A year after GDPR came into effect, the ICO (the British regulatory authority on data privacy) fined British Airways and Marriott International £183.39 million and £99 million respectively. The penalties imposed on the companies are below the 4% threshold (GDPR stipulates penalties of up to 4% of global revenues). By imposing these penalties, the ICO has signaled that companies need stronger data privacy regulations and mechanisms; if companies do not take proper care, the ICO will not shy away from heftier fines.
Across the North Atlantic, the US is also introducing laws in the form of NVSB220 and CCPA (also referred to by some as GDPR-Lite). The regulation may well douse the ongoing debate on data privacy. In response to CCPA, companies will need to start adding clauses to their privacy policies and managing the data they store or process.
The two regulations (CCPA and GDPR) do have commonalities such as:
The major point where CCPA departs from GDPR is its clauses for:
- The Right to Opt-Out
- The Right to Access
- The Right to Delete
- Restriction of sales of personal information
- Minimal discrimination of consumers opting out of data sharing with a company
Instead of dwelling on the definition of CCPA (the web is filled with definitions), we can look at how the law will apply to vendor businesses. To begin with, CCPA would apply to "businesses that collect or determine the purposes and means of processing data for commercial purposes".
1. Questions the companies should ask themselves on data policies
Any company that operates in California or deals with data of California residents needs to know:
- Will CCPA apply to my company or service providers of my company?
- Which category of personal data is stored/processed by the company?
- Why and where will the data be processed?
- Will the data be shared with a third party for business purposes? If yes, how?
- How can the data be used to identify a consumer for the different categories of requests?
- How should existing vendor contracts be amended?
2. What clauses can companies start applying to vendor contracts?
Companies can update privacy policies with clauses that explicitly specify the purpose, in the sense of a "business" (a for-profit legal entity that collects and sells consumer/personal information). Some clauses that can be added proactively are:
- Define the purpose, as per CCPA standards, when data is shared with other parties: research, sale, service provider and third party.
- Commercial purpose as stated in CCPA: right to access and right to be informed
- Clauses for disclosure of processing not restricted by CCPA
- Clauses to restrict the use, retention or disclosure of consumers' personal information in cases where service providers do not qualify as the third party
- Clauses to ensure proper differentiation among vendors or service providers or third parties. This categorization will define the nature of data usage by each category.
- Clauses that enable a process for lawful data transfer across borders
- Clauses that mention vendors or service providers should comply with governmental inquiries
- Clauses that enable compliance on the deletion of user data or pseudonymization of data
- Clauses that prohibit vendors from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract
- Clauses to obtain certification from vendors of their compliance with these policies
The above list might not be exhaustive, but it can be a starting point for the CCPA compliance journey.
3. What Next?
With CCPA coming into effect, companies need to start considering compliance costs in their budgets. This is a simplistic overview of estimated costs that companies might face.
Like GDPR, the CCPA regulation will continue to evolve, and some ambiguity will remain in its interpretation. In the case of GDPR, data regulatory authorities have not yet penalized any company the full 4% of global revenues. Currently, no one is sure of the level of penalties that will be imposed under CCPA, and this is something to watch for.
Disclaimer: This analysis is not a substitute for considering CCPA’s requirements in its entirety.