As I’ve blogged about before, the California Consumer Privacy Act (CCPA) will significantly change the landscape for tech companies that do business with California residents.
Now that we are less than a month away from the CCPA’s implementation, more has become clear about what it means for small and mid-sized businesses.
However, there’s still quite a bit of uncertainty. In this update, I’ll explain some reasons for the uncertainty and summarize the must-do steps for startups.
The United States Consumer Data Privacy Act of 2019
Presently, the largest source of uncertainty about the CCPA is the possibility that it will be pre-empted or invalidated by a privacy law at the federal level. Both Democratic and GOP members of Congress have proposed various federal privacy acts. The latest GOP proposal, published December 5, would supersede the CCPA and thus invalidate many, if not all, of its provisions.
If such a bill passes, the CCPA could be a very short-lived regulation. Sentant will keep a careful eye on these bills as they progress through Congress.
Private Right of Action
One of the most significant changes to the CCPA has been an amendment clarifying the private right of action (AB 1355). In limited circumstances, individuals may sue tech companies for statutory damages if there has been a breach of an individual’s name in combination with their:
- social security, driver’s license, or California identification card number;
- account, credit card, or debit card number, in combination with a code or password that would permit access to a financial account; or
- medical or health insurance information.
Notably, companies have 30 days to “cure” the breach and provide “an express written statement that the violations have been cured and that no further violations shall occur” to avoid liability for statutory damages under the CCPA. It remains unclear exactly what “cure” entails, and the recent regulations published by the Attorney General do not mention it.
This means that if a breach doesn’t involve the above information, consumers cannot sue the company for statutory damages. They can seek only injunctive or declaratory relief, which is far less likely to be pursued.
Since many companies do not collect any of the above data, this is a key distinction.
Attorney General Publishes Draft Regulations
Much anticipated draft regulations of the CCPA from the California Attorney General were published in late November. These give detail on what is required from Privacy Policies, CCPA notices on websites and in-app, and handling CCPA requests.
However, the draft does not resolve many of the questions privacy experts have raised (such as what “cure” means, noted above), so expect further guidance to be published over time.
Must Haves for Tech Startups
While this list is not exhaustive and will differ from company to company, major elements of CCPA compliance for startups boil down to:
- Revise or publish a new California-specific Privacy Policy covering all the elements the CCPA requires;
- Ensure you have GDPR-like processes to be able to receive and respond to CCPA requests and purge user data;
- Set up your application to provide CCPA notices (compliant with the AG’s regulations) before data is collected and stored;
- Make sure staff involved in CCPA requests or compliance receive CCPA-specific training.
If your business deals with vast amounts of consumer data or particularly sensitive data, it’s likely this list will grow a lot longer. The above list represents the minimum “must-haves” for companies in scope for CCPA compliance.
Sentant is continuing to monitor the CCPA’s development and communications from the Attorney General and will continue to publish updates as the CCPA comes into effect.