By Tricia Dunlap (Esq. & CIPP/US) and Tess Lynch (J.D. 2019 & CIPP/US)
Start with these four steps to prepare for the CCPA and ensure your Virginia business is in compliance.
If you’ve read our last blog, you know the California Consumer Privacy Act (CCPA) could impact your business, even if you’re not based in California. Enforcement begins July 1, 2020, so the time to prepare is now. Here are four initiatives your Virginia business can take to ensure compliance with CCPA business requirements and careful handling of consumers’ personal information (“PI”):
Step 1: Begin With Data Mapping.
It’s essential to examine your company’s data collection, storage, and transfer practices. Your data map should identify the type of personal information collected, collection methods, the location and sensitivity of the collected PI, the individuals and entities that have access to collected PI, and whether the nature of data transfers to third parties can be classified as a “sale” under the CCPA. Sales are defined broadly to include any transfer of consumer PI to another business for value. The information collected by the data mapping exercise is essential to understanding your potential liabilities (whether legal or reputational).
Once your map is complete, you may choose to aggregate or deidentify consumer information to minimize CCPA obligations. However, recognize that deidentification is not a guaranteed safe harbor. When you deidentify information, you must simultaneously implement technical methods and safeguards to prevent reidentification. Businesses can use deidentified information so long as the business has implemented technical safeguards prohibiting reidentification, makes no attempt to reidentify the information and extends these safeguard requirements to information recipients. Absent technical safeguards that specifically prohibit reidentification, deidentified data is considered PI and remains subject to CCPA protections.
Step 2: Review and Update Contracts.
This is especially important to meet CCPA business requirements because the CCPA requires businesses to have certain provisions in contracts with “service providers.”
Even if you don’t have to comply with the CCPA, updating contracts to consider data rights and liabilities is a best practice. At this point, most contracts should address underlying liabilities related to sensitive data. In some circumstances, it’s possible to reduce your risk by assigning data-related liabilities to the other party.
For CCPA compliance, once you’ve mapped your data and examined your current practices, it’s time to start integrating consent procedures. Because CCPA liability runs upstream, it’s important to ensure that these practices are implemented across all affiliates, subsidiaries, service providers, and third parties that receive PI you collect. Businesses that collect and sell PI to third parties or service providers must execute new contracts that:
- Limit the third party’s use of PI your business collected to specific purposes;
- Set privacy protection standards and notice procedures for noncompliance;
- Allow your business oversight of subsequent PI transfers; and
- Address your business’s ability to remedy the third party’s unauthorized use of PI.
The CCPA does not require consent prior to selling PI – businesses need only integrate the “Do Not Sell” link mentioned below. However, some categories of information, such as children’s personal information and sensitive information, receive more scrutiny. Children’s information has historically received heightened protection requirements, and businesses are specifically prohibited from selling the PI of users under the age of 16 without prior consent. Companies can obtain consent either from the children, if they are between the ages of 13 and 16, or from the parents, if the child is under 13.
Consent for all other business purposes is secured when your business provides the consumer with a comprehensive privacy policy or supplemental notice of collection (see below). Upon collection, your business must categorize the PI it collects based on your business purpose for collecting it.
The CCPA limits your business’s use of consumers’ PI to the scope of that stated purpose. Should the business or any of the business’s partners use the information for a different purpose not anticipated in the privacy practice documents, they must obtain explicit consumer consent before doing so. Renewing consent can be complicated when the “source” of the information is not the business itself. Entities utilizing second-hand PI must either directly contact the consumer or have the source obtain consent for them.
Step 3: Update Your Privacy Policy.
Every company needs to routinely review its privacy policy. The only thing worse than having an out-of-date privacy policy is having a policy that doesn’t align with actual practices.
The CCPA requires companies to update privacy policies and include specific CCPA-compliant language. This overhaul requires businesses to inform consumers about the PI collected and the intended use for each category of collected information. At a minimum, the privacy policy should address consumer rights, categories of collection, third party sharing practices, methods for submitting a rights request, and which consumers will be impacted.
Virginia businesses should consider having one universal privacy policy supplemented by additional policies tailored to privacy laws in other states. The data privacy legal landscape is highly dynamic. Using one comprehensive document that attempts to incorporate rapidly evolving privacy laws from all U.S. states will require frequent review and a high level of diligence to ensure it is accurate. Also, one comprehensive document will quickly overwhelm the average consumer with irrelevant, and sometimes conflicting, information.
Notice of Collection
The notice of collection is independent from the Privacy Policy and businesses that collect PI must provide this notice when they begin collecting consumer PI. The CCPA distinguishes between businesses that sell customer information to third parties and affiliates. Because the definition of “a sale” is not limited to monetary consideration, businesses should be wary in disclosing PI in exchange for anything of value. We note that PI transfers directed by consumers and transfers in connection with M&A transactions and bankruptcy are not subject to CCPA’s consent and opt-out requirements.
“Do Not Sell My Personal Information” Link
One distinct deviation from the European Union’s General Data Protection Regulation (GDPR) is the CCPA’s requirement that businesses add a “Do Not Sell My Personal Information” link on their homepage. The link must be provided in a clear and conspicuous location and, for one year after the consumer opts out, businesses cannot request reauthorization to sell that consumer’s PI. Obviously, managing all these business requirements will require the implementation of new systems and procedures.
To prevent companies from discriminating against California consumers that choose to opt out, the CCPA restricts any kind of penalizing or discrimination. This includes denying goods or services, charging different rates, or providing a different level of quality of goods or services to the consumer. Businesses may, however, encourage participation through a financial incentive program provided the consumer gives the business prior opt-in consent. Businesses that acquire consumer information for purely internal processing need not implement the “Do Not Sell” link but should explicitly address their practices in their privacy policy.
Step 4: Develop Rights-Requests Procedures.
The CCPA significantly expands the rights of California consumers. Consumers have the right to opt out of the sale of their personal information and make specific requests regarding disclosure, correction, portability, and deletion. At minimum, the CCPA requires your business to provide a rights-request link on your website and a toll-free number to facilitate these types of requests. Businesses seeking to go above and beyond can also provide an email address, a mailing address, an online form, or other applicable contact information.
California consumers have the right to request specific pieces of their PI from the business including the categories of collected information, the purpose of the collection and use of the information, and whether the information is shared or sold. Additionally, consumers can request that their information be transferred to a different entity or have their PI deleted entirely. The right to deletion extends to personal information related to the consumer making the request.
Businesses should develop processes to verify the identity of users making requests, facilitate consumer requests, and direct service providers to update or delete consumer information in response to consumer requests. A business must designate a reason for denying a rights request and can assert this denial if the information falls into an exempted category. These exemptions include information that is necessary for ongoing transactions, internal business procedures, legal compliance, security incidents, and risk assessments.
We’re here to help your business prepare for the CCPA.
Dunlap Law can help you understand and adapt to the CCPA, Virginia data privacy law, and other data privacy laws nationwide. We closely track data privacy legal developments so you don’t have to. Call for a consultation today or ask Tricia Dunlap to speak to your group.
Dunlap Law is a SWaM-certified law firm in Richmond, Virginia and the only B Corp certified law firm in Virginia or DC. Tricia Dunlap and Tess Lynch hold the Certified Information Privacy Professional (CIPP/US) credential from the International Association of Privacy Professionals. Tricia is also 2020-2021 co-chair of the IAPP’s KnowledgeNet, Richmond Chapter.