Enjoy our rendition of 'Twas the Night Before Christmas Earnings.
What does the CCPA have to do with my IR website?
As mentioned above, the CCPA governs how organizations use personal information of California residents, even if the organization itself is not located in California.
Since your IR website collects personal information from website visitors, shareholders, or investors in California, such as names, email addresses, job titles, IP addresses, cookie identifiers, search history, or log information, you may likely have to comply with the CCPA and its many obligations.
The California Attorney General can fine organizations $2,500 to $7,500 for violations of the CCPA.
Further, California residents have a private right of action in the case of data breaches. In other words, California residents (and plaintiffs’ attorneys) can file civil lawsuits, including class actions, for statutory damages between $100–$750 per consumer per incident or actual damages, whichever is higher. That means you may be liable for data breaches, even if there is no real harm. To make matters worse, California accounts for approximately 50% of all class actions lawsuits in the United States.
What is the CCPA?
The CCPA is the California Consumer Privacy Act (the “CCPA”), which passed on September 23, 2018, and goes into effect on January 1, 2020. However, personal information collected since January 1, 2019 is also within scope of the CCPA.
The CCPA governs how organizations collect, use, store, or otherwise process the personal information of “consumers,” regardless of the organization’s location.
The CCPA defines the term “consumer” as any California resident, including those that are B2B contacts, investors, or shareholders. We will use the term “consumer” and “California resident” interchangeably herein.
For example, if a company in Minnesota collects the personal information of California residents, the CCPA may apply to that company, even though it is located outside of California.
Who is responsible for CCPA compliance?
The CCPA applies to three types of entities: (1) “businesses,” (2) “service providers,” and (3) “third parties.” Each term is defined within the CCPA and discussed below.
Businesses have the vast majority of obligations under the CCPA.
- That has annual gross revenues of over twenty-five million dollars ($25,000,000).
- Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in conjunction, the personal information of 50,000 or more consumers, households, or devices.
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
You may think you don’t “sell” any personal information.
However, “sell,” “selling,” “sale,” or “sold” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
So, it’s very broadly worded! For example, if your website uses retargeting or other advertising cookies or pixel tags on California consumers, this is likely considered a “sale” under the CCPA.
Finally, if you satisfy the above definition of “business,” the entities that you control (or control you) are also considered businesses, provided that they share common branding with you (i.e., shared name, servicemark, or trademark).
2. Service providers
The CCPA also applies to “service providers.” Put another way, even if you don’t fit the definition of “business,” the CCPA applies to you if you are a vendor that provides services to businesses.
A “service provider” is any entity, wherever located, that processes personal information on behalf of a business for a “business purpose.”
Like with the GDPR, a written contract must be entered into between businesses and service providers. This contract must expressly state that the service provider:
- Processes the personal information for a “business purpose”;
- Will not retain, use, or disclose the personal data for any purpose other than for the specific purpose of performing the services specified in the contract;
- Will only use the personal information within the “direct business relationship” with the business;
- Will not “sell” the personal data; and
- “Certifies” that it understands its contractual restrictions and will comply with them.
So, whether you’re considered a “business” or “service provider” under the CCPA, you should make sure the data processing addendums you created for the GDPR are updated accordingly. If you weren’t subject to the GDPR, you should put together appropriate amendments in your Master Services Agreement or Terms of Service that account for the CCPA.
3. Third party
A “third party” is any entity, wherever located, that is not:
- A business that collects personal information from consumers;
- A service provider; or
- Any other recipient of personal information that has contractual restrictions similar to those between businesses and service providers.
The definition of “third party” is unclear in practice and adds more complexity to an already demanding statute.
However, a “third party” has a special restriction: it cannot “sell” personal information that was sold to it by a business unless the consumer has received an explicit notice and a chance to opt out of a sale (more on this below).
What do I need to do for my IR website to be CCPA compliant?
If you’re a business, you have numerous obligations under the CCPA relating to your IR website. You have to:
1. Understand your data flows.
A core goal of the CCPA is to bring transparency to the consumer about the personal information collected and disclosed about her.
In order to comply with the CCPA, businesses need to know the sources from which they collected their personal information and to whom they disclosed that personal information, including to any vendors or other organizations.
