This article originally appeared in the San Francisco Business Times.
At an October 1st panel hosted by the San Francisco Business Times, President, Pacific Rim, Jason Cieslak joined Jim Snell, partner at law firm Perkins Coie, to discuss the oncoming impact of the California Consumer Privacy Act (CCPA) and the impact it will have on businesses, brands, and legal strategies in 2020 and beyond.
When Will CCPA Take Effect?
Snell: By its terms, on January 1, 2020, just three months away. This is a watershed moment in US privacy history. There has not been a US privacy law to date that is as comprehensive as the CCPA or that applies to as much data as the CCPA does and that gives consumers rights that the CCPA does. Although the law goes into effect in January, the attorney general is not able to enforce the statute until six months after the regulations are finalized, or at least until July 1, 2020, whichever comes sooner.
Collaboration among the AG’s office, privacy proponents, businesses, and legislators has been really invigorating over the last year. There haven’t been as many fixes as we hoped there would be, but it has been a very professionally rewarding experience to be collaborating with so many different stakeholders.
Cieslak: When we consider the importance of CCPA from a consumer standpoint, it’s long overdue. We’ve neglected data and privacy rights for consumers for so many companies that have come out of this state, and it’s about time that California took the lead in the US as far as trying to get this right. But I don’t believe everyone is going to be ready. We aren’t seeing a lot of brands actively talking about CCPA. We see news coverage, but not enough action to make us think that when January 1 comes these brands are not going to suffer some hiccups.
What constitutes personal information?
Snell: Personal information is defined relatively broadly as information that’s reasonably capable of being associated with a consumer whether it’s hard copy, electronic, or collected from other sources. Inferences drawn from personal information to create a profile about a consumer are also defined as personal information. There are other categories like IP addresses, device identifiers and biometric information. There’s a list of 11 categories of specific types of information that can be personal information if reasonably capable of being associated with someone. So it casts a pretty wide net.
Snell: A business, defined by the statute as a for-profit entity that collects consumers’ personal information and does business in California, is covered by the statute if it has gross revenues above $25 million, derives 50% of its revenue from selling consumers’ personal information, or shares or receives for commercial purposes the personal information of 50,000 or more consumers, devices or households.
There’s still a question about how much of that activity has to take place in California. We’ve noticed that the thresholds, as applied to some businesses, can be relatively low, so I think more businesses have been swept in than originally intended by the statute. Most companies do business in California, and the sale of personal information has been defined to include a transfer for “valuable consideration” or money. So brands are seeking guidance about what valuable consideration means in that context, and whether the CCPA will apply to them.
What can companies learn from the introduction of GDPR last year?
Snell: The big takeaway is that if your business lived through the GDPR, CCPA compliance is going to be easier. But it’s not a one-to-one relationship: You still need to look under the hood and figure out the differences between the two. If you didn’t live through the GDPR, you’re starting from square one, and it’s going to be more difficult.
I also think we may be on the cusp of a potential legal supply and demand problem with CCPA. We saw this with the GDPR where the demand for legal services to help companies comply became really acute a couple months before the GDPR went into effect, and there came a point where outside counsel needed to say, “We’ll talk to you after May 28. We can’t get to you before the GDPR goes into effect.” We haven’t seen that yet with CCPA, but one of the things that keeps me up at night is worrying about the demand for legal services to help comply with CCPA exceeding the supply of outside lawyers who can help do that.
Do you see any unintended consequences of CCPA?
Snell: Generally speaking, you want to be transparent, and you don’t want the consumer to be surprised. But this is an extremely bumpy road that we’ve started to venture down with all of the ambiguity in the CCPA and I think it may indeed have unintended consequences. It’s very expensive to comply with this confusing new law, and I do think that there will be a very real cost to innovation and a higher bar to companies being able to enter markets as CCPA begins. Also, some of the folks that will be impacted by the CCPA are small creators posting videos from their home and making money off an advertising revenue model. The CCPA threatens to stifle the creativity and income that they can generate.
Cieslak: One thing that I look at is ad tech. That’s an industry that most consumers don’t fully understand too well, but it’s been pretty pervasive in California. I also think a lot of start-up companies will have to bump into CCPA if they continue to grow. Once anyone gets over that $25 million in revenue, or one of the other thresholds, they will suddenly have to face an expensive degree of compliance. It seems like bigger companies tripped the wire for privacy regulation, but the impact of CCPA and other regulations will sweep across many different industries. It won’t just hit the big players.
Snell: The CCPA identifies several consumer rights. There’s a right to know what personal information is collected about consumers and how that personal information is used. Consumers will also have the right to request deletion of certain pieces of personal information. Consumers will be able to request that their data not be sold, and there’s a right not to be discriminated against when they exercise those rights. Brands will need to update their privacy policies and notify consumers of these rights, and set up infrastructure to respond to consumer requests to access and delete information.
