Ch. 6 - California Consumer Privacy Act (CCPA) Flashcards

1
Q

CCPA definition of sale of PI

A

An exchange of value ("consideration," monetary or otherwise) between the business and a third party or another business in return for the personal information.

Risk: this can capture disclosures to vendors that process the data for their own analytics or other secondary purposes, not only cash-for-data transactions.

2
Q

Requirements that let consumers stop the sale of their information

A

(1) A clear and conspicuous "Do Not Sell My Personal Information" link on the business's homepage,
(2) The right to opt out of the sale of their personal information (once a consumer opts out, the business must wait at least 12 months before asking them to authorize sales again)

3
Q

CCPA definition of a “Service Provider”

A

(1) A legal entity organized or operated for profit,
(2) that processes personal information on behalf of a business,
(3) to which the business discloses a consumer's personal information for a business purpose,
(4) pursuant to a written contract that prohibits the legal entity from retaining, using, or disclosing the personal information for any purpose (including a commercial purpose) other than performing the services specified in the contract.

4
Q

Obligations with respect to third parties

A

1) Give consumers proper notice of the business's personal-information sharing practices.
2) Contractually prohibit the service provider from further collecting, selling, or using the personal information except as necessary to perform the business purpose.

5
Q

Contractual methods to ensure that a service provider does not qualify as a "third party" under the CCPA

A

If the service provider agrees to additional contractual terms that assure it does not qualify as a "third party," the business benefits from certain liability protection.

1) Include a provision in the written contract that prohibits the recipient from:
(a) selling the personal information;
(b) retaining, using, or disclosing the personal information for any purpose other than performing the services;
(c) retaining, using, or disclosing the personal information outside of the direct business relationship between the recipient and the business.
2) Obtain a certification that the recipient understands these restrictions and will comply with them.

6
Q

Methods to avoid a recipient being treated as a "third party" under the CCPA;

  • ideally you want the recipient classified as a "service provider"
A

1) Show that the disclosure is not a sale of PI.
2) Show that no valuable consideration was exchanged for the personal information, i.e., there is no payment for the data in any meaningful sense.
3) Assert that the recipient is not a "third party" that triggers the "sale" provision because the business has imposed a written contract containing the required restrictions on selling and using the data.
4) Show that the sharing was at the direction of the consumer.

7
Q

CCPA expands the definition of personal information

A

CCPA’s definition of personal information broadly includes information that can identify, relate to, describe, be associated with or be reasonably linked directly or indirectly to a particular consumer or household

8
Q

Intragroup sharing under CCPA

A

The statute does not expressly say whether intragroup sharing between affiliated entities is exempt from the definition of a "sale" under the CCPA.

9
Q

CCPA Scope - who does it apply to

A

A for-profit entity doing business in California that meets any one of the following:
1) Annual gross revenue of more than $25 million,
or
2) Annually buys, receives, sells, or shares the PI of 50,000 or more consumers, households, or devices,
or
3) Derives 50% or more of its annual revenue from selling consumers' PI.

10
Q

CCPA Scope and Affiliated companies

A

To qualify as a "business" under the CCPA indirectly, an entity must control or be controlled by (for example, be the parent or a subsidiary of) an entity that qualifies directly, and share common branding with that entity.

11
Q

CCPA and privacy notices: what will the market expect from organizations?

A

Increased scrutiny of collection details and sales practices.

12
Q

Consumer Rights under CCPA

A

1) A consumer’s right to request disclosure of personal information collected.
2) A consumer’s right to request disclosure of personal information sold or disclosed for a business purpose.
3) A consumer’s right to the deletion of personal information.
4) A consumer’s right to opt out of the sale of personal information.
5) A consumer’s right to access and data portability.
6) A prohibition on discrimination for exercising a consumer right.
7) An obligation to notify consumers of their rights.

13
Q

When must CCPA notices be provided?

