The Impact of the CCPA on Small Businesses

With the new year coming up fast, businesses are all scrambling to begin implementing necessary changes before the California Consumer Privacy Act (CCPA) goes into effect. And as one might expect, this poses some unique difficulties for small business that don’t have the same resources as larger companies might.  

This month, the International Association of Privacy Professionals (IAPP) released the findings of a number of surveys they conducted with small and medium sized businesses about their preparation for the CCPA. The findings highlight the unique impact compliance with the CCPA is having on smaller businesses 

Here are some of the key findings:

Confusion is Universal

One interesting aspect of the survey was that confusion surrounding CCPA compliance was universal to both small and large businesses. However, small businesses expressed a specific lack of clarity regarding what employee data is covered, how the sale of data relates to basic advertising, and potential conflicts with existing regulations.   

Vendor Management

Another key concern for small businesses is how the CCPA will affect their use of vendors and third parties. Because they have a limited number of employees, small businesses are more likely to outsource some of their work onto third parties. And, according to the IAPP’s findings, small businesses are less likely to have specific programs in place to ensure vendors’ privacy policies meet their own standards and comply with regulations. The report found that while small businesses do generally include privacy clauses in vendor contracts, “they use privacy questionnaires and audits significantly less often than larger companies.”  

Lack of Automation

The survey also found that small businesses are less likely to have privacy-focused automation in place. Because the CCPA requires business to process consumers’ data access requests, processing these requests along with managing data inventories will likely become more of a burden for small businesses. Without the resources to automate these processes, small businesses fear that implementing and managing data access requests will require an overwhelming amount of time and energy.  

What’s more, lack of automation could make it easier for fraudulent data access requests to slip by, resulting in data breaches that would leave them in violation of the CCPA. This has already been an issue with the GDPR, and small business worry that they don’t have the tools necessary to effectively verify the identity of individuals requesting access to their data.  

While preparation for the CCPA is a top concern for businesses of all sizes, the IAPP’s findings show that small business are facing a number of unique challenges. When it comes to compliance, the CCPA holds all businesses to the same standard. And while this gives consumers greater assurance that their privacy is protected across the board, the impact this will have on small business is greater than what larger companies are experiencing.

Changes to the California Consumer Privacy Act (CCPA) have been finalized – Goes into effect January 1

As of September 13th, the California Legislature has finished passing amendments to the California Consumer Privacy Act (CCPA) meaning no more changes to the law will be made before it goes into effect this January.  

Originally passed in September 2018, the CPPA is widely considered to be the most comprehensive privacy law in the U.S. to date. Taking their cue for the E.U.’s GDPR, the CPPA gives California consumers the right to know what data companies collect on them and even opt of the collection and sale of their personal information. However, as we wrote about in Julya number of amendments were introduced that privacy experts fear could greatly reduce the impact of the new law.  

In the months since then, some of those amendments successfully passed while others were reworked or scraped altogether. The legislature passed a number of amendments, most of the highly contested changes were put together in bill 1355 Personal Information. 

Here is an overview of some of the changes that made it through: 

Non-discrimination 

While the CCPA prohibits any discrimination against consumers who opt-out of the sale of personal information, the new amendment makes an exemption if “differential treatment is reasonably related to value provided to the business by the consumer’s data.”  

This is potentially a big deal. While some of this language will likely be challenged and clarified after the Act goes into effect, it opens the door for business to offer different services and/or prices if a user exercises their right to opt-out of the sale of their personal information.  

Definition of Personal Information 

The amendment also makes a very small change to the definition of personal information, but one that could have large implications. In defining what counts as personal information, the bill simply adds the word “reasonably” to the phrase “capable of being associated with” a particular consumer or household. This small change creates some wiggle room for business when it comes to arguing what information is protected under the CCPA.  

This also reinforces the clarification in the amendment that de-identified and aggregate consumer information does not fall within the scope of the CCPA. And with efforts already underway to weaken the definition of de-identified information, this could potentially further limit what personal information is protected.  

