A Step-by-Step Guide to the California Consumer Privacy Act

California made headlines this year with the California Consumer Privacy Act of 2018 (Cal. Civ. Code § 1798.100, et seq.) which officially went into effect on January 1, 2020. Many companies across the United States have been driving towards CCPA compliance, assessing data practices and network infrastructures to determine how and to what extent the company is required to comply with the regulation.

Many companies still are grappling with the requirements of the CCPA, and taking advantage of the California Attorney General’s six month delay in enforcement actions. The Attorney General is set to start enforcement of the CCPA on July 1, 2020. Similar to the European Union’s General Data Protection Regulation (GDPR), the California legislature built in somewhat of a grace-period for companies to come into compliance with the CCPA.  

Regardless of where you sit on the spectrum of CCPA preparation, here is a helpful breakdown of key components to consider in the next few months before the Attorney General’s office may come knocking on your door. 


Are You Impacted by the CCPA?


The first question every business should be asking is: do we even need to comply with the CCPA? The CCPA does not impact all businesses. A company is impacted if it does business, for profit, in California and meets one out of the three jurisdictional triggers in the regulation:

  • Has gross revenues exceeding twenty-five (25) million dollars; 
  • Buys, receives, sells, or shares personal information of more than 50,000 consumers, households, or devices; or 
  • “[D]erives 50 percent or more of its annual revenues from selling consumers’ personal information.”

Cal. Civ. Code § 1798.140(c). A key component in understanding whether an entity qualifies as “business” impacted by the CCPA is whether or not the business handles “consumer” “personal information.”  “Personal information” is defined broadly as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Cal. Civ. Code § 1798.140(o). 

If an entity does not (1) operate for profit in California or (2) operates for profit in California but does not trigger any of the three triggers above, then it may not be impacted by the CCPA. 

How else could a company be triggered? 

An entity could be considered a “service provider,” defined as a business “that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract . . . .” Cal. Civ. Code § 1798.140(v). As a service provider, an entity, who is otherwise not impacted by the CCPA, may be contractually required to comply with the CCPA by virtue of the services it provides to its clients. The real answer is that whether or not the CCPA is impacting your organization is not just a 1-2-3. It requires the appropriate legal analysis. 


Ok, our entity is impacted by the CCPA. Now what?


After the necessary sighing and disgruntlement has passed, it is time to get to work on understanding the company’s risks and exposures. At XPAN, we call this the “Assessment Phase.” The goal of an assessment is multifold: 

  • First, the entity needs to identify its current information governance practices. This takes the form of understanding data flows, reviewing current compliance documentation, and revealing formal and informal processes impacting data and the network. 
  • Second, the entity needs to understand its role in the data transactions with its clients. What data do you have access to? What have you contractually agreed to do as it relates to privacy and security? 
  • Third, the entity should explore the matrix of third-party providers/suppliers that it currently uses to support its business. Which of those third-parties have access to information? 

The answers to these questions, when mapped directly to the requirements of the CCPA, will both enlighten the company as to its current information governance practices, and identity areas that need to be addressed. 

Additionally, the goal should be to identify priorities. Yes, all components of privacy and security are important. But, resource limitations and real-life business needs require that the various privacy and security requirements need to be prioritized to ensure that high risk exposures are addressed before moving on to lower risk areas of the entity’s compliance gaps.  In other words, prioritizing high risk areas in favor of lower risk areas is both appropriate and necessary. 


We know our gaps in compliance. How do we address them?


With your assessment fresh in your mind, you should be using those results to develop what XPAN calls, a “Remediation Plan.” This Remediation Plan should include the following core aspects:

  • The core stakeholders at the company who will help to remediate security and privacy concerns. At a minimum, this should include legal, marketing, technology, and human resources. And, all of these departments need to have buy-in to the project. If the group fights the project, your efforts will go nowhere. At XPAN, we often find that we educate just as much as we provide legal services since many people need to understand the true legal landscape of privacy and security before being able to support the why of spending time remediating risks. 
  • An actionable plan to work through gaps in the entity’s CCPA compliance. This first requires an understanding of the CCPA’s requirements, which derive from both the legislation and the pending Attorney General’s regulations which gives more guidance as to the how of the CCPA. Second, the entity needs to map the various requirements to existing controls currently used by the organization across all the departments. The better the company can organize the overall remediation plan, the better it will be able to meet compliance deliverables in a timely fashion and within budget. If this is a new area for the company, or the company is already spread thin, this is a great place to use outside resources. The cost of those outside resources will result in exponential savings to the company by running a more streamlined project overall. 
  • Finally, a Remediation Plan should include metrics that can be used to demonstrate progress and identify areas that could use additional resources or guidance. In a perfect world, the teams will embrace, with open arms, these privacy and security changes. But, often, we see companies struggling to understand how this compliance will function on a day-to-day basis. Creating metrics will help teams see the progress, even while they are in the weeds of remediation.

With a Remediation Plan, the key is organization and documentation. If you are just starting down the CCPA journey (or the privacy and security journey generally), it is likely that remediation is going to take time. And, your business is going to continue on throughout this process. By creating this Plan, a company can create a reasonable position to defend any government investigation or private lawsuit that may arise during the remediation process.   


This seems expensive and time consuming. Why does it matter?


Yes, privacy and security take time. Often, we are talking about a cultural change and not just procedural or technology changes. Further, security and privacy impact the entire organization. At XPAN, we work with almost every business unit at our clients because all access systems and process data — so they all impact the organization’s security and privacy compliance. 

But, we often get asked: what are the odds that my company is going to be liable or be investigated by the California Attorney General?  It is important to understand that liability under the CCPA can come from multiple different angles:

  • The Attorney General can bring an investigation to confirm compliance with the CCPA. A company will have thirty (30) days to cure any non-compliance with the CCPA. However, if it continues to violate the CCPA, a business can be subject to fines of up to $2,500 for each violation or $7,500 for each intentional violation. Cal. Civ. Code § 1798.155(b). 
  • In the event of a breach that results in the “unauthorized access and exfiltration, theft, or disclosure” of a consumer’s personal information, a consumer may bring a private cause of action against the company for damages of between $100 and $750 “per consumer per incident or actual damages, whichever is greater.” Cal. Civ. Code § 1798.150(a). 
  • Under contracts and agreements between businesses and service providers, each entity can be held liable for a breach of contract in the event of non-compliance with the CCPA.  This will heavily depend on how contracts are drafted and negotiated, but remains an exposures for companies under the CCPA.

When making the global decisions around privacy and security, it is important to understand your entity’s entire risk profile, and understand what risk you can transfer (via contracts or insurance) and risks that you cannot transfer. The goal is to mitigate risk.  Security and privacy are not a zero-sum game. If you are using a computer to run your business, you need to engage in a conversation around privacy and security.

Under CCPA, the time is quickly running out to have that conversation before the enforcement deadline. As of July 1, 2020, it will be fair game for the Attorney General to come knocking on your door. Waiting until that moment to address CCPA is a dangerous (and potentially expensive) gamble.  Work with your internal teams and bring in external resources like XPAN to develop a workable plan to move closer towards compliance in a way that meets your legal requirements and resources. Because, in security and privacy, luck favors the prepared! 

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.