CCPA compliance: A rocky road ahead? on Mar 28, 2019
Last week while discussing the GDPR compliance implications with a retail entrepreneur from the Bay area, I was told that businesses treated it as a “marathon. I was not shocked to hear that business owners were fatigued considering that complying with a new set of regulations is an uphill trek and requires significant flexing of mental muscles.
GDPR was huge last year. (In fact, according to Google search traffic, it grew to become even bigger than Beyoncé.) I was fascinated to learn just how businesses are reacting to the California Consumer’s Privacy Act (CCPA). In 2018 CCPA was voted into law and slated to come into effect on January 1, 2020. Since many feel that the CCPA was rapidly drafted and passed, leaving little time for public comment or making any responses-based changes, I wanted to understand how happy U.S. businesses really are that California would have privacy regulation of its own.
Through discussions, I learned that most organizations feel that complying with the CCPA is going to be a difficult challenge since the way the law reads seems contradictory and ambiguous to them.
Industry experts sense that business entities currently breathing a temporary sigh of relief following the GDPR implementation on May 25, 2018, are now once again about to feel the heat in revving up their privacy compliance efforts. While the CCPA bears a resemblance to the GDPR, the requirements and their legal implications vary from and sometimes exceed those of the GDPR. Those differences cause understandable worry for enterprises required to comply with both the CCPA and the GDPR.
The CCPA may be a protective boon for consumers but has its share of grey areas causing sleepless nights for business leaders. Let’s check out these problem areas:
1. The Anti-discrimination clause
Section 1798.125 of the CCPA clearly states that a business is prohibited from discriminating against the Californian citizens in exercising certain rights (request to access, to delete, and to opt-out of the sale of personal information).
The statutory language mentions that discrimination is not limited to but includes:
- rejecting goods or services to consumers;
- levying varied prices or rates for goods or services, comprising through the use of discounts, benefits or other penalties;
- offering a different level or quality of goods or services;
- proposing a customer receive any different price or quality of goods or services when the consumer chooses to exercise their right under the law.
California’s privacy act offers few exceptions to the general prohibition on discrimination. Organizations are only allowed to charge customers different rates or to provide different service level only in instances when the difference is directly or reasonably “related to the value provided to the consumer by the consumer’s data.” Businesses are also allowed to offer financial incentives, including monetary payments, to customers for collecting, selling or deleting personal data. There can be no unjust, unreasonable, coercive, or usurious financial incentives. Businesses must give notice to customers of the material terms of their financial incentives and receive prior opt-in consent before including any customer in any financial incentives, and customers can withdraw consent for the incentive programs for which they previously opted in, at any time.
The CCPA language states that California’s privacy act permits businesses to provide tiered pricing or service levels only if the differences are reasonable or supported by written consent. The provisions for businesses to engage in financial incentives need a more in-depth look to clarify when and how they would legally work.
2. Lack of clarity about the Financial Incentive Provision
California’s privacy act does not allow discrimination against those customers who exercise their rights under the law by choosing to not opt-in or when later choosing to opt-out of the sale of personal data. The law allows organizations to provide financial incentive programs to customers on an opt-in basis, only. Customers must also be able to exercise their right to opt-out at any time and thereby remove their consent for and their participation in these programs.
The statutory language does not clearly state whether or not organizations are allowed to impose any consequences to customers for choosing to opt-out of a financial incentive program for which they previously gave consent. The lawfulness of any consequences imposed after opting out is not clear but possibly may be interpreted to be legally allowable if considered “reasonable” according to the definition of reasonableness under the CCPA.
3. The absence of a standard process to measure the value of customer data
The CCPA prohibits indiscriminately providing variable prices, goods qualities or the levels of service. Again, businesses are allowed to provide different levels of service or prices to customers when those different levels of service or prices are directly or reasonably “related to the value provided to the consumer by the consumer’s data.” The statements raise a question as to what constitutes consumers legally being offered something worthwhile based on the consumer’s data.
The CCPA does not mention anything regarding a standard process that should be used to evaluate the value of customer data. It raises other relevant questions like whether or not organizations are allowed to determine and measure themselves the reasonable value of the data to a customer or whether or not the value should be measured for every individual customer. The value of data for any given customer may be context-driven.
Industry insiders feel organizations face uncertainty due to the lack of clear guidance in the CCPA as to what would be the right way to calculate the data value. Many view this as a drafting error. Still, the lack of clarity is creating confusion. Experts are in favor of clear and appropriate measurements that would assess value to the businesses, proposing that the discounts or incentives would then directly relate to that allowed value. This way the law could support and preserve commonly used discounting programs.
