gets breached (side note: a pending amendment would also give consumers the right to privately sue for privacy failures).
  • Data security: companies are liable for both fines and civil suits (individual or in classes) for any personal information that they fail to protect from hackers or other misuses (i.e., internal employees looking at data without a business purpose for doing so).

It’s worth noting that according to two of the original drafters, Ashkan Soltani and Alastair Mactaggart, the data security provisions of CCPA were added in response to the Equifax breach.

Equifax reserved about $2 per affected person to pay for the fallout from their breach (around $300m). Worse still than the relatively small dollar amount, Equifax has positioned itself to make money off the breach by offering their own credit monitoring service to affected customers. CCPA makes this sort of thing a much more material event for companies like Equifax.

What are the penalties?

If a company does not adhere to the consumer rights in the bill, they can be fined $2,500 per violation, which the writers of the law intended to be per person per incident. There are provisions for this to be adjusted down in some cases and at the discretion of the Attorney General.

If the violations are found to be willful, like if executives intentionally decided not to disclose a sale of data, then the penalty can be up to $7,500 per violation. A company that intentionally sells the data of 50,000 consumers and willfully fails to disclose that fact would face up to a $375 million fine.

If a business is breached, a private right of action is given to consumers to sue for the greater of actual damages or an amount between $100 and $750 per record. In the case of the Equifax breach, where 148 million consumers (56% of American adults) were impacted, a theoretical class action suit would result in damage awards between $14.8 billion and $111 billion — except, in practice, only California residents could bring suit. Even so, with 40 million residents, 31 million adults, and assuming only 56% of those were impacted, Equifax would face between $1.7 billion and $13.1 billion in damages. This is quite a bit more than the $300 million they set aside.

What businesses are impacted?

The law is generally aimed at two classes of businesses:

  • Data brokers: companies that either make a majority of their revenue by selling personal information of consumers or that trade (obtain, sell, or barter) more than 50,000 records per year.
  • Medium and large companies: companies with greater than $25 million in annual gross revenues.

That means that the vast majority of small businesses, including most tech startups, are unaffected.

Conclusion

CCPA’s most significant contribution will be a massive increase in transparency of data collection and behind-the-scenes flows of that data. Consumers don’t have to give over their data unless absolutely required for the service, which means things like giving up an email address before getting access to a white paper will no longer be lawful. And buying credit monitoring services will no longer be sufficient to stop liability for data breaches. Most importantly, the law is likely to spread well beyond residents of California and to change many practices in the tech industry. Compliance initiatives should start immediately.

Note: A good privacy platform, such as IronCore’s developer-focused data control solution, can help companies meet many of the CCPA obligations and other compliance needs as well.

Dive Deeper

This blog barely scratches the surface, but we dove quite a bit deeper in our analysis. We break out the consumer rights, business obligations, exemptions, and likely impact in our 13-page white paper (and you’ve already read the first 5 pages). Dive deeper here:

CCPA White Paper