CCPA: Getting Past Stuck and Getting Started with Consumer Rights Requests
On the heels of the GDPR, the California Consumer Privacy Act (CCPA) is set to be one of the toughest privacy laws enacted in the US. Many organizations are expressing a feeling of “being stuck” when it comes to getting started with managing consumer rights requests under the CCPA.
Last week we were joined by Britanie Hall, Senior Associate at Hogan Lovells, Privacy and Cyber Security, and Alexys Carlton, Director, Information Security & Privacy at Otter Products & Blue Ocean Enterprises for a webinar on practical steps companies can take today to get ready for the CCPA.
Personal information under the CCPA.
One of the challenges with the CCPA is the broad definition of personal information. Up until now, personal information was generally interpreted to be limited to a set of specifically identifiable information; breach notification laws cover name plus certain other information. Section 1798.140(o) of the CCPA, however, defines information more broadly as any information associated with, relating to, or capable of being associated with, or that could reasonably be linked, directly or indirectly, with a particular consumer or household. The inclusion of household makes this section broader than how personal data is defined by the GDPR.
There is also some confusion on whether de-identified data or aggregate consumer information will be carved out of the definition of personal information. The CCPA is also not defining a consumer by the individual’s relationship with a business. Rather, it applies to every resident of California, whether or not they are a customer of a business and whether or not they are in the state, so long as they are a resident.
There remains some uncertainty on whether the natural person language extends to employees or to business to business contacts; would they be treated as a consumer? While the California state legislature or Attorney-General are expected to offer additional clarity around these definitions, businesses operating in California will want to consider how they would cover employee information as well as consumer information. We recently published a blog post on understanding individual rights.
Where companies are getting stuck
There are some key areas where we see companies getting stuck in their efforts to become CCPA compliant.
One of the most common questions we see is what is considered reasonable verification?
The CCPA directs the California Attorney General to establish the rules and procedures related to reasonable verification with a goal to minimize the administrative burden on consumers while simultaneously taking into account available technology, security concerns and burden on the business to determine that a request for information is a verifiable consumer request.
A business should be able to identify the consumer and associate the information provided by that consumer in the request to personal information. When consumers don’t have an account where they can log in, they do need to give your business some specific piece of information you can match so you can reasonably verify their identity.
While the CCPA discusses that it may be sufficient for someone to be logged into their account when they make the request, businesses may want to think about what types of information they will maintain in connection with that account. For example, where the information maintained is sensitive (such as payment information or social security number) rather than not sensitive (such as email address or mailing address), businesses will want to consider additional authentication (for example, requiring an answer to a security question, or two-factor authentication).
Data structure and location.
Data access requests can cover data you have stored across multiple areas in your infrastructure. To fulfill the access request, organizations will need to prioritize available systems for searches. While structured data is easier to search in response to requests, unstructured data such as that contained in emails may also be subject to access requests. This could require policies to minimize sharing personal information through emails or give thought to where unstructured data that has personal information is stored and how to prioritize those systems for searches.
Deletion exceptions are another area causing organizations to get stuck in developing their CCPA compliance. If your company has implemented policies around deletion exceptions for GDPR, it is important to understand that the GDPR does not line up exactly to CCPA. While they both grant the right of the consumer to delete information, the two regulations are framed differently.
CCPA deletion exceptions do not focus on whether the data meets certain static characteristics (for example, is it subject to HIPAA), but rather on dynamic questions related to whether it is necessary to maintain data for a certain action. For example, if you get a deletion request, do you need to keep the data to complete a transaction? If so, then a deletion exception could apply. However, if that is not true at a later date, that data could be marked for deletion when it is no longer necessary.
Lessons learned from the early days of the GDPR.
With the GDPR approaching its one-year birthday, are there lessons we can learn as we approach compliance with the CCPA? From a reasonable verification perspective, one of the main concerns emerging from Data Protection Authorities and organizations is related to the potential risk of over-collecting data just for the purpose of identification. When dealing with a request from an individual, DPAs are guiding organizations to ask questions based on the information that has already been provided. For example, Uber recently updated their access platform so that a consumer must log on to their account to do an access request.
European DPAs are also taking guidance from Canada, where, when authenticating an individual, organizations should focus on two to three elements: something that is known (e.g. password), something you have (e.g. date of birth), and something you are (e.g. biometric data – but only used in serious cases for sensitive data or higher threshold of access).
Finally, soon after the GDPR came into effect, there was a noticeable uptick in fake requests for access to data, from bad actors, and this will be a concern for the CCPA. About one in three complaints of non-compliance are directly tied to data subject rights and DPAs are starting to step up their enforcement. The first fines related to releasing data to the wrong persons have been levied in Germany.
Despite privacy professionals waiting for the confirmation and clarity from the courts and regulators on elements of the CCPA, implementing a compliance program can be a lengthy process so it is important to get started as soon as possible. Alexys Carlton, Director, Information Security & Privacy at Otter Products & Blue Ocean Enterprises offered some practical tips for getting started on CCPA compliance.
- Identify all of the goals of the business as it relates to privacy compliance. In the case of Blue Ocean, the most important goals were to meet consumer expectations, maintaining their trust, and to demonstrate compliance to regulators quickly and efficiently.
- Identify the “data subjects” in your program. Blue Ocean established early on that they would offer the same data subject rights to everyone. By following one process, they can mitigate risk of human error.
- Know where consumer data is stored. Due to complexity, time, and effort, conducting a full data inventory is not realistic for most organizations. Ms. Carlton recommends breaking this project into internal processing activities versus trying to tackle all processing activities in one data flow. For example, one can ask, “If I place an order on the website, where does my data go?” Data flow diagrams can be very helpful in this exercise.
- Develop a timeline for how to fulfill a data subject request. It is critical to document all the processes for dealing with requests with specific step by step instructions on how to do an access request or a deletion request. Blue Ocean defined the data that the company must retain and removed those data types from the deletion process.
- Understand how to demonstrate compliance. It is important to track the evidence for each data access request to ensure the processes are followed and that compliance can be demonstrated to a regulator. Blue Ocean created a data subject log; once a request has been fulfilled, everything, including the communication that was provided back to the data subject, is stored in a secure electronic file. This enables the company to generate a report within an hour of a regulator request.
- Move your project to a program for ongoing compliance. GDPR was often treated as a project with an end date of May 25, 2018 – but that’s really when it began, and the same can be said for CCPA. The steps in data subject rights processes change every time a data flow process changes, and there could be significant consequences if organizations lack processes to address those changes in a sustainable manner. Blue Ocean uses Privacy Impact Assessments to maintain their program. The privacy office is informed of any changes to process, or any new system or process that involves personal data. If it is a completely new process, then new records of processing documentation and a new data flow diagram are created.
Blue Ocean is one of many customers who leverage Nymity’s Privacy Accountability Framework™ to identify the technical and organizational measures needed to build the process to be able to process data access requests under the CCPA. The Framework helps organizations with structuring their privacy program using a process-based approach and enables them to demonstrate compliance on an ongoing basis.
Nymity has a number of resources available for helping companies build sustainable programs for demonstrating CCPA compliance.