Commonly Asked Questions & Responses on Implications of CCPA
CCPA is here, but there are still questions on how it applies

On January 1, 2020, all eyes were on California as the State granted data privacy rights to its resident consumers. The major push behind this was the need to protect the California consumers from unauthorized use of their personal data, which had been collected by many internet-based companies and companies that make it their business to buy/sell consumer data for marketing purposes.

The studies have found that under 25 percent of the companies subject to CCPA were actually ready in some form to process requests from California Consumers with access to their person data held by various organizations.

There are still many confusions on whom CCPA really applies—particularly how it compares to existing data privacy laws applicable to financial and healthcare organizations that are already under strict data privacy and compliance regulations. Add to it, the complex calculations around the thresholds for companies subject to CCPA regulations.

The matter that made the compliance a bit more complex was whether the adoption of GDPR by many large, mostly internet-based companies would make it already compliant under CCPA since a large part of CCPA was adopted from GDPR [with the exception of penalty clauses].

Many Companies subject to CCPA are still non-compliant even after the law first went into effect in January 2020 and later updated with clarifications in July 2020—dubbed as CCPA 2.0. Exposure for penalties are increasing.

Based on our internal research and having worked with many law firms specializing in data privacy, we provided responses to some of the most common questions perplexing organizations subject to the CCPA thresholds. The responses be low are general guidelines and not to be taken as a legal advice as application of CCPA laws may have different intentions for different organizations.

Here are the most commonly asked questions and responses

Does the CCPA apply to everyone?

The CCPA has an extraterritorial reach. It applies to businesses that collect personal information from California consumers and do business in California for profit or for the financial benefit of shareholders in California and meet one of three minimum thresholds, regardless of whether they have an office or any other physical presence in the state or not.

Who can request privacy data from companies?

Any California consumer is a natural person who is in the state other than temporarily, or a person who is out of state who lives in California.In other words, this includes California residents while they are traveling in other states or worldwide.

Does it apply to businesses outside of California?

Yes. You don’t have to have an office, employees, or other presence in California. The CCPA applies to any business that is doing business with Californians, such as from a website. You don’t even have to be in the United States

Does the CCPA apply to B2B?

There is a one-year exemption in place for personal information obtained in business-to-business communications and transactions. Information obtained by a business through a communication or transaction with a California resident who is acting for another business occurring “solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from” the other business is exempt until January 1, 2021.

What are the thresholds/requirements of CCPA?

The CCPA has three thresholds businesses must meet in order to fall under the statute. To be within the scope of the statute they must fall under one of the following situations:

Have in excess of $25 million in annual gross revenue or Buy, receive for commercial purposes, sell, or share for commercial purposes, the personal information of 50,000 or more consumers or households or Derive 50 percent or more of their annual revenue from selling consumers’ personal information.

As a result, small businesses in large part are exempt from compliance, and businesses do not need to collect information directly from California consumers to be covered. If consumer data is collected on their behalf by a service provider or other third party and the other criteria are satisfied, businesses could fall under the statute.

If the company doesn’t meet those thresholds, does it still need to comply?

It may still need to comply. For example, if a company has a contract with a business covered by the CCPA, that business may have terms requiring the contracted company to be in compliance.

For example, if a large company subject to CCPA shared private information about its consumers with a smaller company not subject to CCPA, the small company still needs to comply with the requests it receives from its large customers. These mostly involve data deletion requests for components that are deemed to be nonbusiness transactions.

What does a small business need to know about CCPA?

There are four main points that small businesses need to be familiar with. They are:

  • Selling consumer data: The CCPA focuses on consumer data and what a business can do with it – particularly if a business sells this data to others. In such a case, businesses must allow consumers to choose not to have their data shared. That means that businesses may need to be able to identify what data can be shared, and what cannot, according to consumers’ privacy choices. Businesses that share consumer data must prominently post a “Do Not Sell My Personal Information” link on their homepage that will direct users to a web page enabling them to opt out.
  • Consumer Data Requests: Businesses are required to identify and provide upon request all collected information about a California consumer, along with all parties the data has been shared with. Businesses are required to give at least two methods for submitting requests, including a phone number and website address if applicable. Consumers also have the right to request the deletion of their data. You have 45 days to comply with data requests.
  • Privacy Policies: Businesses must update their privacy policies (or include a California-specific section) to identify the new rights afforded by the CCPA, identify the categories of personal information that the business has collected, identify commercial reasons for collecting this data, and identify the categories of data sold to others, if any.
  • Minors: Businesses must obtain parental or guardian consent for minors under 13 years and the affirmative consent of minors between 13 and 16 years prior to selling data.

Does the CCPA apply to Financial Institutions?

No, not generally. CCPA does not apply to health providers and insurers already under HIPAA, banks and financial companies covered by the Gramm-Leach-Bliley Act, and credit reporting agencies (Equifax, TransUnion, etc.) that are under the Fair Credit Reporting Act.

