Collects consumers’ personal information, or on behalf of which such information is collected, and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000).
(B) Annually buys, receives, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
Businesses that decide they do not need to comply may find themselves at a strategic disadvantage relative to other online platforms, or may be unable to secure their next round of funding or close an enterprise deal until they comply. It is already evident among institutional venture firms and Fortune 500 enterprise compliance teams that adherence to the CCPA is becoming table stakes for doing business, because the larger vendor bears fiduciary risk (financial penalties, sanctions) if it fails to comply with the statute. If your company works with larger businesses and is considered their service provider, the larger company will need to put in place a contract to govern your relationship with its consumers. The effect is that any collection, sale or use of personal information on behalf of your enterprise customer will be prohibited except as necessary to perform the business purpose.
To comply with the CCPA, a prudent course of action is to take an inventory of your data and begin tracking internal consumer and employee data flows so that you can respond to requests from Californians (e.g., check your CRM, email management, benefits/HR providers, sales leads, and data agreements). Companies should also consider developing a “self-service” tool on websites or apps to enable Californians to access, download and request deletion of their personal information. By comparison, the GDPR affords individuals the additional right of correction. If you prepared for the GDPR, your individual rights processes can be adapted to Californians; however, you may want to review those procedures to identify any required procedural or operational improvements.

C. Incident Response Requirements under the CCPA
The CCPA includes a private right of action in the event of a data breach. However, prior to filing a claim, a consumer must first notify the business of the alleged violation (i.e., a breach) and give the business 30 days to cure the violation. It is unclear how a business would “cure” a breach, but the provision does highlight the importance of rapid detection, containment, and mitigation. The GDPR’s notification requirements are more rigorous (72 hours to notify the Data Protection Authority), but the GDPR provides no comparable private right of claim.

D. Pricing Transparency: A New CCPA Requirement
While both the GDPR and the CCPA prohibit businesses from discriminating against individuals who exercise their rights under the law, the CCPA specifically addresses pricing practices. Accordingly, for the CCPA, businesses should confirm non-discriminatory practices, develop pricing guidelines that do not discriminate (or otherwise violate the CCPA), and document what portion of the cost relates to the collection and management of personal information.

E. Governance Impact of the CCPA
While the CCPA may not define a role for program governance, as with the GDPR you should consider designating a role with responsibility for CCPA compliance to clarify decision-making authority, provide oversight, and ensure sustained maintenance of the compliance program. We recommend this be a combination of a practitioner within your organization, such as an engineering or IT leader, and an executive sponsor such as a VP of Engineering, Products or Marketing.

Given the similarities in compliance obligations, businesses may wish to consider a single role (internal or external) with responsibility for both GDPR and CCPA compliance, and should ensure their workforce receives updated training on procedures for handling private data, including HR, marketing and sales staff. New data subject rights requests and incident response requirements under the CCPA will necessitate new processes or changes to existing ones. Update your employee awareness training and consider tabletop exercises that cover responding to CCPA/GDPR data subject rights requests and incident response under all applicable privacy regulations.