- The categories of personal information you have collected, sold, or otherwise disclosed about that consumer within the preceding 12 months;
- The categories of sources from which the personal data is collected;
- The business or commercial purpose for collecting or selling personal information;
- The categories of third parties with whom the business shares personal information;
- The specific pieces of personal information the business has collected about that consumer; and
- A description of a consumer’s right to access, delete, or opt out of the “sale” of that consumer’s personal information (and how that consumer can request the business to carry out these rights); and
- A description of any “financial incentive” programs.
As mentioned above, there is a 12-month “lookback” period for the CCPA. In other words, personal information you collected 12 months ago is still within scope of the CCPA.
3. Provide “access” rights to your personal information.
Consumers can request access to the personal information you’ve collected, sold, or otherwise disclosed about them, pursuant to a “verifiable consumer request.”
First, where you have sold or disclosed personal information, you must provide two separate lists to the consumer requesting access:
- The first list must contain (a) the categories of third parties that were sold personal information and (b) the categories of personal information sold to such third parties within the preceding 12 months.
- The second list must contain (a) the categories of third parties that the business disclosed personal information to for a “business purpose” and (b) the categories of personal information disclosed to those third parties for a “business purpose” within the preceding 12 months.
Second, where a consumer requests the right of access, you must provide the specific pieces of personal information in a portable format and, to the extent technically feasible, in a “readily useable format” that allows the consumer to transmit this information to another entity without hindrance.
This is similar to the right of portability under the GDPR; businesses can consider providing the personal information in .csv or JSON or another format that may be considered “portable.”
“The CCPA will be preempted by federal law so I don’t need to worry about it.”You should not expect a federal law to save you. It is still very early in the process for a federal privacy bill. Further, while many proposals for a federal law have been introduced to Congress, there is much disagreement over what the scope of such law could be, especially with respect to federal preemption. In fact, the topic of federal preemption is avoided in most proposals.
“I am a B2B company and so CCPA does not apply to me.”This is untrue—the CCPA protects the personal information of all “consumers.” However, “consumer” is defined as any California resident. This includes those that are B2B contacts, shareholders, and investors.
“My company is not in California, nor are any companies I use, and so I am not subject to CCPA.”The CCPA is agnostic as to where companies are located, so long as they process personal information of California residents.
“My website is not TLS/SSL compliant but that doesn’t mean I’m not in compliance with CCPA.”The CCPA does not mandate specific security controls. However, it requires “reasonable security procedures and practices.” TLS/SSL compliance is an industry standard, and it will be difficult to defend that you have “reasonable security procedures and practices” if you are not TLS/SSL compliant.
“Small businesses are exempt from the CCPA.”This is untrue. If you are a business that sells or collects the personal information of consumers, households, or devices, you may be subject to the CCPA, even if you don’t generate large amounts of revenue. Further, if you are a service provider to these businesses, you are subject to the CCPA. Finally, even if you are neither of the above, you may still be considered a “third party” under the CCPA.
“Certain industries are completely exempt from CCPA, like financial services or healthcare.”Industries aren’t exempt from the CCPA—specific categories of data covered by certain laws are exempted (e.g., protected health information under HIPAA or nonpublic personal information under GLBA).
The CCPA is the most comprehensive U.S. state privacy law to date, and the time to act is now. While the CCPA was clearly inspired by the GDPR, the CCPA is a very different law with unique and complex requirements.
At some point, the California Attorney General is expected to release regulatory guidance to clarify certain distinct provisions. However, since this guidance is expected to only cover certain limited aspects of the CCPA, companies should take steps now to begin navigating its many nuanced obligations and to avoid costly class actions and enforcement actions. In addition, don’t forget the 12-month lookback—what you are doing today may come into play next year.
This White Paper has been prepared by Equisolve to provide information on recent regulations and developments of interest to our readers. It is not intended to provide legal advice for a specific situation. Equisolve assumes no responsibility to update the White Paper based upon events subsequent to the date of its publication, such as new legislation, regulations, and judicial decisions. You should consult with counsel to determine applicable legal requirements in a specific fact situation.