The CCPA is only days away from taking effect, but don’t panic. OneTrust has all the resources you need to be CCPA ready by January 1, 2020 – including answers to your burning CCPA questions. After a very successful CCPA Master Class webinar series, we’ve compiled the most common and frequently asked CCPA questions and had our in-house CCPA legal experts curate responses just for you.  

If you’ve missed any of our CCPA Master Classes, you can download the recordings on our Master Class webpage or submit questions to CCPAHelp@OneTrust.com. Don’t forget that you can access the full text of the law, relevant articles about the amendments and AG guidance, and the latest CCPA news and updates at Free.DataGuidance.com. 

Q: Under the scope of the CCPA, does the $25 million annual gross revenue apply to just California generated revenue, or to global revenue? 

A: We’re understanding it to be global revenue, and that’s what we’re seeing as the consensus in the market.  

A reasonable interpretation based on a plain reading of Cal. Civ. Code §1798.140(c)(1)(A) is that the threshold operates at the level of the individual business (since the section reads ‘A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity […] that […] has annual gross revenues in excess of […]’) and does not exclude revenue derived from non-California business (there is no indication in the text of the law that any amount should be excluded from the ‘annual gross revenue’). 

Keep in mind gross revenue is only one way to get pulled in—there’s also volume (50,000 CA residents, households, devices annually) and percentage of revenue from selling (i.e., 50% or more annual revenue from selling CA resident data). 

Q: Does the CCPA apply to non-consumer-facing businesses (B2C)? If yes, how and why? 

A: B2B relationships are exempt from the CCPA for this first year of the law being in effect, but in general, yes, the CCPA will apply to B2B organizations. While you may not have a direct-to-consumer business model, think about your marketing communications, your CRM (where you may track leads and prospects), your website (which anyone can visit to download resources or provide their contact information), and your employees (who also have a one-year exemption but will be fully in scope after this first year of the CCPA). 

Q: Is a business a “consumer” for purposes of the law? 

A: No – a business is the entity regulated by the law and is defined as a for-profit legal entity. The consumer is protected under the law and refers to “natural persons” who are California residents (not legal entities). 

Q: Can you explain from your perspective what you think the most common compliance challenges will be? What do the experts see as the most difficult area of compliance to implement from a technical perspective? 

A: Well, the first area is operationalizing the consumer rights and opt-out requirements. As far as access and deletion requests go, those are fairly straightforward–it’s just a lot of work to set them up, train people to handle them, and then actually put in the time to do it correctly. 

And in terms of the opt-out, we are seeing people really doing this in two ways—one is through giving people the ability to opt-out of cookies that might be tracking them and might be getting shared with third parties, and second is through the ability to opt-out of more traditional sharing of data–maybe through marketing partnerships for example.  

So, businesses need to figure out where that sharing is happening and with whom it’s happening, make an important decision about whether that sharing falls within the expansive definition of “sale” under the CCPA, and then decide whether any exceptions apply. 

And then once an opt-out request comes in, you have to stop the sharing of that data and contact the third party to tell them to do the same. 

That’s a big lift, but luckily there are technology solutions like OneTrust out there that help automate all of this, and we’re finding that a lot of our customers are benefiting from them. 

Another challenge I think many organizations are still facing in the leadup to January is in understanding scope. In other words, organizations are trying to nail down where the CCPA applies to them, and where it doesn’t. Part of the problem is that the CCPA is not easy to understand when it comes to navigating scope and exemptions to that scope, and we are going to be waiting for a while on the California AG to finalize their draft regulations on these topics. 

With that said, what we see most of our customers doing is taking a conservative approach in their interpretation: interpreting things broadly, getting the major pieces in place as much as they can before Jan 1, and then, when there is more clarification, cutting things back and narrowing things a bit later on. But right now, I think companies have a general idea of whether the law applies to them and they’re running with that. And I think that approach is much better than overthinking and overanalyzing all the small nuances that still can’t be interpreted with any real level of certainty. 

And as I said before, these sorts of requirements are becoming the norm and you’ll have to implement them sooner or later anyway, so why not do as much of the work now, while you can and while there’s buy-in and attention to these topics. 

And what we’re doing on our end at OneTrust is making sure that our technology is flexible enough to support any interpretation, and that we’re able to support what’s in the draft regulations so that we and our customers are as ready as we can be when the regs do get finalized, and then if there are gaps we’ll cross that bridge when we come to it. 

Q: What are the top 2-3 risks where business may fall behind in compliance by Jan 1? 

A:

  1. Not understanding scope – Am I a business? Am I a service provider? Am I both? Where am I one and not the other? Do I fall under an exemption?
  2. Operationalizing opt-out of sale, DSARs, and other public-facing requirements
     - Browser plugins and privacy settings could be used
  3. The AG Regulations — the AG promised to finalize them by Spring 2020 (which is after the CCPA takes effect)
     - The regs propose new recordkeeping and notice requirements
     - For businesses that collect or share personal information about more than 4 million California consumers, include the reporting metrics for the previous calendar year on the number of requests to know, delete and opt-out that the business has received, complied with in whole or in part, and denied, and the median number of days within which the business substantively responded to requests to know, requests to delete and requests to opt-out.

Q: Can you provide clarity around the legal aspects of the law, including the Attorney General’s proposed regulations and the amendments’ impact on the final text of the law, as well as the operational challenges and considerations for meeting compliance? 

A: The law will go into effect in two weeks, on Jan 1, but the CA AG’s enforcement powers won’t actually begin until July 1. However, the AG has specifically stated that this six-month period from January to July shouldn’t be viewed as a safe harbor or grace period: the core provisions of the CCPA become operational on January 1, 2020, and companies should account for the prospect that the Attorney General may look to bring enforcement actions after July 1, 2020 based on conduct that occurs between January 1, 2020 and July 1, 2020. Accordingly, companies should seek to achieve compliance by January 1, 2020. 

CCPA amendments were officially signed into law on October 11th. The passage of the amendments comes on the heels of the California Attorney General’s draft regulations. 

The CCPA requires the California AG to adopt regulations that further the purposes of the CCPA, following a public consultation period. 

The AG issued a draft of those regulations on October 10, and they’re now undergoing a public consultation period until December 6th and are expected to be finalized sometime next Spring (after the CCPA goes into effect).  

Q: How is the CCPA different from the GDPR? Will this affect other states at some point and, if so, with which regulations? It would be great to understand the CCPA from a non-stateside point of view. 

A: Well, it’s not as comprehensive as the GDPR in terms of what it requires of organizations, but it does have some key similarities, mainly in the area of data subject rights, or as the CCPA calls it “consumer rights”.  

So, like European residents, California residents as of January 1st will have rights to get information about what their personal information is used for by businesses, who it’s shared with, and so on, as well as rights to access that data and to have it deleted by the business. 

One thing that is unique about the CCPA, however, is that there is a specific call-out in the law about the sale of personal information and the right of California residents to opt out of the sale of their information to third parties. That one in particular is creating some operational challenges for companies, primarily because the CCPA has a very broad definition of what is considered a “sale” of information: it’s not what you would typically think of in terms of money changing hands; instead, it is defined as exchanging data for any valuable consideration in return. So there are a lot of possibilities there in terms of scope, and businesses are working on wrapping their heads around that. 

We’ve already seen some other states follow in California’s footsteps, which essentially followed in the GDPR’s footsteps, and I think we’ll continue to see more of that, as well as a continued debate over comprehensive federal legislation that could preempt state laws like the CCPA. However, being in an election year might slow this down a bit.  

Learn more about the CCPA vs. the GDPR. 

Q: What language is required to be in service provider agreements to qualify for service provider exception? 

A: The required terms are found in Cal. Civ. Code § 1798.140(w)(2). 

Q: Scenario – a Canadian citizen also has a winter residence for part of the year in California.  Are they considered a California resident as it relates to CCPA? 

A: Maybe. Whether someone is considered a “consumer” is based on California tax law.  

The Act defines a “consumer” as “a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations . . . .” 

Section 17014 defines a California resident broadly to include “(1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose. All other individuals are nonresidents.” Cal. Code Regs. tit. 18, § 17014.  

The challenge here is the “temporary or transitory” language: 

A business would have to assess if the customer, for example, came to or left California for vacation, to perform a specific transaction or contract, or to fulfill a particular engagement. However, because most consumer-side businesses collect massive amounts of data on individuals, it will be a costly and time-consuming endeavor to evaluate these facts for each consumer’s personal information, and regularly update the analysis to reflect the changing geographic location of its customers. In addition to the time and cost involved in conducting such an assessment, there is potential exposure to legal risk if a consumer’s residence is misidentified. Thus, the prudent response to this issue is to be over-inclusive in categorizing consumer information that is subject to the CCPA. 

Q: How is employment information defined by the CCPA? What employee data is subject to the CCPA? 

A: “Employment information” is not defined but is mentioned in the CCPA. 

The first place is in the definition of personal information, which gives “professional or employment-related information” about a person as an example of personal information covered by the CCPA. 

Elsewhere, it is mentioned as part of an amendment to the law that, for the first year of the CCPA, essentially exempts employment data from most aspects of the law (except for notice requirements and the data breach private right of action). 

Q: How do you determine the appropriate level of reasonable security to comply with the CCPA? 

A: There are different guidance documents and recommendations out there that have been issued by various regulators, the CA AG, the FTC, etc. and overall, I think these are helpful for businesses to understand how the regulators view things.  

One that was recommended to me in particular is California’s Data Breach Report. It goes into detail on the question of “reasonableness”, which is ultimately going to depend on context: the size of the organization, the sensitivity of the data being processed, the volume of data processed, the categories of data subjects, what the data is being used for, etc. It basically comes down to what the reasonable expectation would be of an organization with all these different factors considered. And what’s reasonable for one business, maybe a large social media company, versus a small retailer, is most likely going to be different. 

Q: For minors between 13-15, what kind of age verification will work for the opt-in for sale of information? 

A: Look to the draft regulations: 

For consumers 13 years and older, it is demonstrated through a two-step process whereby the consumer shall first, clearly request to opt-in and then second, separately confirm their choice to opt-in.   

Within the context of a parent or guardian acting on behalf of a child under 13, it means that the parent or guardian has provided consent to the sale of the child’s personal information in accordance with the methods set forth in section 999.330.  

A business that has actual knowledge that it collects or maintains the personal information of children under the age of 13 shall establish, document, and comply with a reasonable method for determining that the person affirmatively authorizing the sale of the personal information about the child is the parent or guardian of that child. This affirmative authorization is in addition to any verifiable parental consent required under the Children’s Online Privacy Protection Act, 15 U.S.C. sections 6501, et seq.  

Methods that are reasonably calculated to ensure that the person providing consent is the child’s parent or guardian include:  

  1. Providing a consent form to be signed by the parent or guardian under penalty of perjury and returned to the business by postal mail, facsimile, or electronic scan;  
  2. Requiring a parent or guardian, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder; 
  3. Having a parent or guardian call a toll-free telephone number staffed by trained personnel;  
  4. Having a parent or guardian connect to trained personnel via video-conference;  
  5. Having a parent or guardian communicate in person with trained personnel; and  
  6. Verifying a parent or guardian’s identity by checking a form of government issued identification against databases of such information, where the parent or guardian’s identification is deleted by the business from its records promptly after such verification is complete. 

Q: What if your company does not sell personal information for monetary or other valuable consideration? Do you still need a “do not sell my personal information” button on the website? 

A: No – the CCPA states in section 1798.135(a) that a business is only required to do this if they are selling information. 

One thing we are seeing that you could do is add a statement to your privacy notice that says “we do not sell personal information,” and then, on the back end, have a documented analysis of how you arrived at that determination in case you have to explain it. 

If we don’t sell any consumer information, then what are the required items to do? For an insurance carrier, is it up to the carrier or the MGA to take care of the requirement? 

Q: Is the use of cookies considered a sale? 

A: We’re seeing it interpreted that way, especially if you do not have a service provider contract in place to take advantage of the exception to sale. Learn more about OneTrust’s cookie blocking tool.  

Q: Is a cookie consent banner required for CCPA?  

A: No, but data collected by cookies can be considered personal information and thus subject to CCPA. Cookie banners, notices and preference centers ensure a greater level of notice, transparency and choice for consumers.  

Q: Does the do not sell button have to be on the first webpage or can it be a link within the privacy page to a California specific page which offers this right? 

A: The button should be in both places, and everywhere else personal information is collected (e.g., via cookies and web forms). We most commonly see customers putting the button in the footer of their site (so, on every page) and in their privacy notice. 

Q: What ‘proof’ is required to provide regarding deletion of customer data upon request? 

A: I think what we’re hearing from most customers is that this will be confirmed within the request workflow–so for example if you used OneTrust to facilitate consumer rights, you would treat the receipt of the request, the action you take, and the response to the individual as one completed request. Again, this is what we see our customers doing the most, but at this point it’s probably open to interpretation. 

Q: How are most companies addressing requests made by consumers who are not California residents? 

A: There’s a split between companies wishing to treat California residents separately, and those taking a more global approach. However, I think we see the global approach (i.e., giving everyone the opportunity to opt-out) the most often.  

Q: Can you explain exactly what the Toll-Free Number amendment laid out and who is now in scope for that requirement?  

A: As of January 1st, when the law takes effect, if your organization falls within the definition of a “business” under the CCPA, you’ll be required to make available to consumers two or more designated methods for submitting requests, including, at a minimum, a toll-free telephone number.  

The exception to this rule is if you are a business that operates exclusively online and has a direct relationship with a consumer from whom you collect personal information. If this is the case, you can provide an email address instead of a phone number.   

This exception was added through an amendment to the CCPA, and was signed into law, which means it will also go into effect on January 1st with the rest of the CCPA.  

So, if you are a business that operates exclusively online and has a direct relationship with a consumer from whom you collect personal information, then you do not need to provide the toll-free phone number and can instead substitute an email address to meet the requirement instead.  

The stated reasoning behind the toll-free number requirement in the first place is that it is intended to protect consumers who may not have access to the internet or who, due to access issues, interact with a business only in its brick-and-mortar establishments. 

And so, the exception was added after recognizing that some businesses may operate exclusively online and not have toll-free numbers available, and so the amendment intends to provide a limited exception for those online-only businesses with some added flexibility.  

Learn more about OneTrust’s CCPA Toll-Free Number solution. 

Q: Can the 800 number be provided in the privacy policy on a company’s website, or does this need to be on a homepage? 

A: The law and the draft regs are both silent on this, so I’d say you have some flexibility here, but the goal is to make sure that individuals are able to find it. So, on your privacy notice, maybe on the web form, maybe in the footer or “contact us” page, maybe in written privacy notice mailings if you send those, maybe at your front desk or register, on the back of a receipt, etc. There are a lot of different options, and I think the best practice is still in development at this time. 

Q: For “right to know” – is that both disclosure of what the company is doing or please give me information you have on me (portability)? 

A: Both – there are two levels to this. The first is a request for categories of information, and the second is a request for specific pieces of information delivered in an electronic, portable and readily useable format (e.g., in a spreadsheet or CSV format). 

Q: What’s the difference between commercial and business purposes? 

A: “Commercial purposes” is defined in § 1798.140(f): “Commercial purposes” means to advance a person’s commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction. “Commercial purposes” do not include for the purpose of engaging in speech that state or federal courts have recognized as noncommercial speech, including political speech and journalism. 

“Business purpose” is defined in § 1798.140(d) and includes a detailed list: 

  1. Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards. 
  2. Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity. 
  3. Debugging to identify and repair errors that impair existing intended functionality. 
  4. Short-term, transient use, provided the personal information that is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction. 
  5. Performing services on behalf of the business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider. 
  6. Undertaking internal research for technological development and demonstration. 
  7. Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business. 

Q: When does the 45-day clock start? When the request has been received or when the identity has been verified? 

A: Section 1798.130(a)(2) of the CCPA says a business must: 

“disclose and deliver . . . free of charge within 45 days of receiving a verifiable consumer request . . . [and] shall promptly take steps to determine whether the request is a verifiable consumer request, but this shall not extend the business’s duty to disclose and deliver the information within 45 days of receipt of the consumer’s request . . .” 

So the 45-day clock starts when the request is received, not when the requester’s identity is verified. 

Q: Can deletion be limited, or must it be across entire IS systems of company? 

A: The CCPA just says that the information needs to be deleted, without going into detail on what that means. However, there are exceptions to deletion written into the law that could allow you to retain the data in certain cases—the important thing there is to notify the consumer of the reason why you can’t delete, if that’s the case. And so again, this is something we expect to hear from the CA AG on, BUT we can look to guidance in other jurisdictions. For example, EU regulators such as the UK Information Commissioner have stated that deletion needs to include backup systems as well as live systems, but if for some reason the backup data can’t be deleted, the ICO says the key issue is that it be put “beyond use”–i.e., make sure it’s not used until the time that it can feasibly be overwritten. 

Q: Are there any changes in timeline in terms of Access, Deletion and Opt-Out requests? 

A: Not in the amendments. See draft regulations: 

Upon receiving a request to know or a request to delete, a business shall confirm receipt of the request within 10 days and provide information about how the business will process the request.  

Businesses shall respond to requests to know and requests to delete within 45 days. The 45-day period will begin on the day that the business receives the request, regardless of the time required to verify the request. If necessary, businesses may take up to an additional 45 days to respond to the consumer’s request, for a maximum total of 90 days from the day the request is received, provided that the business provides the consumer with notice and an explanation of the reason that the business will take more than 45 days to respond to the request. 

Upon receiving a request to opt-out, a business shall act upon the request as soon as feasibly possible, but no later than 15 days from the date the business receives the request. 

A business shall notify all third parties to whom it has sold the personal information of the consumer within the 90 days prior to the business’s receipt of the consumer’s request that the consumer has exercised their right to opt-out, and instruct them not to further sell the information. The business shall notify the consumer when this has been completed. 
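The timelines quoted from the draft regulations above, together with the 45-day rule in § 1798.130(a)(2), are the kind of thing a request-handling workflow has to compute mechanically. The following deadline helper is an added example and is not OneTrust code; it assumes calendar days, that every clock starts on the day the request is received (verification never moves it), and a constructed sale log of (date, third party) pairs.

```python
"""Deadline helper for CCPA consumer requests under the draft regulations.

Added example, not OneTrust code. Assumes calendar days and that the clock
starts on the date the request is received, not when identity is verified.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional, Tuple

# Periods quoted from the draft regulations (calendar days assumed).
CONFIRM_RECEIPT_DAYS = 10   # requests to know / delete: confirm receipt
RESPOND_DAYS = 45           # requests to know / delete: substantive response
MAX_EXTENDED_DAYS = 90      # absolute ceiling once an extension notice is given
OPT_OUT_DAYS = 15           # requests to opt-out: stop selling by this date
SALE_LOOKBACK_DAYS = 90     # third parties sold to in this window get notified


@dataclass
class ConsumerRequest:
    kind: str                            # "know", "delete" or "opt-out"
    received: date                       # the date that starts every clock
    verified: Optional[date] = None      # recorded, but never moves a deadline
    extension_notice_sent: bool = False  # notice + reason given to the consumer


def deadlines(req: ConsumerRequest) -> dict:
    """Return the dates by which each required step must be completed."""
    if req.kind == "opt-out":
        return {"act_by": req.received + timedelta(days=OPT_OUT_DAYS)}
    if req.kind not in ("know", "delete"):
        raise ValueError(f"unknown request kind: {req.kind!r}")
    # The extra 45 days only exist if the consumer was told why; otherwise 45 total.
    respond_days = MAX_EXTENDED_DAYS if req.extension_notice_sent else RESPOND_DAYS
    return {
        "confirm_by": req.received + timedelta(days=CONFIRM_RECEIPT_DAYS),
        "respond_by": req.received + timedelta(days=respond_days),
    }


def can_extend(req: ConsumerRequest, today: date) -> bool:
    """An extension is only available for know/delete requests, only once, and
    only while the initial 45-day deadline has not already passed."""
    return (req.kind in ("know", "delete")
            and not req.extension_notice_sent
            and today <= req.received + timedelta(days=RESPOND_DAYS))


def third_parties_to_notify(req: ConsumerRequest,
                            sale_log: Iterable[Tuple[date, str]]) -> List[str]:
    """Third parties that bought this consumer's data in the 90 days before the
    opt-out was received; each must be told not to sell it further."""
    if req.kind != "opt-out":
        return []
    window_start = req.received - timedelta(days=SALE_LOOKBACK_DAYS)
    return sorted({party for sold_on, party in sale_log
                   if window_start <= sold_on <= req.received})


if __name__ == "__main__":
    # Constructed sample: request received Jan 6, 2020, identity verified 12 days later.
    access = ConsumerRequest("know", date(2020, 1, 6), verified=date(2020, 1, 18))
    print(deadlines(access))   # confirm_by 2020-01-16, respond_by 2020-02-20
    opt_out = ConsumerRequest("opt-out", date(2020, 1, 6))
    sales = [(date(2019, 10, 1), "adnet"),       # outside the 90-day window
             (date(2019, 12, 20), "broker-a"),
             (date(2020, 1, 3), "broker-b")]     # constructed sale log
    print(third_parties_to_notify(opt_out, sales))  # ['broker-a', 'broker-b']
```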
