Reforming Retail

CCPA Is Typical Legislative Overreach, But It Could Affect You Big Time

When legislators get bored they ratify laws to guarantee their future employment. The latest controversial piece of legislation, out of California, no less, is CCPA, or the California Consumer Privacy Act. Per usual the law has sweeping effects and will likely greatly increase the cost of doing business as previous privacy laws have in the EU.

To get smart on the matter Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild, a full service law firm, sat down to walk us through what this could mean for the brick and mortar ecosystem. Odia has advised more than 90 companies on compliance with the EU data protection law, GDPR, and uses her experience and the lessons learned by companies with that compliance to advise companies on the road to compliance with the CCPA. 

For starters, what is CCPA?

CCPA is a comprehensive privacy law that regulates how companies handle information that identifies California residents. The law goes live on January 1, 2020 but the California Attorney General doesn’t start enforcement until July 1, 2020.

What’s the scope of CCPA?

Any for-profit entity doing business in California that meets one of the following:

  • Has a gross revenue greater than $25 million.
  • Annually buys, receives, sells, or shares the personal information of more than 50,000 consumers, households, or devices for commercial purposes.
  • Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

How is CCPA different than other state laws on privacy?

The main difference between CCPA and other US state privacy laws is that CCPA is very broad. Most state privacy laws are focused on specific types of data – think HIPAA for health data, COPPA for data on children, or GLBA/FCRA for financial data. CCPA on the other hand applies to all types of personal information.

Most people in technology have heard of GDPR in Europe. Is CCPA similar to GDPR?

CCPA does share a number of similarities with GDPR. First, it’s broad and applies to many companies that handle consumer data on California residents, although CCPA was intended to apply to larger companies. Like GDPR, CCPA requires that companies provide California residents with greater transparency about what information they’re collecting and what they’re doing with that data. Under CCPA consumers also have a right to get a copy of the data you have on them, have that data deleted, or opt their data out from any sales of that data.

But CCPA is not the same as GDPR. GDPR applies to non-profits, relies on something called a “legal basis” as the reason for handling data and in general relies more on opt-ins than opt-outs regarding data collection. There’s already a November 2020 proposal to make CCPA more similar to GDPR, and that would come with additional data restrictions. This is the new ballot initiative by Alastair Mactaggart, called CPREA.

CCPA looks onerous if any business must build mechanisms to comply with data purging. Are there any exceptions to the law?

Under CCPA Section 3, 1798.105(d) there are provisions for exclusions. A business or a service provider shall not be required to comply with a consumer’s request to delete the consumer’s personal information if it is necessary for the business or service provider to maintain the consumer’s personal information in order to:

  1. Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
  2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
  3. Debug to identify and repair errors that impair existing intended functionality.
  4. Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
  5. Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
  6. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the business’s deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
  7. To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
  8. Comply with a legal obligation.
  9. Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.

Under GDPR we’ve seen employee names considered Personal Data. How does CCPA view this?

Per a recent amendment (AB25) employee information is mostly outside the scope of CCPA until 2021, but: there are other applicable state laws that might cover employee and payroll data, employees are still entitled to be provided a privacy notice from their employer, and if their information is breached they can sue.

What are some non-obvious parts of CCPA our readers might care to know?

  • “Consumer” under CCPA does not mean consumer in the everyday sense; it’s actually “a resident of California”.
  • A “sale” under CCPA is defined much more broadly than we are used to thinking about sales. A sale could include sharing information with a vendor in return for additional data or analytics, and even some sharing of information between a multi-location restaurant and a sister company restaurant could be deemed a sale, and you would need opt-out mechanisms.
  • “Personal Information” is defined very broadly and includes things like cookie information, browsing history, history of visits or purchases at the restaurant and any inferences you might make from this to determine how the individual might behave (e.g. profiling).

What would you tell technology companies like POS providers who have customers in California?

If you’re a technology company and you provide services to companies that are subject to CCPA, you should seriously think about CCPA too because, in order for them to use your services, you would need to show them that you can help them comply with their obligations under CCPA. You would want to build this support into your software.

We were skeptical any consumer would actually use CCPA to have their information deleted. After all, we’re talking about a rising generation that openly circulates pictures of their genitals on school chat forums. Odia shared some fascinating information on this matter from the EU and GDPR – one company has seen over seven million deletion requests since GDPR was enacted 18 months ago. This company doesn’t see all deletion requests either, but it could mean that more than 2% of all EU citizens are opting out of data collection.

As with every law written by non-business people there are lots of gray areas. For example, what happens when a California resident travels to New York City and makes an online order during a business trip? Is the ordering company, POS company, and merchant supposed to know the consumer is a California resident and build in the corresponding opt-out mechanisms? The only way they’d know this is (… wait for it… ) if they already had access and the rights to the personal data needed to identify the customer as a California resident in the first place.

Irony.

Our two major concerns are one, when will other states follow Europe and now California down this rabbit hole, and two, what does this mean in the global context of competition? AI will become integral to any country’s economic output, and what happens if US companies are starved of the data to compete? You think China is going to suddenly exalt human rights and enact privacy laws of CCPA magnitude?

Per usual the consumer is left paying the bill for the regulatory shenanigans. But just because we think it’s shenanigans doesn’t mean some state legislator won’t use your company as a case study for their next political run. So make sure you’re in compliance or find a good attorney that can help you navigate this maze wisely, including finding reasons to qualify your business practices as an exemption.

Odia can be reached at okagan [at] foxrothschild.com.

1 comment

  • Jordan – Very helpful article and I hope it starts foodservice-tech folks thinking more about these issues. However, I do think that instead of your article being titled “CCPA Is Typical Legislative Overreach”, that a more accurate title would have been “CCPA Is Typical Legislative Overreach to Combat Wildly Out Of Control Facebook-Google-Amazon Overreach”.