4. Potential effects on the data sharing relationships of businesses
Considering the broad definition of “sale” in the CCPA, the customer’s right to opt out of the sale of their personal data is likely to severely impact existing data sharing relationships. Organizations or the affiliates exchanging data about their mutual consumers could be considered as a “sale” even as part of a broader relationship if the exchange could be considered as taking the place of other valuable consideration. These sorts of “sale” transfers would be subject to customer opt-out. This broadly framed right to opt-out of the sale of personal data, combined with the anti-discrimination provision, can considerably affect data-driven business models.
As an example, a customer might decide to sign up for a free or discounted ad-supported version of a service and then choose to opt-out from the business’ sharing their personal information with the advertisers directly responsible for making the service financially viable. Yet if the customer decides to opt-out of the sale of their personal information, the anti-discrimination clause of the CCPA might fully prohibit the business from certain responsive actions. Certain other responses might only be allowed when any difference in the level of service provided was “reasonably related to the value provided to the consumer by the consumer’s data.” The ambiguity between the two provisions, customers’ rights to opt-out and anti-discrimination, leaves businesses not knowing what the standard actually is and how to implement it.
5. The Anti-Discrimination Clause in the Workplace and Employment
As to employment, it is uncertain if the CCPA is going to apply to employee and HR data. Organizations collect personal data about their employees routinely in conducting business.
In case the CCPA becomes applicable to the employee data, employers or organizations would have to ensure that they engage in routine data practices without violating the employees’ CCPA rights, even when sharing employee personal data with their affiliates in maintaining compliance or in investigation practices. Depending on how the law is applied in employment, this may mean that businesses would have an even tougher time becoming CCPA compliant.
The CCPA’s broad privacy requirements are utterly new to the U.S. and the compliance deadline, January 1, 2020, is just a few months away. Compliance doesn’t appear to be an easy task. Organizations have to spend a considerable amount of time before then in understanding the intricate details of the CCPA. For the many businesses that have already begun complying with the European GDPR, the road to timely CCPA compliance seems achievable.
If you haven’t yet started your journey to CCPA readiness, the time is ripe now to treat it as a priority. Be sure to consider these pointers below so that becoming CCPA compliant doesn’t become a headache.
— Speak to your legal team
Yes, you read that right. It is an absolute must-follow step. Take time to understand your relevant corporate governance policy. Ask for advice from your legal counsel and request that they identify the specific legal needs around the CCPA as well as what steps your organization needs to take to address them.
— Evaluate your 3rd party data purchase
Considering that this law will soon to be enacted, allowing customers to find the specifics of data collected and used, your purchase of data can come under scrutiny anytime.
— Assess the details collected on the forms
Considering that the CCPA is aimed at individuals, organizations should reevaluate their personal data collection strategy and if needed, make necessary revisions to ensure their profiling strategy follow a progressive approach.
— Evaluate your organization’s ability to govern sensitive data
Examine your organization’s ability to maintain security and allow sharing and deleting of customers’ personal data as requested. It is the responsibility of a business to fully understand the policy needs and ensure that necessary procedures are in place.
— Review your data selling strategy
If your organization is engaged in the sale of personal data, ensure that you maintain a detailed record for a minimum of 12 months from any sale. Also, provide a clear link on your website that allows individuals to choose the “Do Not Sell My Personal Information” option at any given point in time. Know your customers’ ages. According to the CCPA, for businesses that are engaged in the sale of personal data of individuals below 16 years of age, further mandatory permissions are required.
— Examine and revise your organization’s privacy policies as needed
According to a PwC survey, only half of the US businesses that will be legally governed by the CCPA are expecting to become compliant by 2020. The survey also reveals that retail is among one of the least confident sectors in meeting the CCPA compliance deadline of January 1, 2020.
Although the PwC survey shares an overall bleak picture of CCPA compliance, those businesses that are already getting ready for California’s privacy law seem likely to have a better chance of achieving the compliance target. Lessons learned while meeting the GDPR requirements may also provide businesses advantages, despite the differences between the two privacy laws.
Industry analysts generally believe that the CCPA’s impact won’t be limited to just the Golden State and its 39.5 million residents. So the onus lies on the business honchos to get started with their customized CCPA compliance plan right away to assure sufficient time to design for privacy upfront, instead of following a wait and watch approach.
It’s clear the CCPA is vague and marred by inconsistencies, but businesses have no other choice than getting the compliance recipe right in order to avoid data breach and penalties.
So, buckle up and start auditing your data today to be sure that you are prepared for upcoming changes in the law. Need auditing help? Talk with us.