The California Consumer Privacy Act of 2018 (CCPA) went into effect on January 1, 2020, and many companies (and lawyers) are scrambling to make sense of how the law will apply to businesses in Washington State. Below is a brief overview of CCPA compliance concepts, as well as some practical advice for businesses looking to comply with the new law. 

An important distinction in the CCPA and one somewhat mirrored in the Global Data Protection Regulation (GDPR) is a distinction between data controllers and data processors, or under CCPA, businesses and service providers. That is new privacy laws recognize that certain entities are collecting personal information for business purposes and such an entity might use any number of “service providers” to process personal information (among other things) so the entity can provide products or services to the end-user. 

 

CCPA Compliance for Businesses

 

Much like data controllers under GDPR, the CCPA specifies entities that collect personal information are businesses. More specifically, a business under the CCPA determines the purpose and means for the processing of personal information and meets one of the three following criteria:

• Annual gross revenue of $25 million,
• Transactions of personal information relating to 50,000 or more individuals or households, or
• Derives more than 50% of its revenue from the sale of personal information.

As with data controllers, the onus is on the business to ensure the proper handling of personal information. 

 

CCPA Compliance for Service Providers

 

Under Section 1798.140(v) of the CCPA, service providers are entities that process personal information on behalf of a business. Importantly, the CCPA requires that service providers enter into a written agreement with the business that essentially reins in permissible conduct and practices with regard to such processing. Namely, the written agreement between service providers and businesses must provide that the retention, use, and disclosure of personal information processed by the service provider is done for the purpose of providing services to the business.  The CCPA does imply a limited number of permissible uses and disclosures outside of the bounds of the written agreement mostly related to complying with civil, criminal, or regulatory inquiries, etc. 

 

Deidentification of Personal Information

 

Another common question from Washington State businesses is whether they may use deidentified information. Under Section 1789.145(a)(5), businesses and service providers seem permitted to collect, use, retain, sell, or otherwise disclose consumer information that is deidentified or in the aggregate. So this implies that a business or service provider may not be prohibited under the CCPA from deidentifying and aggregating information because such information would no longer be considered personal information under CCPA since it is no longer capable of identifying a particular California household or consumer. 

The CCPA specifies that steps should be taken to lower the chance of reidentification, including technical safeguards that prohibit reidentification and business processes that prohibit reidentification, under Section 1789.140(v). GDPR seems to be stricter on what anonymization is sufficient to reclassify personal information as not personal information, where data must be irreversibly prevented from being used to identify an individual. 

 

Upcoming CCPA Regulations 

 

It’s important to remember that the CCPA is a new law, and CCPA compliance may look different after proposed regulations are adopted. The CCPA’s implementing regulations and guidance is yet to be finalized. As of the writing of this post, the law is now in its second set of modifications to the proposed regulations. The proposed regulations and modifications seem to further define what a business and service provider can do with personal information.

 

CCPA Compliance: Privacy Policies and Data Processing Addendums

 

Promulgating policies, practices, and agreements that ensure compliance with the CCPA can be deceptively complex. At a minimum, Washington State entities that are businesses under CCPA should have user privacy policies, internal business policies, and agreements with service providers that ensure compliance with CCPA. 

In order to comply with the CCPA, the privacy policy must at least set forth the basic rights afforded consumers under CCPA and the means by which a consumer exercises rights. The CCPA provides further information about verifying privacy requests and a timeline for responding to such requests. Data Processing Addendums are written agreements between a service provider and business, usually in addition to a master service agreement of some kind, and sets forth service provider processing requirements (e.g., no sale of personal information) and to otherwise define the relationship between the service provider and business.

 

At Foundry Law Group we offer a variety of services designed to bring your company into compliance with the CCPA, from assessing CCPA applicability to drafting CCPA compliant privacy policies and data processing addendums. We provide our clients with practical and current advice for privacy compliance. Contact Foundry Law Group today for a free initial consultation.