What is the California Consumer Privacy Act and how will it affect your business? Part 2

With the CCPA now enacted, although enforcement doesn’t start until July 1, customers are waking up and starting to ask questions about it. In part 1 of this series, my colleague Ryan Easley wrote about which businesses will need to comply with it and the penalties for non-compliance.

In this post, I want to talk about the rights consumers have over their personal information under the CCPA, and just what that information is (it’s a lot more than you might think).

What rights does the CCPA grant to California consumers?

Currently, it’s pretty much a free-for-all when it comes to personal data. Outside specific sectors like health and finance, businesses can generally do what they want with data, when they want to, how they want to. The CCPA introduces limits on this by giving consumers in California seven key rights:

  • The right to know what personal information is collected, used, shared or sold about them, including both the categories and specific pieces of data. This includes the right to request all the data a business has collected about them over the last 12 months. (And, yes, that does mean customers can request what data was collected about them from 2019 as well.)
  • The right to be informed, at or before the point of collection, what information is being collected and the purposes it will be used for.
  • The right to deletion of their data on request, with an obligation on businesses and their service providers to delete a consumer’s personal information from their records in all but a small number of circumstances.
  • The right to opt out of their personal information being sold to third parties, with businesses required to provide notice to consumers if they plan to do so.
  • The right to opt in to the sale of personal information of consumers under the age of 16, with affirmative authorization required from the parent or guardian of a child under 13, or from a child aged 13 to 16. It’s the ‘affirmative authorization’ phrase that’s the key here because unchecking a box will no longer be enough.
  • The right to non-discrimination in terms of price or level of service when consumers exercise their rights under the CCPA.
  • The right to sue or bring a class action lawsuit if unencrypted sensitive data is disclosed or lost, for whatever reason.

What constitutes ‘personal information’?

The CCPA talks about personal information and, to make it absolutely clear, it lists what it is. While it includes the usual suspects like names, addresses, social security numbers, and credit card details, it casts the net a lot wider – wider even than the GDPR, which it has been compared to.

First, it describes personal information as: Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Note the word ‘reasonably’. That was actually added in an amendment to the draft of the Act and further strengthens the rights of consumers, not the interests of businesses.

The CCPA then lists ten different types of personal information, ranging from mailing addresses to passport numbers, race and religion to political affiliation and marital status, purchasing history to biometric information, and internet browsing history to geolocation.

While it doesn’t include publicly available information from federal, state or local government records, it also adds inferences drawn from any of the information listed that are used to create consumer profiles about their preferences, predispositions and behavior.

All of which pretty much means that if your business holds any kind of consumer information, it’s almost certainly covered by the CCPA.

What are the take-aways?

There’s one big take-away from the rights consumers now have and the information that is protected by the CCPA, and it comes in the form of two questions.

First, if a customer called you right now, could you tell them what information you have about them, including both the categories and the specific pieces of data?

Second, if they asked for all of the information about them to be deleted, are you confident your business is capable of doing it?

I ask because we’re all accustomed to (and I include Redgate here as well – we also need to follow the CCPA) gathering and sharing information in lots of different places for different purposes. The details of one customer can be in multiple databases, in a variety of locations, along with backups and copies for use in development and testing. And that’s not to mention the laptops of salespeople, marketing people, business analysts – you get the picture.

The new rights, along with the sheer quantity of the types of information now regarded as personal information by the CCPA, mean we’re all going to have to go on a data diet. We need to start consolidating customer data in as few places as possible, and introducing role-based access controls so that only those people with the correct permissions to view unencrypted personal information are able to.

Want to know more?

This is the second in a series of blog posts about the CCPA from me and my colleague, Ryan Easley. If there’s an area of particular interest, you can discover more about it right now:

  • Part 1: The businesses the CCPA applies to and the penalties for non-compliance
  • Part 3: The requirements the CCPA imposes on businesses
  • Part 4: The 3 areas businesses need to focus on to be compliant

For future reference, we’ve also combined them in a comprehensive CCPA whitepaper that you can download and share with colleagues.

For more information about how Redgate can help your business meet the obligations of the CCPA, visit the Redgate Solutions page online, or connect with me on LinkedIn.