Employee Information is Exempt 

The other big change to the CCPA concerns employee information. The new amendments now excludes employees from the right to know, opt-out, or delete any personal information their employer collects and sells. However, this exemption sunsets in 2021 and will therefore have to be re-introduced after that. This will likely be the site of a large battle between unions and privacy advocates on one side and industry groups on the other.  

 

While these changes certainly reduce the scope and impact of the CCPA, the central tenants of the law remained largely intact. Overall, consumers will still be able to exercise their rights to know what personal information businesses are collecting, to opt-out of the sale of this information to third parties, and to even request that a business delete their information. It’s therefore important that all impacted business continue to work to be in compliance by the beginning of next year. 

Preparing for the CCPA

Time is running out. The California Consumer Privacy Act (CCPA) goes into effect January 1st 2020, and businesses need to be taking the steps necessary to comply. The new law is widely considered to be the most comprehensive privacy regulation in the U.S. to date and won’t just affect businesses operating within the state of California. Instead, any organization that collects the personal information of California residents might be subject to the new regulation. It’s important that every business reviews the regulation to understand whether they will be required to comply.  

And while the CCPA has many similarities to the E.U.’s General Data Protection Regulation (GDPR)organizations should not assume that compliance with one automatically means compliance with the other. It’s therefore essential that any business potentially affected by California’s new law understand what compliance entails and take steps to put any necessary new systems in place.  

Compliance: The Essentials

Inventory California Data

Really, it’s always a good idea to conduct an inventory of the data collected and processed, but it’s going to be especially important for compliance with the CCPA. Because the regulation gives consumers the right to request information about how their data is used, the first step will be to conduct and maintain a comprehensive inventory of your data. This should include not only what data you’re collecting, but also how it’s collected, where it’s stored, and who it’s shared with.  

It’s important to note that “personal information” covers more than just names and addresses. It also includes, among others, biometric data, geolocations, and internet activityReally, any information that can be linked back to an individual will fall under the scope of the CCPA.  

Develop Systems to Process Consumer Requests

After conducting a throughout inventory of this data, organizations will need to put in place procedures to quickly and accurately processing consumer requests to access this information. Under the CCPA, consumers have the right to request information on what data is being collected and who that information is being shared with. 

The regulation requires organizations to provide at least two methods for requesting this information, including at minimum a toll-free number and a webpage designated for requests. Once a request is made, businesses need to be able to quickly process and fulfill them. The CPPA requires all requested information to be delivered to the consumer within 45 days of the request.  

For most businesses, this will be the toughest aspect of the regulation to put in place. To help, there are a number of automated tools that can assist with processing. We also recommend having someone on staff certified in privacy through the IAPP or have someone on retainer who can assist with the process.  

Introduce an Opt Out Link on the Homepage

Under the CCPA, businesses will need to include a link on their homepage allowing users to opt out of the sale of any personal information. The regulation requires that this link needs to be “clear and conspicuous” and be titled “Do Not Sell My Personal Information.” Consumers also need to be able complete the opt out request without having to create an account.  

Update Privacy Policy

The CCPA will require businesses to update their privacy policy. According to the regulation, privacy policies will now need to include a description of consumer rights under the CCPA as well as a list of the types of personal information the company collects, shares, and sells with other entities. The privacy policy should also include the link to the “Do Not Sell My Personal Information” page. 

Review Overall Cybersecurity Policies and Practices

On a more general level, businesses should also take the time to ensure their cybersecurity policies and procedures are up to snuff. According to the CCPA, if an organization experiences a data breach, they will be considered responsible and be subject to fines if the state deems the organization to have failed to implement and maintain reasonable security procedures and practices.” There will likely be more clarification on what “reasonable security procedures and practices” entails once the regulation goes into effect, but organizations should play it safe and ensure they have a strong cybersecurity system in place to safeguard against potential liability 

Writing a Privacy Policy You’ll Actually Want To Read

Creating a privacy policy is necessary for any business collecting or processing personal information and is essentially a legal agreement between you and people visiting your website. And more often than not privacy policies are thought of as just that: a legal buffer. But with more users mistrusting the services they use, these policies should instead be seen as an opportunity to build trust with customers, establish a level of transparency, and show that your respect their privacy.  

