Caution, Preparedness Key in Year Before Privacy Act Takes Effect

The California Consumer Privacy Act was approved in June and won't take effect until Jan. 1, 2020 — but because it will require that resident data be handled with additional care, businesses and governments should exercise caution and plan for how they'll comply, a group of attorneys said in a webinar on the topic.

Lawmakers may still be working to fine-tune the California Consumer Privacy Act (CCPA), signed into law by former Gov. Jerry Brown in June, but in a recent webinar for the private sector, attorneys from Chicago and Los Angeles agreed the legislation will likely have a significant effect on how entities collect, use and store consumer data — almost regardless of their location.

That’s partly because as the world’s fifth-largest economy and the home state to an estimated 40 million residents, California makes a lot of connections.

“California has direct commercial ties to certainly every other state in this country and most other countries in the world,” said Los Angeles lawyer Lukas Sosnicki, one of three attorneys at nationwide law firm Dykema, who hosted “The California Consumer Privacy Act: Why and How It Will Affect Your Business” on Wednesday. “Everyone does business with California. This is going to affect a lot of folks.”

The attorneys offered several takeaways for business and government:

• Determine what type of “potentially affected entity” you may be. The CCPA defines a business as any legal entity organized or operated for profit that does business in California, collects information and either has annual gross revenues of over $25 million; sells the records of more than 50,000 consumers; or gets 50 percent or more of its annual revenues from selling consumers’ personal information, Sosnicki said. It considers a service provider to be a for-profit entity that receives information for a business purpose — pursuant to a contract that specifies that purpose and limits the use of the information to that purpose. The CCPA defines third parties — the third such “entity” — more by what they’re not, in comparison, but considers them still to be entities that receive “consumer information from a business.”

• Think about consumers and their information. Attorney Ashley Fickel said the statute defines consumers as “a California resident, however identified, including by a unique identifier.” And what about their personal information which the CCPA guards so closely?

“It’s personal information defined as information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked directly or indirectly with a particular consumer or household,” Fickel said, reading from the statute. “This is the broadest legal definition of personal data that we’ve seen. So, it’s important to keep this concept in mind as we go forward and as you as a business owner are managing risk (or) are evaluating what data you do indeed have.”

• Look at the data you've collected. It’s still an “open question” whether the CCPA will cover employee data, Sosnicki said — but it will not apply to de-identified or aggregate data, and will make an exception for information “covered by other existing statutes,” including the Health Insurance Portability and Accountability Act (HIPAA) for the health-care industry. But he issued a word of caution to entities that believe their data may be sufficiently anonymized.

“You’ve got to be careful there because there’s risks that even though you may have purchased data that you believe has been de-identified or aggregated, it actually might be possible through technology to create an end run around the de-identification process, and you’ll actually end up having consumer information and running into problems,” Sosnicki said.

• Consider what CCPA will cover. Healthcare providers and government agencies may have grown accustomed to abiding by HIPAA, but they, too, should be cautious of the CCPA. That’s because they’re likely currently collecting information that’s permissible under HIPAA — but will now fall under CCPA and require further attention, Sosnicki said, warning officials to evaluate and map “key data” they possess.

• Work on those privacy notices. The CCPA will require businesses to provide customers a new type of privacy notice “at or before the point of collection,” Fickel said, letting them know what categories of personal information are being collected, what it will be used for — and that they have the right to opt out of having that information sold.

• Remember — it may be retroactive. The CCPA doesn’t take effect until Jan. 1, 2020, but consumers can make a “verified consumer request” for the information they’ve provided to a business or entity on that first day, attorney Ashley Jackson said. The business or entity will have 45 days to respond and can seek a single 45-day extension, but must respond free of charge. Most significantly, however, respondents must provide all information on a customer from the previous 12 months — meaning that while the law won’t take effect until Jan. 1, it will effectively cover the previous 12 months, back to Jan. 1, 2019.

“(Make) sure that you understand your data, but also look at whether or not you need that information,” Jackson said, advising entities to “go on a data diet.”

Theo Douglas is Assistant Managing Editor of Industry Insider — California.