When it comes to the internet, the online collection, use, and disclosure of personal data has become the rule, rather than the exception. Personal data is being collected and used by online providers in a myriad of ways, and for companies in the United States, such practices have been subject to only limited disclosures of their data collection and usage practices. Times, however, are changing. In 2016, the European Union adopted the General Data Protection Regulation that fundamentally updated data privacy practices in the EU (as I have written about most recently here and here). The United States, unfortunately, has yet to enact such comprehensive legislation federally. The states, however, may be forcing change, and California is relating the change with the California Consumer Privacy Act (CCPA). CCPA compliance, however, is not without its pitfalls, and it’s easier to slip into these traps than you may think.
By now, most of you have heard about the CCPA. Enacted in California in 2018, the CCPA created a plethora of enumerated consumer rights regarding access to and control over California residents’ personal information as collected by businesses covered by the law. More specifically, the CCPA gives California residents the right to (i) know what personal information is being collected, used, shared, or sold about them, (ii) know whether and to whom their personal information is sold or otherwise disclosed, (iii) access and review their personal information, (iv) opt-out of the sale of their personal information, and (v) non-discrimination in the level of service and pricing despite exercising any of their privacy rights. Such responsibilities under the CCPA, however, only apply to those businesses that meet one or more of the following criteria: (a) gross annual revenues in excess of $25 million; (b) buy, receive, or sell the personal information of 50,000 or more consumers, households, or devices; and/or (c) derive 50 percent or more of annual revenues from selling consumers’ personal information.
The reach of the CCPA cannot be underestimated — businesses outside of California are not necessarily outside the scope of the CCPA. More specifically, to the extent a business collects the personal information of California residents and meets the any of the requirements set forth above requirements, it is likely subject to the CCPA requirements. Why? Because the focus of the statue is to protect the rights of California residents. Although a California statute, the extent of its reach becomes clear — for example, a business based in New Jersey that does business online with California residents and otherwise meets any of the business qualification elements set forth above will need to comply with the CCPA. Given the size of California’s economy (which has been ranked as fifth-largest in the world) and the extent of business contacts to that state, some could argue that the CCPA operates as a de facto federal law. Moreover, the CCPA also confers a private right of action to affected consumers against companies that violate the law, providing for statutory damages between $100 and $750 or more if such damage can be proven (all in addition to any declaratory or injunctive relief). In sum, the reach of the CCPA is extensive.
Given the scope and reach of the CCPA, it comes as no surprise that most companies in the United States that do business with California residents and meet any of the qualification criteria are scrambling to comply. Such compliance, however, is not an easy proposition — care must be taken to address the nature of disclosures as well as the architecture necessary to respond to requests from consumers to know, delete, and opt-out within specific timeframes. This has led to a ton of questions regarding the fit of existing practices as well as the changes otherwise necessary for a business to comply with the CCPA. Although there is precious little guidance given the statute only became effective on January 1, 2020, the potential pitfalls that need to be navigated for CCPA compliance are far easier to identify. Here are three of the biggest issues to traverse regarding CCPA compliance that will require your company (or client) to tread carefully:
Being GDPR Compliant Does NOT Mean Your Company Is CCPA Compliant. It may come as a surprise to some, but GDPR compliance does not guarantee CCPA compliance. In fact, your company (or client) may have additional obligations under the CCPA. For example, the CCPA definition for “personal information” is actually more expansive than the GDPR. This difference alone may impact the data mapping that was performed under GDPR compliance efforts and whether additional qualifying data under CCPA is properly inventoried so the appropriate disclosures can be given. GDPR compliance is definitely a good thing, but simply does not guarantee CCPA compliance.
Compliance Favors The Turtle, Not The Hare. Given the scope of the CCPA, it’s easy to get caught up with moving as quickly as possible toward compliance. Although it’s good to grab the CCPA bull by the horns, ensuring the proper steps are being taken to achieve compliance is extremely important. The CCPA cannot be enforced by the California Attorney General until July 1, 2020, so at least there is time to achieve compliance without the threat of an enforcement action in California. That said, the dragging of feet is not an option either — determine where your client (or company) currently stands with regard to the CCPA-defined “personal information” it collects, how such information is collected, stored, handled, and disclosed and whether current policies meet those requirements. Be methodical. Remember: Slow and steady wins the (compliance) race.
Right To Be Forgotten Does Not Mean Forget Your Policy. This point is worth stressing — too many companies fail to recognize that data privacy is an ongoing process. Once the policies implemented by your company (or client) have been updated to address CCPA requirements, those policies must not be set in stone. The CCPA may give the consumer the right to delete personal information held by businesses (or their service providers), but this “right to be forgotten” does not extend to the privacy policies of your company (or client). Revisit these policies on a regular basis to update them based upon guidance from enforcement actions, newly promulgated regulations or potential modifications to the statute.
Of course, the foregoing pitfalls aren’t the only ones, but are illustrative of the point that companies need to be methodically proactive in their CCPA compliance. The CCPA is forcing qualifying companies to take stock of consumer personal information in different ways than they may have previously done. Such companies need to address and update their personal information handling practices, but should do so carefully. There is a lot to consider regarding CCPA compliance, and any other approach may be a risky move. So take heed: it will be far easier (and less costly) to avoid these pitfalls than help your company (or client) to climb out of them.
Tom Kulik is an Intellectual Property & Information Technology Partner at the Dallas-based law firm of Scheef & Stone, LLP. In private practice for over 20 years, Tom is a sought-after technology lawyer who uses his industry experience as a former computer systems engineer to creatively counsel and help his clients navigate the complexities of law and technology in their business. News outlets reach out to Tom for his insight, and he has been quoted by national media organizations. Get in touch with Tom on Twitter (@LegalIntangibls) or Facebook (www.facebook.com/technologylawyer), or contact him directly at tom.kulik@solidcounsel.com.
Jordan Rothman is a partner of The Rothman Law Firm, a full-service New York and New Jersey law firm. He is also the founder of Student Debt Diaries, a website discussing how he paid off his student loans. You can reach Jordan through email at jordan@rothmanlawyer.com.
Kathryn Rubino is a Senior Editor at Above the Law, and host of 