Here is a short primer on what should be included in a privacy policy, and how to write it in a way that is accessible to users.  

The What

What information you collect 

It’s important to be upfront about all type of information you may collect about your users. This not only includes personal information (name, email, phone number, etc.), but also things like usage and analytics data, as well as the first- and third-party cookies.  

How you collect information 

Listing the methods used to collect data is another important aspect of a privacy policy. Is it information that they are freely providing? Is it automatically collected through your browser? Is it collecting through a script or plug-ins on your website? Providing this information will help users make informed decisions on how to navigate your site in a way that fits their privacy needs.  

How you use information 

It’s essential that you inform users not only of what you’re collecting, but how youre using that information. In many cases, it can help explain why it’s important that you collecting this information in the first place. Examples include customer service, payment processing, and improving site experience. On top of these, you’ll also need to state if you’re using data for marketing and joint marketing purposes. 

What information you share and why 

You’ll also want to state any information that you share with others. This might be for something like third-party advertising but can also include other companies related by common ownership, non-affiliates that market to you, or even non-profits using the data for research studies. Today, users are concerned about understanding who has access to their data, so this information is especially important.   

How that information is secured  

This is something you’ll definitely want your users to know about. Listing what security systems and practices you have in place will go a long way to show users that you care about their privacy and are taking the necessary steps to ensure it’s secure. 

What privacy options do users have 

It’s become more common for websites to give users some choice with regards to their privacy. This includes whether they can access the data that has been collected, the ability to change what information they want to share, whether they can delete data previous collected, as well as the ability to decide how long you hold on to their information. If you allow users these options, you want to explicitly state that they have those abilities.  

Who users can contact about privacy concerns 

Another component to your privacy policy should be a contact person that users can contact when they have questions or concerns regarding the policy or any other privacy-related issues. It’s important that users have someone they can reach out to when they have concerns.  

Regulation Compliance 

Lastly, depending on where you operate and even where your servers are located, you may be subject to certain privacy regulations that require you to both include certain components in your policy as well as explicitly state your compliance with these regulations. Two big regulations that could effect your privacy policy is the California Consumer Privacy Act (CCPA) (effective in 2020) and the EU’s General Data Protection Regulation (GDPR). Another important regulation is the Children’s Online Privacy Protection Act (COPPA) which requires certain privacy controls and parental consent before collecting data on children under 13. 

The How

Above all, when it comes to writing your privacy policy, it should be readable. 

Your users shouldn’t need a law degree to understand what’s in the policy. Write in plain English. Keep it as short as possible. While there is a lot of information to include, you should stay as concise as possible. If need be, you can layer the policy, meaning have basic language that provides a general overview and link else for details about different sections. Lastly, you want to ensure that the policy itself is easily accessible to users. It shouldn’t be tucked away in tiny font. Place it somewhere prominent that users to find whenever they’d like to refer back to it. 

This is especially important if you need to comply with the GDPR. Not only does the regulation require you to include certain information in your privacy policy, but also includes requirements to ensure your policy is sufficiently clear. The GDPR’s website provides some guidance on privacy policy best practices that you can find here 

Even if you’re not subject to the GDPR, it’s probably a good idea to try and follow their guidelines as well. Again, your privacy policy isn’t just a legal safeguard. It should be understood as a way to communicate to your users about their privacy and ensure them you’re being transparent about your data collection.  

Taking Aim at the CCPA

From the land of Silicon Valley comes privacy regulations that may have a tremendous impact on how tech companies use and share your data. 

Modelled largely off the EU’s GDPR, the California Consumer Privacy Act (CCPA) is the largest and most comprehensive online privacy regulation passed in the United States to date. The regulation provides California residents extensive rights over what personal information companies collect, how the information is used, and even gives consumers the right to opt-out of data collection all together.  

