The California Consumer Privacy Act of 2018 (CCPA) is a sweeping new privacy statute that grants rights to consumers and imposes corresponding obligations on subject businesses. The CCPA defines consumers to mean California residents, and generally defines “business” as for-profit entities that meet certain threshold requirements. Cal. Civ. Code § 1798.140(g) (consumer), (c) (business). The CCPA went into effect on January 1, 2020.
As Julie Brill, Chief Privacy Officer for Microsoft stated in her November 11, 2019 blog post, Microsoft will recognize the core rights of customers, including not only residents in California, but throughout the United States to control their data as stipulated in the CCPA. This follows the decision by Microsoft to extend the rights bestowed by the European Union (EU) General Data Protection Regulation (GDPR) to customers around the world, and not just those who reside in the EU. Microsoft’s approach to privacy begins with the belief that privacy is a fundamental human right, and the extension of rights granted by the CCPA to all customers in the United States is part of their commitment to customer privacy.
This commitment extended to Microsoft enterprise customers includes a commitment to help them understand the new regulation and comply with the obligations laid out in the statute. This includes providing both the tools and guidance customers will need to comply with CCPA. The statue has gone through several revisions since it was originally introduced. We hope this summary of the specifics of the statute as it stands today will help Microsoft’s customers to both understand the key components of the statute and their compliance obligations.
The rights of consumers covered by the CCPA include: (1) an abbreviated right to request that a business make certain disclosures about the personal information they collect (id. § 1798.100); (2) an expanded right to disclosure regarding the personal information the business collects (id. § 1798.110(a)); (3) a right to disclosure regarding the personal information that is sold or disclosed for a business purpose (id. § 1798.115); (4) a right to opt out of sale of personal information (id. § 1798.120); (5) a right to opt in for the sale of a minor’s personal information (id. § 1798.120(c)); (6) a right to deletion of personal information collected (id. § 1798.105); (7) a right to access personal information (id. § 1798.100(d)); and (8) a right to not be discriminated against for exercising any of the rights granted by the CCPA (id. § 1798.125).
Enforcement actions by the Attorney General may be brought six months after the publication of final regulations, or July 1, 2020, whichever is sooner. Id. § 1798.185(c). Civil penalties include injunctions and fines of up to $2,500 per violation and aggravated fines of up to $7,500 per intentional violation. Consumers are also afforded a limited private right of action in situations where their personal information is “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.” See id. § 1798.150(a)(1).
On October 11, 2019, the governor signed six amendments to the CCPA. Under the amended law, a business may offer financial incentives based on the value of the consumer’s data to the business—not the consumer. Cal. Civ. Code § 1798.125(b)(1). The amendments did not substantively change the CCPA’s basic requirements: the right to notice, access, deletion, opt out, and non-discrimination. For more detail, see here.
A new California privacy ballot initiative, titled The California Privacy Rights Act of 2020 (CPRA), has also been introduced. The initiative would go into effect on January 1, 2021, and would make significant changes to the CCPA, including greater protection for “sensitive personal information” (id. §§ 1798.100(a)(2), 1798.120), and disclosure of “profiling” activities (id. § 1798.110(c)(6)). The original version was submitted on September 25, and since then, two revised versions have been submitted—on October 2 and October 9. The subsequent versions do not make significant changes to the initiative. For more information regarding notable provisions of the initiative, see here.
Adopting procedures to implement the obligations set out in the CCPA will help a company to minimize both business disruption and enforcement risks in connection with CCPA. To help ensure compliance, we recommend that a business have a data subject response program in place due to the prevalence of advertising technology and opt-outs that might be occasioned by the CCPA’s focus on such technology. Specifically, a business should consider a six-phased approach to a comprehensive privacy program compliance:
- Appoint an individual or task force to lead the privacy program;
- Update its data map to include California-specific questions;
- Conduct a gap analysis or risk assessment;
- Conduct a data impact assessment for high-risk processing;
- Begin mitigating risks; and
- Maintain an auditable record.
You can read more about the six-phased approach on the Perkins Coie Privacy Quick Tips Blog.
To take the actions listed above, you need a more structured way to assess your privacy risks and leverage technology to discover, protect, and govern your data more effectively and efficiently. You can learn more about how Microsoft 365 can help you prepare for the CCPA in this e-book: Five tips to help you prepare for the California Consumer Privacy Act. Remember: Compliance does not end with implementation. A business should create an auditable record of compliance, as well as continue to monitor the legal landscape.
Note that this blog includes contributions from Njeri Mutura and Tina Ying from Microsoft.