There are also some potential threats to brands that are baked into the statute. One piece that I worry about is the right to request information. These requests have to be verifiable, but the term “verifiable” isn’t well defined in the statute. One of the issues I raised with the attorney general is that we should expect scammers may try to abuse these personal information requests. So we’ve asked the attorney general to provide regulations and safe harbors so a company can say, “If I get information in this sort of way, that’s a safe harbor,” or, “If I can’t verify somebody’s identity, I don’t need to turn their information over,” so that companies and consumer data aren’t at risk.
Who advocates for the consumer under CCPA, and what happens if companies fail to comply?
Snell: The attorney general of California will have the ability to enforce the statute against violations. There’s also a limited private right of action for individual consumers to bring claims related to certain categories of data breaches where a consumer can show reasonable security wasn’t put in place by a business. So there is an ability for consumers in those instances to file private litigation, but otherwise the AG is the one in charge of enforcing the statute.
Cieslak: One of the areas I hope that California invests in is consumer education. It’s incumbent on the state to have some sort of role in educating consumers of the new rights and powers they have. If they are not proactive in doing so, a lot of consumers could miss rights and powers now available to them, and what I think is the real intent behind CCPA. Changing consumer behavior is hard. We have to process a million and one things every day. Nobody wants to carve out time to deal with brands on a one-to-one basis to see what data they are collecting. So, it’s important for the state to be proactive to find ways to empower consumers and educate them about their rights and what this new law means.
What opportunities could CCPA represent for brands?
Cieslak: My hope is that brands will recognize the opportunity to do more than just send an email that says “We’ve updated our terms and services.” Organizations have an opportunity to take a consumer advocacy approach to this as opposed to one in which they are trying to conceal the information they’ve been gathering. When a user says that they want to review or delete their data, for example, who will that request go to?
They could be cut out of the ecosystem right there, or they could be directed to customer retention. They need to reach someone who can tell them why their data is being collected, and what experiences the brand is using that data to create. It’s experiences and interactions like this that define how we think about brands. When you walk into a Starbucks, when you walk into an Apple store, when you buy something on Amazon, millions of dollars are invested in creating that exact moment of your brand experience. If brands look at CCPA with an eye towards “How do we use this compliance as a means of changing our experience for the better?” versus “How do we comply?” they will gain and retain the trust of their customers and users.
How can brands best communicate how CCPA will change their customer experience?
Cieslak: Brands need to deliver a sense of clarity in a moment where people feel like they don’t understand the choices and rights they’re being presented with. It’s very difficult for large corporations to make complex subjects simple. So how a brand introduces this to its users may determine whether consumers trust them with continued use of their personal information. Is the message simple? Is it clear? Do I feel empowered? These are the questions that brands ought to be considering relative to compliance. A lot of consumers are going to find themselves in the cross hairs, choosing how much information to share and delete, and how brands choose to handle CCPA compliance is going to matter. If they take the time to invest in delivering those moments in an educational way, some brands stand to benefit from CCPA. In contrast, the brands that are just looking to sweep it under the rug, though, will do so at their own peril.
What you need to do to get ready for CCPA
Map your data
It’s critical for CCPA compliance to understand what data your organization is taking in, where it’s going and who it’s being shared with. If you don’t know where your data is, it makes it difficult to chart CCPA compliance steps.
Create infrastructure to manage data and data contracts
Consumer information requests, deletion requests, and “do not sell my information” requests all require infrastructure to manage the personal data that you collect. Build it in-house if you have the time, or hire an outside team with software building expertise to help.
Consider alternative business models and California-only sites
Companies who find data management to be too expensive could move away from selling or collecting personal information in order to avoid CCPA compliance issues. Alternatively, creating California-only websites could compartmentalize the regulation’s impact on your company.
Provide methods for submitting data access requests
These will be requirements under the law, so that consumers can see what data is being collected and sold.
Provide clear and conspicuous “do not sell my personal information” options
Consumers will be allowed to request this under the CCPA, and making it easy for consumers to do so is the best way to avoid CCPA violations for businesses who sell information.
Fund and implement identity verification for personal information requests
One threat facing companies under CCPA is fake information requests made by scammers. Simple, hard-to-falsify identity verification and security measures can help combat this threat.
Decide whether to comply only in California, or everywhere you operate
CCPA is likely to impact regulations in other states, if not inspire federal legislation. Creating broader privacy infrastructure could minimize the cost of updating.
Secure legal assistance if you need it
In the run-up to GDPR, the sudden rush for legal assistance tied up so much of the legal community that companies found themselves without advice as the regulation was implemented. If you need assistance, it’s best to secure it as soon as possible.