Preparing Your Business for the California Consumer Privacy Act
The California Consumer Privacy Act (CCPA) is a recent law enacted by the state of California that will go into effect on January 1, 2020. It is intended to strengthen privacy protections for California residents. It's often compared to the European Union's General Data Protection Regulation (GDPR) but does not have the scope that the GDPR does. For instance, it does not create a broad new set of information security requirements.
The law generally applies to larger businesses, and there are certain benchmarks that a business has to meet before it's subject to the law. It is important to analyze these benchmarks carefully to see if the business meets them. Companies developing or buying artificial intelligence systems or robots may be covered.
CCPA does, however, have some privacy protections reminiscent of GDPR. For example, a California resident can ask a business that collects his or her personal information to provide access to personal information being collected. In particular, the business must disclose the categories and actual pieces of personal information collected. CCPA also gives California residents the right to ask a business to delete personal information being collected about them, with some exceptions, as well as the right to opt out of the sale of personal information by that business to someone else.
When is it Time To Comply?
CCPA doesn’t come into effect until January 1, 2020. You may be tempted, from a corporate standpoint, to defer work on compliance until that point. The problem with that is, if your company is handling personal information, you will need to go through a process to understand what kind of personal information you have. You need to understand how it's being used, how it flows through your company, who it’s shared with, how long it’s retained, and how it is archived or deleted. Doing this due diligence will take time. If you wait until January 1st to start on the process of CCPA compliance, you will be out of compliance as soon as January 1st rolls around. It makes business sense to proactively look at the California Consumer Privacy Act right now to figure out what you need to do to comply and to start that planning process now.
Look-Back Clause
In addition, CCPA says covered businesses have to disclose to consumers upon request information about personal information that has been collected about them in the 12 months before the request; that's called a look-back clause. Companies disclosing information once CCPA takes effect need to have had records of personal information being kept about individuals starting from January 1, 2019. In other words, some of the information being collected today might be something that has to be disclosed to a consumer next year when the law goes into effect. Consequently, businesses covered by CCPA should be creating records management procedures to manage personal information today so they can make the required disclosures next year.
GDPR and CCPA
Many companies may need to comply with both GDPR and CCPA, especially if they're collecting personal information about both European and California residents. They don't exactly align with each other, so they need to be examined and accounted for individually. Companies that find it easier to provide a single level of protection across their entire customer base will still need to incorporate elements from both if they plan to sell into both territories. It’s possible to incorporate a singular plan that covers both; it just requires proper research and planning to do so. That said, GDPR is broader than CCPA. GDPR has security protections, for example, and talks about data protection officers and exporting personal data from one country to another. It’s very important to delve into the contents of both to understand the big picture of compliance.
Special Considerations for AI, Robotics, and CCPA
Companies need to understand that they may be subject to CCPA if they're collecting “personal information” (California law uses this term) from or about residents. “Personal information” is very broadly defined in the law. The definition starts with a broad catch-all, saying that personal information is information that identifies or relates to a particular California resident or household. The legislature also provided a long list of examples, including:
The typical identifiers we use to tie personal information to individuals, such as name, address, email address, phone number, social security number, or driver’s license number.
IP addresses.
Race, national origin, religion, and other protected classifications under federal or California state law.
Biometric information, such as facial recognition information, fingerprints, and iris scan information.
Geolocation data.
Audio, electronic, visual, thermal, olfactory (smell), or similar information, such as sound files, photos, and videos.
Professional or employment-related information.
Behavior and preference information.
Covered businesses collecting such personal information need to provide privacy rights to California residents, even if that business is located outside of California.
This broad definition of personal information should concern manufacturers and developers of AI systems and robots, as well as their customers, because of the huge quantities of data they may be collecting and the broad variety of that data. For instance, AI developers may need the data for training their neural networks. AI companies using facial recognition are collecting covered biometric information. AI systems that sort through resumes to assist recruitment are collecting employment-related information.
AdTech AI companies may use identifiers to direct marketing messages. They may also collect and review geolocation data and look at IP addresses to determine location. In addition, they may be analyzing behaviors and preferences.
Likewise, companies selling or buying robots may be collecting video or audio data about people near the robot. Robots with cameras and microphones are capable of collecting such data. These companies may not even be aware of the data being collected by their robots.
California Data Laws: More Than Just Privacy
One of the things that other legal professionals may not talk about is the interrelationship between the California Consumer Privacy Act and older laws in the state of California. There are previously passed laws in the state of California that protect the security of information in specific categories. For example, California law requires security protections for sensitive personal information, such as driver's license information, social security numbers, and payment or financial information. And when a security breach compromises these categories of personal information, the business sustaining the breach must notify affected California residents.
In other words, CCPA works within an existing framework of California laws that already deal with privacy - digital and otherwise. CCPA adds additional privacy rights to existing California laws regarding security. Therefore, when businesses collecting personal information look at CCPA in view of previous California laws, California law begins to resemble GDPR when it comes to end-user protections of sensitive personal information.
How SVLG Can Ensure Your Compliance
SVLG helps clients by assisting them in identifying which laws apply to their specific situation. We work with a client’s data protection team to understand their compliance objectives based on what their business does and the kinds of personal information they handle. We help create privacy and security policies and procedures in a privacy program to document how the client collects, protects, stores, uses, and shares (as applicable) personal information in compliance with the law. Once compliance needs and business objectives are clear, we can help a client manage a privacy and security program. Day to day, we can draft contracts that cover data protection when the client is selling its products or services, or obtaining products or services from vendors. We can also help negotiate those contracts on an ongoing basis with customers and vendors. We are often negotiating privacy or security exhibits that are part of larger agreements. Also, our firm can help to reduce the legal risk associated with data protection. Should a data breach occur, we can assist in any investigation, incident response, and the mitigation of harm from a breach, as well.