How to prepare for the new California Consumer Privacy Act (CCPA)

By John Carbo, Director of Information Security at Abacus Group

The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020.  The purpose of the CCPA is to extend protections for the personal data of California residents and imposes new requirements for businesses that process personal data.  The focus of the CCPA is on disclosures for the collection and “sale” of personal information.  In this context, a “sale” covers any disclosure of personal information for any “valuable consideration.”  Consumers have the right to opt-out from selling of their personal information which can be done with a link on a website titled “Do Not Sell My Personal Information.”  Obviously, this requirement is only for businesses that “sell” personal information.

The scope of the CCPA includes:

• for-profit business conducted in California
• which collects consumer personal information
• and determines the purpose and means of the processing

The CCPA excludes from its scope the collection and sharing of certain categories of personal information:

• personal information under the Gramm-Leach Bliley Act
• the right to opt-out is only available in the case of selling or sharing personal information

The CCPA also excludes specific processing activities from the definition of “selling”:

• where a business shares personal information with a service provider that is necessary for a “business purpose”
• where the business transfers the personal information to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other similar transaction.

There are many similarities between the EU's General Data Protection Regulation (GDPR) and the CCPA.  Firms that have taken action to comply with the GDPR will have many of the requirements in place that can be adapted for the CCPA.  There are some notable differences: CCPA has “businesses” (Controllers) and “service providers (“Processors”).  The CCPA requires that personal information disclosed to service providers be done under a written contract that prohibits the service provider from retaining, using, or disclosing the information for any purpose other than the purpose of the service specified in the contract.

For Abacus (service provider) and Clients (business), the personal information processed by the Abacus FLEX platform is not considered “selling” information.  Abacus does not further collect, sell, or use the personal information except as necessary to perform the business purpose.

Abacus recommends working with your compliance professionals to:

• Determine who you are under the CCPA (business, service provider, or both) and what information is collected, shared, or transferred.
• Update your vendor contracts to prohibit the further collection, selling, or use except to perform the business purpose.
• Update your privacy policy to include the CCPA Consumer Rights.
• Enable consumer opt-out to the sale of personal information.
• Implement employee training on how to respond to consumer inquiries regarding personal information.