Correcting these misconceptions could save you thousands in fees
What is CCPA?
The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them, and the CCPA regulations provide guidance on how to implement the law. This landmark law secures new privacy rights for California consumers, including:
- The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt out of the sale or sharing of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.
1. “We will be compliant once we update our privacy policies.”
A published privacy policy is great marketing for a company. It communicates to customers that you care about their privacy and security.
That being said, merely having a privacy policy is not enough. For a privacy policy to matter, you need to ensure that…
- The company privacy policy is up to date with what leadership wants. Many companies take a “set it and forget it” approach to their privacy policy. Publishing an out-of-date privacy policy scares customers away, because it does not take the current security climate into account, and it leaves employees unclear about the privacy target they should be aiming at.
- The company privacy policy is actually being followed. In many companies, privacy policies are ignored in favor of convenient employee workarounds (e.g. carrying flash drives of customer information around the office). These workarounds may be convenient for employees, but they expose customer information to a lot of abuse, and the CCPA was written with this in mind.
2. “CCPA is IT’s problem.”
While technology is vital to CCPA compliance, it is not the only component of CCPA compliance. As mentioned above, many employees create workarounds for their personal workflows that compromise customer information. These workflows are not an IT problem; they are an Operations problem, so plugging these holes requires participation from Operations. Many customers also contact companies through their helpdesk and social media and provide personal information through these channels; CCPA requires companies to have processes in place to delete these sources of customer information as well. All of the holes in your company must be plugged in order to be CCPA compliant.
3. “We are already adding an Opt Out button on our privacy page.”
There are two misconceptions at play here. The first is that an opt-out button on the privacy page is adequate. It is not: for CCPA compliance, the opt-out button must be on the home page. The second concerns what the opt-out button actually does:
- Does the act of “opting out” trigger information removal from multiple systems?
- Does it communicate this request to third-party affiliates?
- Does it produce a report of the steps taken to remove the information and send it back to the requesting party?
To be compliant with CCPA, the opt-out button on your home page must do all these things.
4. “We did this for GDPR two years ago, so we are good!”
While GDPR and CCPA were both passed for similar political reasons and have many similar requirements, they are not the same. Relying on your GDPR compliance for your CCPA compliance will most likely result in your company not being CCPA compliant at all.
DLA Piper’s comparison of the two laws lays out the differences:
In some respects, however, the CCPA does not go as far as GDPR. Most crucially, the CCPA does not require businesses to have a “legal basis” (a justification set forth in GDPR) for the collection and use of personal information. The CCPA also does not restrict the transfer of personal information outside the US, or require that businesses appoint a data protection officer and conduct impact assessments. In addition, California residents’ right to access personal information is limited to data collected in the past 12 months. CCPA also places fewer obligations on service providers.
In other respects, the CCPA differs or goes beyond the scope of GDPR:
- The CCPA’s definition of personal information specifically includes household information.
- While both the CCPA and GDPR require detailed privacy notices, the required content of those notices differs. A privacy policy that meets the requirements of the GDPR will likely not satisfy the CCPA’s requirements.
- Under GDPR, a business does not necessarily need the individual’s consent to collect and use data, in which case the individual does not have a general opt-out right. But CCPA grants individuals an absolute right to opt out of the sale of their personal information and obligates businesses to add a “Do Not Sell My Personal Information” link on websites and mobile apps.
- Although both the CCPA and GDPR prescribe provisions that must be included in contracts with service providers, the requirements differ, and GDPR data processing agreements will likely not meet CCPA requirements.
- Finally, the GDPR and CCPA take different approaches to children’s privacy rights. GDPR requires that parents provide consent for the processing of their children’s personal information in an online environment — but only where the legal basis for processing is consent. Children are defined as under 16, although member states can lower the age to 13. The CCPA, in contrast, addresses the sale of children’s information — not all processing — and requires that businesses first obtain opt-in consent. Parents must provide consent for kids under 13; teens 13–15 can provide their own consent.