Questions Swirl as California Department of Justice Prepares for CCPA

What is important to the business community with the advent of the California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020?

At a recent California Consumer Privacy Act rulemaking workshop held by the California Department of Justice (DOJ), the constant refrain from attendees was for the California Attorney General to offer clarity and guidance on the anticipated impact of CCPA.

Several things became clear over the course of the day’s sessions. First, businesses need to think about compliance now and should not hang back.  High-level discussions about operationalizing CCPA should already be taking place within organizations.

Second, industry viewpoints are imperative to the rulemaking process because the California Department of Justice is still determining how the many business use cases that exist may make it difficult, or impossible, for industries to comply. Not knowing all of the possible and potential use cases could make it difficult or impossible for industries to comply.

As an example, businesses with gross annual revenues under $25 million will be exempt. Many start-ups that are in growth mode will not fall under the exemption.  Moreover, the “small business” exception will not apply if a company buys, receives, sells or shares, for commercial purposes, the personal information of 50,000 California residents in a year, nor will it apply if 50 percent or more of the company’s revenues come from selling personal information.

In order to get a better handle on how the CCPA will impact small businesses, the DOJ is currently soliciting feedback or similar use cases from small businesses.

Clarification and guidance were also discussed around Gramm-Leach-Bliley Act (GLBA) regulated entities. The Gramm-Leach-Bliley Act, also known as the Financial Modernization of 1999, is a federal law that requires financial institutions to explain how they share and protect their customer’s data.  The CCPA provides a carve-out for organizations regulated by the Gramm-Leach-Bliley Act, yet there are some ways in which the CCPA will impact GLBA-regulated entities.

First, the CCPA “applies to activities which fall outside the scope of the GLBA.”  Second, consumers can initiate private actions for damages against GLBA-regulated entities in the event of a breach of information, regardless of which act regulated the collection, processing, sale and disclosure of the information.

Questions from GLBA-regulated entities ranged from “What does it mean for an activity to fall outside the scope of the GLBA?” Or, “If GLBA does apply, does the private right go away because of the Supremacy Clause?”

Another hot topic is employee data.  As the law is written, employee data fits into the broad definition with consumers.  Industry viewpoints and use cases were discussed about employers sharing employee data with third-party vendors who develop artificial intelligence (AI) applications.  The AI may be sold, but how will the AI inferences consumed in the algorithms based on consumer data, when sold will the CCPA apply?

The definition of a sale and how it applies broadly for valuable consideration was also a point of contention during workshops.  Will the DOJ provide guidance and SAFE HARBOR for certain types of data sharing?

Other topics in a long list of others were the anti-discrimination requirement and its conflict with financial incentives, the “Do Not Sell My Data” notice requirement along with uniform opt-out, clarity on the consumer verification process and what is required from organizations before enforcement, valid defenses and how to respond to consumers.

Even though the CCPA is still subject to changes and variations, the deadline for determining the impact of the CCPA on your company is fast approaching. And, although the majority of the CCPA will not apply to GLBA-regulated entities, there are still significant implications financial institutions must consider and contemplate before it comes into effect in 2020.

Until further guidance and clarification is provided by the DOJ, the first step organizations should take is to conduct an inventory of the data collected to determine which data will be regulated by the CCPA, and revamp security to avoid breaches which could result in costly damages brought by California citizens.

Ron Naulls

Senior Manager
Technology Consulting – Security and Privacy