Alvaria's Preparation for the California Consumer Privacy Act CCPA)
The California Consumer Privacy Act (CCPA) offers California consumers strengthened individual privacy rights including: requesting access of any personal information, requesting any personal information be deleted, and suing companies that violate the law. It also requires the Attorney General to solicit broad public participation and adopt regulations to further the CCPA’s purposes. The proposed regulations would establish procedures to facilitate consumers’ new rights under the CCPA and provide guidance to businesses for how to comply.
New rights afforded to California consumers under CCPA include:
- The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information.
- The right to delete personal information held by businesses and by extension, a business’s service provider.
- The right to opt-out of sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt in consent, with a parent or guardian consenting for children under 13.
- The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.
The CCPA applies to all businesses that meet one or more of the following conditions:
- Has gross annual revenues in excess of $25 million.
- Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices.
- Derives 50 percent or more of annual revenues from selling consumers’ personal information.
As proposed by the draft regulations, businesses that handle the personal information of more than 4 million consumers will have additional obligations.
As the CCPA implementing regulations develop, Alvaria will monitor this important law and make necessary preparations.
The CCPA includes the following key requirements:
- Alvaria and our customers must disclose data collection and sharing practices to consumers.
- Consumers have a right to request that their data be deleted.
- Consumers have a right to opt out of the sale or sharing of their personal information.
- Businesses are prohibited from selling personal information of consumers under the age of 16 without explicit consent.
The proposed regulations are intended to operationalize the CCPA and provide practical guidance to consumers and businesses subject to the law. The regulations would address some of the open issues raised by the CCPA and would be subject to enforcement by the Department of Justice with remedies provided under the law. The proposed regulations were drafted after a broad and inclusive preliminary rulemaking process, which included seven public forums held throughout the state and a public comment period during which the office received over 300 written comments.
Alvaria achieved a strong compliance position regarding the EU’s General Data Protection Regulation (GDPR) and those compliance efforts are being leveraged for CCPA preparation. We completed the exercise of data mapping of personal information processes and locations of storage, along with processes to respond to access requests from consumers. We are reviewing our data access request procedures, privacy policies, and websites to identity and remedy gaps with CCPA requirements. Alvaria’s current knowledge and records regarding data collection, storage, breach response, data subject access requests, and retention allow Alvaria to address these risks as the CCPA develops.
CCPA may have a limited applicability to Alvaria when compared with GDPR. For example, the law applies mainly to personal information that is controlled by Alvaria. However, we anticipate that more states will adopt similar laws and our preparation will keep that perspective in mind.
We recognize that our customers and partners may require Alvaria’s assistance to comply with CCPA and we stand ready to assist. For example, a customer may receive a request for data access from a California resident and our support team will be prepared to advise on product capabilities and functionalities to carry out the request.
The Attorney General closed public comment on the implementing regulations on December 6, 2019, and is now considering modifications. During this process Alvaria will closely monitor the results and continue to assess legal obligations, security risks, problematic practices, and pinpoint operational priorities.
Alvaria is also reexamining data processing policies, data access request procedures, data breach protocols, access and deletion procedures, privacy notices, data retention policies, product manuals, including scenarios involving the improper or unauthorized collection, use, or sharing of personal information as defined under CCPA.
For reasons above, Alvaria will maintain a fluid approach in its preparation for CCPA. Our customers and partners will benefit from our early compliance efforts and we will closely monitor and take all necessary actions prior to enforcement.