However, there are circumstances where non-customer information retained for marketing purposes will be subject to CCPA since they are not considered business transactions.

What about non-profit organizations? Must they comply with CCPA?

A business that is not for profit, such as a governmental or 501(c)(3) charitable organization, is exempt from the CCPA.

What happens if I don’t comply? Are there fines and penalties?

If data is compromised, CCPA includes a private right of action for consumers with penalties up to $750 per consumer per violation, but only where the business failed to use “reasonable practices and procedures” to avoid the breach.If the data isn’t “sensitive” or PII, is it still subject to the law? The CCPA governs consumer’s rights with regard to various aspects of their “personal information.” Under the law “personal information” is not necessarily restricted to traditional notions of “sensitive information” or “personally identifiable information.”

If the data is anonymized or non-identifiable, does the regulation still apply?

In most cases, the answer is no. The statute says expressly that it does not restrict the use of deidentified data. However, the definition of deidentified data in the statute hinges on—among other things—technical safeguards to prohibit reidentification. As technology capable of reidentifying consumers advances, such safeguards may become elusive.

Do I need to stop sharing/selling/transferring data with other companies?

This is largely an unexplored area. However, the statute is built upon consumers’ rights, not blanket bans. Companies subject to the CCPA need to be able to comply with the requests that the statute empowers consumers to make.

Do I need to permanently delete data from everywhere if asked by a consumer?

With some narrow exceptions, companies subject to the CCPA that receive a verifiable request from a consumer to delete the information that the consumer is entitled to have deleted must comply with the request and delete the consumer’s personal information from the company’s records.

With that said, there are many exemptions in the law and their interpretation by companies that may limit the amount of data to be deleted. For example, business transactions are exempted from deletion under the law. However, some aspects of that may need to be obfuscated.

What steps must a Company take to make it easy for consumers to request data deletion?

A company subject to CCPA must make available two or more designated methods of submitting such requests, including—at minimum—a toll-free number and a website address (for those businesses that maintain a website).

How do I verify a consumer request?

The California Attorney General is tasked with developing regulations to articulate at a later time, but there are many approaches to this—including ready-made solutions by companies, such as LexisNexis, Experian and alike as well as internal data which may be used to validate a consumer’s identity.

Will our privacy policy need to change?

It depends on what is currently in your privacy policy, but the CCPA does have requirements for a privacy policy.

I’m compliant with GDPR, do I need to do anything new for CCPA?

The CCPA and GDPR are similar in many ways, but there are several areas where the CCPA is more specific than those of the GDPR and where the GDPR goes beyond the CCPA. Of course, the CCPA applies to California consumers (individuals and households), where the GDPR applies to European citizens (individuals). If I complied with the GDPR, then have I complied with the CCPA? Likely not. The CCPA requires some additions to your Privacy Policy that may be different from what the GDPR requires. The CCPA also requires certain language on your website if you sell consumer data. Penalties for non-compliance are assessed differently, and there is no private right of action under the GDPR.

How can companies prepare now?

If you have not started the process yet, you are not alone. There are many companies that are still going through the notion. For example, HIPAA was put into effective 20 years ago. There are still companies that will barely pass a HIPAA inspection.

With that said, there are many ways of complying. The important thing to remember is that depending on your CA consumer base and the level of complexity in your IT organization, there may be practical solutions that get your organization to comply quickly. The key intention of the law is to protect CA consumer’s data—not necessarily create additional prohibitive cost burden to businesses.

If your business is small, outsourcing a bulk of the work to come into compliance may make the most sense. Also consider hiring a Data Privacy Officer to oversee compliance.

For most businesses, the greatest fear is the third-party problem. The responsibility for whatever privacy efforts are done by your third-party partners and supply chain – even your customers – are now all on your head. You now have the problem of whether they are in compliance.

Are there any upsides for companies in compliance – besides avoiding fines?

Yes. Companies who make a commitment to compliance are proactively protecting their reputation and strengthening customer trust.

More importantly, you will be teaching your organization on the required accountabilities under the law while you are running the business. You should basically look at this as a way to protect your most important assets—which are your customer’s personal data.

About the Author:

Refik Ongun leads the Data Privacy & Regulatory Compliance Practice at Exavalu. He has worked with many companies on their data privacy requirements and has enabled them with solution design approach with concentrations in GDPR, CCPA, HIPAA, GLBA, APP, PEPIDA and LGPD among others. He has an in-depth understanding the regulations and has worked effectively with inside and outside counsels to minimize non-compliance risk.

Exavalu is your strategic partner on high-impact Digital transformation relevant for your Industry. We’re a unique Business Advisory & Technology Consulting firm run by seasoned Industry veterans that are former executives, CIOs, CXOs, and Consulting Principals. We deliver meaningful change and sustained value aligned with your desired business outcomes leveraging our Industry experience and Solutions capability.