Small business owners must take steps to safeguard personal Information.
Editor’s note: This is the second part of a two part article. The first part entitled, The Impacts Of CA Consumer Privacy Act (CCPA) covered the Personal Information (PI) Definition and The Eight Consumer Rights on data collection.
Small businesses will have to address eight specific consumer rights, observe restrictions on data monetization models, and update their privacy notices about their data handling practices. The law goes into effect January 1, 2020 and failure to comply could result in penalties that could cumulatively be materially significant. These are the eight corresponding obligations,
The Eight Corresponding Business Obligations
In order to satisfy the above consumer rights, enterprises have a set of corresponding obligations. Upon successful verification of a request, the companies must respond as follows:
1. Obligation to Respond to Abbreviated Disclosure Request:
The business must disclose and deliver the categories and specific pieces of PI collected in the preceding 12 months free of charge within 45 days.
2. Obligation to Respond to Expanded Disclosure Request.
Again, all requested information must be provided free of charge within 45 days of receiving the verifiable request (unless an extension of an additional 45 days is obtained). Disclosure must be in writing and delivered through the consumer’s account if such account already exists, or via postal mail or electronically at the consumer’s option in a readily-usable format that allows the user to transmit this information from one entity to another without hinderance.
3. Obligation to Respond to Request for Information from Businesses that Sell or Disclose PI for a Business Purpose.
The company must create two separate lists covering PI over the past 12 months: PI sold; and PI disclosed for a business purpose. The information must be provided free of charge within 45 days. In addition, businesses must provide two or more designated methods for consumers to submit requests, including a toll-free number and, if the company has a Web site, a Web site address.
4. Obligation to Respond to Opt-Out of the Sale of Data.
Once the request has been verified, the business must stop selling the consumer’s data for at least 12 months. After the opt-out period ends, the consumer must submit another request.
5. Obligation to Respond to Obtain Opt-In Consent for Children.
This applies to children under the age of 13. (GDPR opt-in, by the way, is for children under the age of 16.)
6. Obligation to Respond to Deletion Requests.
The 45-day rule applies here as well, as does the requirement for two or more designated methods for submitting requests.
7. Obligations to Respond to Requests for Access and Portability.
Within 45 days the enterprise must disclose and deliver free of charge the requested information via postal mail or electronically in a readily-usable format. An enterprise is not required to provide PI to a consumer more than twice in a 12-month period.
8. Obligation Not to Discriminate Against Consumers Exercising their CCPA Rights.
While the business must comply with their non-discrimination responsibilities, they are allowed to charge higher prices or rates provided there is a different level or quality delivered. Financial incentives are also acceptable as along as consumers are notified of their existence and clearly described.
Currently the penalties do not kick in until July 2020, which gives enterprises a little more time to become compliant.
By then the CCPA provides an actionable right for any consumer whose non-encrypted PI is subject to an unauthorized access, exfiltration, theft or disclosure as a result of the business’ failure to implement and maintain reasonable security procedures and practices.
Consumers may recover damages not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater. Additionally, they may seek injunctive or declaratory relief and/or any other relief the court deems proper.
So, for example, if the Facebook breach of last September were of 50 million California residents (vs. global), the firm would have an exposure between $5 billion and $37.5 billion for failing to comply with CCPA only, never mind other privacy regulations that may apply.
Other States Chiming In
California is not the only state working on PI legislation.
Other states have introduced CCPA-derivative legislation, including Hawaii, Maryland, Massachusetts, New Mexico, and Rhode Island. Additionally, states like New York have introduced bills similar to but not replicating CCPA. Washington, on the other hand, is working on a privacy bill modeled after GDPR. On top of this, the federal government is deliberating its own privacy act, which could limit or end state-by-state fragmentation or just be another hurdle for enterprises to reckon with.
No matter how this plays out, businesses will have to comply with a patchwork of privacy regimes – domestically and internationally.
There are still amendments being proposed that could modify the CCPA by the time it takes effect.
Those interested in keeping track of the changes can go to CCPA Amendments Trackerto get the latest information. It is clear that compliance with privacy of PI is going through a major period of flux, which will require firms to address the problem holistically – not legislative action by legislative action.
Furthermore, regardless of what the laws state, the real interpretations of various sections of these laws will not occur until several lawsuits are adjudicated by the courts.
Compliance with the patchwork quilt of privacy laws will not be an inexpensive endeavor. Business and IT executives must understand the business obligations created by CCPA and the other privacy laws and determine the budgetary requirements needed to comply with each of the consumer rights and associated business responsibilities.