CCPA and CPRA: What You Need to Know and Consider for Customer Requests
If you have customers in California, listen up! The California Consumer Privacy Act (CCPA) is here, the proposed modifications to the CCPA regulations are coming, and the California Privacy Rights Act (CPRA) is not far behind. They all affect you.
The following guide highlights the key aspects of the CCPA and CPRA and how they affect you and your business with customer identity verification.
What is the CCPA?
The California Consumer Privacy Act of 2018, or CCPA, directs businesses in their digital collection, storage and security of information of California-based customers.
While passed in 2018, the CCPA went into effect on January 1, 2020 with enforcement having started July 1, 2020. One round of implementing regulations came into effect in August 2020, and there are two more sets of proposed modifications pending as of the date of this article. Additional amendments through Proposition 24 – California Privacy Rights Act, which we will address shortly, will go into effect starting January 1, 2023.
Under the CCPA currently in effect, Californian consumers gain the protections of:
- Learning what personal data a business has collected about them
- Learning if and to whom their personal information has been sold or disclosed
- Denying the sharing of their information
- Receiving the same pricing and service, regardless of whether or not they’ve used any of these privacy rights
The CCPA affects legal, for-profit entities operating in California that collect personal information from consumers – provided they meet one or more of the following criteria:
- An annual gross revenue that totals $25 million or higher
- Buy, receive, sell, or share consumer data from 50,000 or more consumers, households, or devices
- Make the majority of their annual revenue from selling personal data
What is the CPRA?
The California Privacy Rights Act of 2020 (CPRA) is California ballot Proposition 24, which further expands the California consumer privacy rights originally established by the CCPA. Passed on November 3, 2020, the CPRA will take effect on January 1, 2023 and will apply to data collected on or after January 1, 2022.
The CPRA affects legal, for-profit entities that collect personal information from consumers provided they meet one or more of the following criteria:
- An annual gross revenue that totals $25 million or more
- Buys, sells or shares personal data from 100,000 or more consumers or households
- Makes at least 50% of their annual revenue from selling or sharing personal data
CPRA also amends the CCPA to include the following key changes:
Expanded definition of personal information. “Sensitive personal information” includes standard private data such as social security number, driver’s license number, and geolocation, but will also cover sensitive information such as genetic data, biometric data, ethnic origin, religious beliefs, union membership and sexual orientation, among other data.
Specifications and restrictions on sensitive personal information. Consumers will be able to request limits on how their information is used and to request corrections to it. Additional disclosures, opt-in/opt-out consent requirements, and purpose limitation are also specified.
The creation of the California Privacy Protection Agency, or CalPPA. CalPPA will be established as an “independent watchdog whose mission is to protect consumer privacy… .” The CalPPA’s aim is to enforce the privacy laws and impose penalties.
Additional and enhanced protections for minors. CPRA will require businesses to obtain consent before collecting information from consumers younger than 16, and to obtain parental/guardian consent for consumers under age 13.
Inclusion of service providers, third-parties and contractors. Contractors and service providers will also be required to only use California consumer information for a limited time and specified reason.
These external groups must also comply with CPRA in privacy protection and allow the contracting business access to monitor the compliance.
Explicit mention of prudent data security and liability. CPRA will require businesses to maintain reasonable security procedures and practices to protect personal information, including regular audits and risk assessments. Companies that experience a data breach compromising consumers’ email, password and security question will be exposed to a private right of action.
Fines and Penalties
Companies that do not meet the current CCPA requirements leave themselves open to lawsuits from both California residents and the state itself.
Non-compliant companies can face civil penalties of $2,500 for each violation or $7,500 for each intentional violation that goes unaddressed for over 30 days. For data breaches in which no harm results, consumers may collect between $100 and $750 per instance. If harm is done, consumers may collect more than $750.
As one might imagine, data breaches can end up being extremely costly to businesses, not only in managing and recovering from the breach, but in company reputation and CCPA penalties.
Under the CPRA, fines for violations involving the mishandling of minors’ data will be $7,500 per incident.
What Do The CCPA and CPRA Mean for Companies?
In light of the current CCPA and future CPRA, companies must not only ensure consumer data is secured from hackers and breaches, but companies also need to evaluate their current data awareness, collection, and distribution policies and practices.
The National Law Review provides a solid list of ten things companies should do to become compliant with the CCPA:
- Delegate CCPA compliance oversight to a knowledgeable employee or team
- Implement and maintain reasonable security practices
- Maintain procedures to respond to requests for access to personal data and specific pieces of information
- Maintain procedures to respond to requests to delete personal information
- Maintain procedures to respond to requests to opt out of the sale of personal information
- Update vendor contracts to comply with CCPA and avoid being characterized as “selling” personal information to vendors
- Maintain procedures for collection and use of personal information of minors
- Conduct appropriate privacy training for personnel depending on their job function
- Assess affiliates’ need to comply with the CCPA
“Verifiable” Customer Requests?
A key aspect of the CCPA relates to how companies interact with customers wanting to exercise their CCPA information rights.
However, the International Association of Privacy Professionals notes that changes to the CCPA “will make it more difficult for businesses to receive, verify, and respond to data requests submitted by customers.” This means companies will need to examine and perhaps improve their customer verification process.
The CCPA requires that:
- Businesses create, document and enact a reasonable process for identity verification
- Businesses generally avoid asking for extra information to verify the customer unless they cannot do so with the information they already hold
- Businesses do not impose any fees on customers for identity verification for purposes of information access or deletion
- Businesses implement reasonable security measures to prevent and detect fraud in customer identity verification
For businesses that offer password-protected accounts, those accounts and their existing password authentication may be used to meet the reasonable verification standard.
However, for businesses that do not offer password-protected accounts, verification is a bit more complicated. Non-accountholders must be verified to a reasonable degree of certainty by “matching at least two data points provided by the consumer with data points maintained by the business that it has determined to be reliable for the purpose of verifying the consumer.”
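The two-data-point rule above, worked through as an added example (not code from the original article or from any product it mentions). It assumes a constructed customer record, a placeholder server-side key for the comparison hashes, and a business-chosen list of fields it has judged reliable; fields the business does not hold are ignored rather than requested, and the result is only pass/fail so the check cannot be used as an oracle for which data point was wrong.

```python
import hashlib
import hmac
import re

# Placeholder per-deployment secret used to key the comparison hashes (assumption).
VERIFICATION_KEY = b"placeholder-rotate-me"

# Fields the business already holds and has determined to be reliable
# for verifying non-accountholders (an assumed, business-specific list).
RELIABLE_FIELDS = ("email", "phone", "postal_code", "last_order_id")


def normalize(field, value):
    """Canonicalize a value so formatting differences do not defeat a match."""
    v = value.strip().lower()
    if field in ("phone", "postal_code"):
        v = re.sub(r"\D", "", v)  # keep digits only: "(415) 555-0142" -> "4155550142"
    elif field == "email":
        v = re.sub(r"\s+", "", v)
    return v


def digest(field, value):
    """Keyed hash of field:value, so the verification store holds no extra plaintext."""
    msg = f"{field}:{normalize(field, value)}".encode()
    return hmac.new(VERIFICATION_KEY, msg, hashlib.sha256).hexdigest()


def build_record(raw):
    """Keep only the reliable fields the business actually holds, already hashed."""
    return {f: digest(f, raw[f]) for f in RELIABLE_FIELDS if raw.get(f)}


def verify_non_accountholder(record, claims, required=2):
    """Return True only if at least `required` claimed data points match the record.

    Claims for fields that are not reliable, or not held, are ignored rather
    than prompting the consumer for more information. Only a boolean is
    returned, never which fields matched, to avoid leaking that to a requester.
    """
    matched = 0
    for field, value in claims.items():
        if field not in RELIABLE_FIELDS or field not in record:
            continue
        if hmac.compare_digest(record[field], digest(field, value)):
            matched += 1
    return matched >= required


# Constructed sample record for one non-accountholder (not real data).
STORED = build_record({"email": "Ana.Perez@example.com", "phone": "(415) 555-0142",
                       "postal_code": "94107", "last_order_id": "ORD-88231"})
```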
This raises the question: how can businesses whose customers do not have accounts comply with these CCPA requirements and ensure reasonable identity verification? Below are three options:
Manual Verification – businesses could create processes and allocate employee resources to manually handle requests as they come in. Although this may appear simple at first glance, it would actually take considerable time to create the processes, and depending on how large the business and customer base are, will take considerable employee resources to oversee and implement.
Internal Software Automation – businesses could create their own bespoke automated software to handle requests and verify customers. While this could be a good long-term solution, the time and financial resources needed to create this software would be a considerable upfront cost. And if a business does not have the internal technical resources, it would need to employ an external technical manager and software developers. Keep in mind that advanced, multi-feature apps can cost between “$150,000 and $250,000”, which does not include long-term software maintenance.
Third-Party Solutions – businesses could source and employ a third-party solution that already has the functionality in place to verify identities. Businesses need not be afraid of this solution, especially if the third party is CCPA compliant and has safeguards in place to protect personal information. Additionally, third-party options already exist that are easy to integrate into an existing website and are reasonably priced.
The likelihood that your company has or will have a California-based customer is almost certain, given California’s 39.5 million residents and its status as the fifth-largest economy in the world, worth $2.7 trillion. As such, companies cannot afford to ignore these groundbreaking legislative activities.
The CCPA and CPRA are likely only the beginning of more stringent consumer data collection regulation. Companies should immediately review their policies and procedures to ensure CCPA compliance or risk facing dire consequences.