The California Consumer Privacy Act (CCPA) does not mention anywhere in the statute that a data map must be performed or that vendors must be categorized. Yet, as we work with organizations that are preparing to implement CCPA compliance measures by the end of this year, we hear these common refrains when we recommend that businesses perform a data map and categorize vendors as part of their planning: How will an organization satisfy a consumer’s request to disclose all personal information collected, sold or shared in the previous 12 months as required under Section 1798.130 without a data map? Who will be responsible for responding to consumer requests without vendor categorization?
Coping with this important step in CCPA preparation requires an understanding of the underlying technologies and of how vendors interact with the consumer data provided to them, whether for data analytics or targeted advertising. That technical understanding shows where consumer data is located throughout the enterprise, which category each vendor falls into, and whether “do not sell” requirements apply to that vendor.
One of the first questions asked on assessments is whether the organization has a data map and understands where consumer data is sent, both inside and outside the organization. An organization that is subject to the rules and complexity of privacy protection regulations must have a data map to understand where consumer data is sent. If one does not exist, a comprehensive review must be undertaken.
What is a data map?
Network administrators are familiar with the concept of creating network diagrams and maps to show network flows and traffic. Similarly, a data map exercise involves determining which people, processes, or technologies within the organization collect, use, store, or otherwise interact with or handle consumer data. Automated tools and manual mapping are two ways to build an accurate picture of what data the organization holds, where it is, and whether the data requires certain protections. Knowledge gathered from data mapping will identify specific data points, while also inventorying and tracking the way data is collected and flows throughout the organization. Moreover, data mapping serves as the initial building block to operationalize data processes.
Under the European Union’s General Data Protection Regulation (GDPR), a data map fulfills Article 30’s obligation that controllers “maintain a record of processing activities under its responsibility.” Information captured in the data map includes, but is not limited to:
- The type of consumer data collected/used
- How consumer data is processed
- Vendors with whom consumer data is shared and for what purposes
- Lawful basis for processing (under GDPR Article 6)
- International transfers and the conditions for transfer
- Retention periods.
How does a data map assist with compliance under the CCPA?
With the 12-month look-back provision, a consumer who makes a request on January 1, 2020 will have the right to access personal information dating back to January 1, 2019. This means businesses should have already begun record-keeping that coincides with the look-back date. Even though it is not statutorily required, it is virtually impossible to adhere to this requirement without some record-keeping protocols in place.
Along with tracking consumer data and giving consumers access to their personal information, upon a valid request, a business must provide the following under the CCPA:
- The categories of personal information collected about that specific consumer
- The categories of sources from which the personal information is collected
- The specific pieces of personal information collected about that consumer
- The business and commercial purpose(s) for collecting or selling personal information
- The categories of third parties with which the business “shares” personal information
- For personal information that is sold, the categories of the consumer’s personal information sold to what categories of third parties and the categories of the consumer’s personal information sold to each applicable third party
- For personal information that is disclosed for a business purpose, the categories of the consumer’s personal information that were disclosed.
Therefore, even though a data map is not statutorily required under the CCPA, a data map coupled with an inventory register will, as with GDPR compliance, assist with the CCPA’s look-back provision. When combined with an organization’s internal consumer rights processes, a data map can complement and complete the consumer disclosure and response handling process.
Under the CCPA, is the contracted vendor that interacts with consumer data considered a service provider or a third party? What qualifies as a service provider or third party? And, where it gets legally tricky because of the all-encompassing definition of “selling” data under the CCPA, who will be responsible for satisfying the rights of consumers?
Under the CCPA, if vendors or external parties are not categorized as either a “third party” or a “service provider,” an organization will not know how to respond to “opt out” or “deletion” requests, for example.
Should the organization add the “opt out” feature to its own website or direct consumers to the vendor or external party’s site? Also, how will an organization tell consumers which categories of personal information it sells or discloses to each category of vendors if the vendor type, or the category of vendors, is unknown?
For those who are familiar with the General Data Protection Regulation (GDPR), minor parallels can be drawn between “controller” under GDPR and a “business” under the CCPA, along with similarities between “processor” under the GDPR and “service provider” under the CCPA. The similarities should be taken lightly, yet do assist in designing an efficient and effective overarching privacy and governance program.
For instance, under the GDPR, a processor acts on behalf of the controller. Akin to a processor, a service provider under the CCPA is an entity that processes personal information on behalf of a business pursuant to a written contract.
A vendor or entity that does not qualify as a service provider under the CCPA is categorized as a “third party” when:
- No written contract exists between the business and the vendor
- A contract exists, but it allows the vendor to retain personal information beyond termination
- A contract exists, but it allows the vendor to use personal information (in any form) for its own purpose
- A contract exists, but it allows the vendor to make decisions about the disclosure of personal information.
Given the service provider disqualifications above, businesses should conduct due diligence across all arrangements in which personal information is collected, shared, or disclosed to determine vendor categorization. This will assist entities with satisfying the privacy rules that apply to each type of vendor relationship. It is assumed that regulations modeled on the GDPR and CCPA will have similar vendor requirements. With a firm understanding of the differing statutes, privacy governance programs can be designed to address the myriad compliance obligations by identifying and categorizing external vendors, defining the contractual relationship, and implementing processes that streamline compliance.
On the regulatory front, an even bigger issue can arise by running afoul of the Federal Trade Commission’s (FTC) deceptive trade practices provision. Enforcement can occur if, for example, the opt-out feature on an organization’s website does not work as expected. If the organization does not honor a consumer’s opt-out, the incomplete opt-out can be grounds for deceptive trade enforcement by the FTC. This scenario gives organizations an even stronger reason to translate privacy requirements into technical business realities.
Business processes and protocols differ among organizations. Engineering privacy into the enterprise rather than bolting it on afterward, also known as privacy by design, is imperative when it comes to data mapping and vendor categories. Privacy practitioners agree that privacy regulations will not go away and will only progress.
In sum, map data flows across the organization. Create a data processing register and manage relationships among vendors to aid in operationalizing privacy governance. If possible, take into consideration different regulatory perspectives that span cybersecurity and business to address current and prospective privacy compliance obligations.