California Consumer Privacy Act: Enforcement Priorities
It will soon be one year since the California Attorney General (AG) began enforcing the California Consumer Privacy Act (CCPA). Thus far, the AG’s enforcement efforts have focused on businesses’ compliance with several key areas, including:
Adequate notice at the time of collection of personal data, including but not limited to notice via privacy policies.
Compliance with requirements for a “Do Not Sell” mechanism and cookie audits.
Notice at Collection and Via Privacy Policies
In its initial efforts, the AG has scrutinized both notice at collection and notice as reflected in privacy policies. These enforcement priorities are not surprising. Notice is a foundational principle of data privacy.
What Is It?
CCPA requires that businesses provide a meaningful “notice at collection” when collecting personal data from California consumers. If the business also “sells” any of that personal data, the notice must include a “Do Not Sell” link that takes consumers to a page where they can opt out of the sale of personal data. The notice must also include a link to the company’s privacy policy.
A privacy policy need not be short, but it does need to use plain language and avoid legal jargon. To comply with CCPA and ensure that the company is transparent about the use of personal data, a good privacy policy should avoid overly technical details, cross-referencing, and complicated charts.
How to Comply
If your company is subject to CCPA, begin by looking hard at the data you have, where it comes from, and who you share it with. Be sure to note:
At what points do you collect personal data or receive it from other third parties?
Where do you store it, for how long?
For what purposes do you use personal data?
Do you also share it with third parties? If so, who are those third parties and what restrictions do you place on how they may use the personal data?
Is all this information reflected in your privacy policy?
After you have this information, you should check that your privacy policy describes the company’s data collection and data sharing practices in clear, easy-to-read language. The CCPA does not require that your policy have any “magic words,” but the AG’s office is reviewing privacy policies to ensure that the policy is crafted in a way that is clear to consumers. Can your grandmother or your teenager read your privacy policy and understand it? If not, it may be time to rewrite it.
Do Not Sell
What is it?
The CCPA defines the sale of data very broadly. Some businesses who thought they did not “sell” any personal data have discovered that they transfer data in a way that constitutes a sale under CCPA. Avoiding this requires vigilance. Be sure to answer these questions when engaging with a service provider or business partner with whom you want to share consumer data:
Do you have contractual restrictions you place on third parties when you provide data to them?
Are you getting some benefit by virtue of transferring personal data to a service provider or some other third party?
When you transfer personal data to a “service provider,” are you sure the recipient is a service provider under CCPA?
Have you verified whether your use of cookies or other tracking technologies might constitute a sale under CCPA?
If you cannot answer yes to the above questions, you might be selling personal data. You also need to understand what cookies or other tracking technologies you use now or plan to use in the future, and to assess your contracts accordingly.
How to Comply
The consumer’s ability to tell a company, “Do Not Sell My Personal Information,” must be easy to accomplish. First of all, there must be “Do Not Sell” option with every notice at collection, including a link that goes directly to the mechanism that enables consumers to do that. While a privacy policy should also include a link to the Do Not Sell option, linking to that privacy policy from the point of data collection is not sufficient to satisfy the Do Not Sell requirements of the CCPA.
Consider not only what personal data you collect, use and share but also how you keep track of consumer preferences. You may need to honor those choices six months from now. If you have an accurate data inventory and a managed system to track consumer choices, you can adapt as technologies change. The AG's priorities may wax and wane but the principle of consumer choices will be constant.
Author: Kellie Delaney, Of Counsel.
Please contact the team at Maier Law Group if we can help you assess your readiness for CCPA. We help companies ensure that their policies and practices comply with the relevant regulations. Please contact us at info@maierlawgroup.com for more information.
This article has been prepared for general informational purposes only and does not constitute advertising, solicitation, or legal advice. If you have questions about a particular matter, please contact the Maier Law Group directly.