The bill was passed into law in September 2018 and goes into effect this coming January. With the door fast closing, the race is on to add amendments and further clarifications to the new law. Last Tuesday, California Senate’s Judiciary Committee voted on a series of new amendments that could limit the scope of the CCPA.  

Here is a brief primer on the three most contested amendments and their fate in last Tuesday’s hearing.  

AB-1416  

This amendment proposes that business should be able to sell personal information even if consumer has opt-ed out if the sale is “for the sole purpose of detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity.” The amendment worried many privacy experts, who considered it to open major loopholes in the regulation. Specifically, according to one commentator, the bill would “would chip away at the rights of Californians by allowing law enforcement to get around existing warrant requirements to access personal information.”  

The bill was withdrawn by the author, Assemblyman Ken Cooley, at the last minute and so no vote was taken. However, according to some reports, it’s possible to bill will reappear for a vote next year, after the law has gone into effect. 

AB-873 

This amendment would exclude any de-identified data from the scope of the regulation. The real issue, however, is that bill lowers the threshold of what information is understood as de-identified. According to the amendment, data such as I.P. addresses and browser fingerprints would now be considered as de-identified information. However, according the senior counsel for policy and privacy at Common Sense Media, Ariel Fox Johnson, that information could potentially be used to re-identity data to specific users. “Deidentification is not a privacy protective technique if deidentified information can identify you.” 

The vote on the amendment was split 3-3, so the bill did not pass. Howeverthe bill’s author was granted reconsideration, so it is possible another vote on the amendment will be taken before the end of the summer. 

AB-25 

Another proposed amendment takes aim at restrictions on employers. As Bloomberg Law reports, the bill would exempt personal information employers have about their employees from the privacy law’s requirement that it be disclosed or deleted upon request.” 

The bill passed with 8-0 votes in favor, but with added changes that still require employers to inform employees about the types of information they are collecting about them and why. 

Next Steps 

The California legislature has until September 13, 2019 to pass bills amending the CCPA. Any bills up for reconsideration must still pass a vote in the Senate’s Judiciary Committee. All approved bills will then move to the Committee on Appropriations for a vote in August, to be followed by a vote of the full Senate. 

While it is likely some of these changes will go into effect, the results of the Judiciary Committee’s hearing make clear that the main purpose of the CCPA will remain intact. As a result, businesses should be taking this bill seriously and begin looking into what processes will need to be implemented in order to comply with these new regulations.  

 

Privacy Sells

There is no doubt that technology and digital tools have helped business grow. From more effective lead generation to highly-targeted marketing campaigns, there is a lot that organization can gain from using such tools.  And, there is a lot that consumers gain in terms of ease, cost and convenience.

Follow the adage that “there is no free lunch”, consumers do pay a number of costs related to the access to their data — the costs related to their ability to learn, costs related to their ability to expand beyond their narrow world past decisions, choices and interactions, costs related to their ability to feel and act independent and costs related to their privacy or their ability to choose how and with whom they share information about themselves.

Regulations such as the European GDPR and the California CCPA are upping the ante for businesses to install more privacy mechanisms in place.  And typically, when business hears regulation it hears disruption (in the bad way, not the sexy positive way disruption is used most times today).

But it doesn’t have to be that way.  Set aside the regulation and focus on your brand.  Focus on your relationship with your customer. Then ask yourself the following questions:

  1. Am I willing to be transparent of what I do with my customer’s data?
  2. Am I willing to tell my customers to whom their data may be shared (and hold those parties to the standards I am committing ourselves to with regards to the customer’s data)?
  3. Am I willing to ask my customers if it is ok to use their data for specific purposes?
  4. Am I willing to assist my customers if they wish to change or delete their data from our systems?
  5. Am I focused on only asking for or tracking data that I absolutely need in order to delight them and enhance our combined experience?
  6. Am I prepared to put in necessary safeguards to protect their data while it is on our systems?

If you can say ‘yes’ to each of these questions, not only will you have an opportunity to comply with privacy regulations, but you put yourself in the position of respecting your customer and enhancing your brand.

Perhaps privacy does sell.