Legal Disclaimer: Nothing stated hereinabove is legal advice. It is provided for informational purposes only. You should work closely with legal and other professional advisors to determine exactly how CCPA may or may not apply to you, and what you should do to comply.
Please change the first sentence to read "California’s new privacy law came into effect on January 1, 2020. Now’s a good time to check if you need to comply. And, if you do, what should be in place to ensure smooth operation.
At its most basic level, the California Consumer Privacy Act of 2018 (CCPA) grants rights to Californian residents on how their data is collected and used.
What’s unique is that this is the first statute in the United States that provides compensation for data breaches, greatly increasing the chances of class action lawsuits. See Cooley - CCPA FAQs Part 3: Litigation, Regulatory Actions, and Liability for more info. It also widens the definition of personal information to include an expansive list of items and even inferences (quasi-personally identifiable information).
Personal information includes ... inferences drawn from data sources "to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes."
Lastly, it applies to Californian residents (essentially those paying income tax in California), irrespective of their location when their data was collected.
Eleven other states are following California’s lead, with their own versions of data privacy laws winding through legislatures in 2020. Even if you don’t think you need to comply with CCPA today, many elements of California's law might be applicable to you in the near future.
The regulation doesn’t apply to every business and unlike GDPR, it’s an opt-out law; not opt-in. Specifically, it’s aimed at for-profit enterprises that have information regarding Californian residents and who meet one of the following criteria:
- Revenue over $25M
- Collect personal information on more than 50,000 people, households or devices
- Derive at least 50% of revenue from selling consumer information
CCPA is focused against selling or sharing personally identifiable data, which they define as “selling, renting, releasing, disclosing...personal information to a third party for monetary or other valuable consideration”
Compliance is based largely on implementing privacy best practices. Generally, the requirements that need to be addressed are two-fold:
- Informing consumers through privacy notices, terms of service, data processing agreements, policies, etc of the categories of personal information collected, disclosed, or sold, and what purpose the information is used for, and
- Implementing protocols so that consumers can request, view and delete or otherwise limit the sharing of their information.
We recommend you seek professional advice for modifying your legal notices, although there's a plethora of information online to help.
Upon receipt of a request for information, it's necessary to have the following protocols in place to honor data subject rights:
|The Rights||What's To Be Provided|
|Right to Disclose||The right to know what personal information a business has collected about them, where it was sourced from, what it is being used for, whether it's being disclosed or sold, and to whom it's being disclosed or sold|
|Right to Delete||The right to delete any personal information|
|Right to Opt-Out||The right to opt-out of allowing personal information to be sold to third parties|
|Right of Non-Discrimination||The right to receive equal service and pricing from a business, even if they exercise their privacy rights under the Act|
Protocols need to be completed within 45 days of receipt of verifiable requests, so automation is key.
The law stipulates that penalties can be applied in two ways:
- For intentional violations, the civil penalty is up to $7,500 per violation, but subject to a 30-day cure period,
- For data breaches, consumers can sue either individually or in a class action, where statutory damages range from $100 to $750 per resident per incident.
Multiply those figures across millions of consumers and damages can quickly add up.
California's Attorney General calculated that CCPA will cost businesses $55B, with 75% of Californian companies affected. By following privacy best practices and aligning with the rules and policies of CCPA at the outset, costs can be mitigated.
CCPA doesn't just stop at a consumer-facing website. As part of your API program, you're probably already collecting personally identifiable information for API logging and monitoring, user behavioral analytics, security checks, and other critical business activities. This means you need to audit your internal processes and data management to ensure they comply with CCPA (and GDPR). Luckily, CCPA already defines 7 categories of business purposes under section 1798, specifically:
- Auditing Interactions with Consumers
- Certain Short-term Uses
- Performing Services
- Internal Research for Tech Development
- Quality and Safety Maintenance and Verification
This means, as long as you are not selling or sharing personal information in exchange for money or something of equivalent value, your risk is lower if you are only leveraging the data for one of those 7 categories, which API analytics falls under. Because even data used for legitimate business purposes can put your organization at risk, it's important to ensure you have the correct processes and infrastructure in place to handle CCPA and GDPR requests.
One way to aid this process is by tagging every single piece of data within your organization with the user who generated it. API analytics services like Moesif already do this today to make compliance automatic to fulfill data subject requests right out-the-gate. This enables a CCPA subject request to be handled by non-technical users with just a few clicks rather than overloading your internal data engineering teams with CCPA subject requests.
Don't allow anonymous access to your API. Otherwise, you may have a hard time auditing who accessed that data to not only comply with CCPA but also to aid security review. Your API should only allow registered users to access the data which is usually done by some sort of API key or token. Each user of the API should have a primary contact person.
As part of your API monitoring and analytics infrastructure, you should log every read and write operation
on personal data. CRUD APIs are a natural way to do this as every access must go through your API regardless of
the client (web apps, partner programs, internal consumers, etc). You should also retire or pseudonymize such data after a defined period.
Don't just store a subject request in a Google Sheet or Excel document and ask a developer to manually delete. Any data infrastructure that stores personal data should also have a clean set of APIs or UI to handle data subject requests along with a timestamped audit log when actions are completed to ensure your internal process does not slip. Audit logs should be able to stand up in court.
Right to Opt Out requests is a tricky gotcha for organizations trying to become CCPA compliant as data and engineering teams not only need to build infrastructure to access and delete a user's historical data, they also need infrastructure to prevent future data collection. Such data suppression logic has to be implemented correctly while scaling to billions of API calls a day.
Although you might not be compliant by the deadline, many others are in the same boat, by some estimates up to 50%. The good news is that enforcement won't go into effect until the middle of 2020. And given California's Attorney General recent statement, it's never too late to start.
This article was written by Larry Ebringer, Head of Marketing at Moesif. It was originally published on the Moesif Blog.