A

1) At or before the point of collection

2) Upon receipt of a verifiable consumer request

14
Q

Categories of PI listed in the CCPA

A

1) Identifiers (real name, alias, postal address, online identifier, IP address, email address, account name, etc.)
2) PI described in California's customer records law (Civ. Code § 1798.80)
3) Characteristics of protected classifications under California or federal law
4) Commercial information (e.g., records of products purchased or purchasing histories)
5) Biometric information
6) Internet or other electronic network activity (e.g., browsing history, search history, interactions with a website or advertisement)
7) Geolocation data
8) Audio, electronic, visual, thermal, olfactory, or similar information
9) Professional or employment-related information
10) Education information
11) Inferences drawn from any of the above to create a consumer profile

15
Q

advertising notice for CCPA example

A

“[TheScore] may also share certain information and data, such as [a list of data types described in the prior section] with our advertising partners to deliver advertisements … that may be of interest to you. We may allow third party advertisers, including but not limited to direct advertisers, ad networks, ad exchanges and private advertising marketplaces … to serve advertisements on the Service. These Advertisers use technology to send, directly to your browser or mobile device, the ads and ad links that appear on the Service, and will automatically receive your Internet Protocol (IP) address when they do so. They may also use other technologies (such as Cookies, JavaScript, Unique Identifiers, Advertising Identifiers, Location Data, and Clear Gifs) to compile information about your browser’s or device’s visits and usage patterns on or off the Service and between multiple platforms such as your computer and your mobile device, measure the effectiveness of their ads, and personalize the advertising content to your interests. You can opt out of receiving certain Cookies.”

16
Q

May need to map the categories of data collected listed in the privacy notice

A

to the categories of personal information described in the CCPA.

17
Q

What is the first state-level comprehensive privacy law in the U.S.?

A

CCPA

18
Q

The CCPA applies broadly to businesses that collect personal information from ______ consumers, imposing extensive transparency and disclosure obligations.
It also creates consumers’ rights to access their personal data and to request its deletion; to opt-out of the sale of their personal data; and to nondiscrimination on the basis of their exercising any of their CCPA rights.

A

California

19
Q

When did California pass the CCPA, and what later amended it?

A

The CCPA was enacted in June 2018 and took effect Jan. 1, 2020. In Nov. 2020, California voters passed the California Privacy Rights Act (CPRA), which amends the CCPA and adds further consumer protections and business obligations.

20
Q

When did the majority of the CPRA's provisions become enforceable?

A

Most CPRA provisions became operative Jan. 1, 2023, with enforcement beginning July 1, 2023, and apply to personal information collected on or after Jan. 1, 2022 (the "look-back").

21
Q

What are two points that an HR department of an organization needs to keep in mind regarding CCPA compliance:

A

1) It requires privacy notices and disclosures about the data employers collect and the purposes of the collection.
2) It provides a private right of action with statutory damages of $100 to $750 per consumer per incident if nonencrypted and nonredacted personal information is breached because of a failure to maintain reasonable security.

22
Q

Speak to the importance of employee data under the CCPA and what steps can be taken to comply with this regulation.

A

Employees and prospective employees are both concerned about how their personal information is collected and used by employers.
- And employees will not hesitate to go to court to enforce their rights.
Employers should therefore implement all obligations on employment data imposed by privacy regulations such as the CCPA.

23
Q

Why is the CCPA still important for employers if it excludes employment data?

A

Employment data was excluded from many of the CCPA's legal obligations under a time-limited exemption added by the California Legislature through Assembly Bill No. 25. Some obligations on employee data nevertheless apply now, and businesses must follow them to avoid violations and potential penalties.

24
Q

What must a CCPA notice at collection to employees contain?

A

Under Section 1798.100(b), read together with CCPA Regulation § 999.305(f), the notice to employees must include:

  • The categories of personal information that will be collected.
  • The business or commercial purpose for which each category is collected.

25
Q

Can you provide greater detail about the notice?

A

It is important to note that the notice should be:

  • Prominent and readily available where employees will encounter it, at or before the point of collection of any personal information. For example, if the employer monitors its employees' physical actions via CCTV, it must inform them with prominent signage at the physical location.
  • Written in plain, straightforward language, in the language in which business is ordinarily conducted.
  • Reasonably accessible to consumers with disabilities. For online notices, for example, it should follow generally recognized industry standards such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium.

26
Q

Which CCPA provision covers the security of employee data?

A

Section 1798.150 of the CCPA applies to employee data: businesses must implement reasonable security procedures and practices to protect it.
If nonencrypted and nonredacted employee personal information is breached as a result of the employer's failure to take reasonable security measures, the employer is exposed to a civil action brought by the affected employees.

Under Section 1798.150, such suits can recover statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater.
Employers must therefore protect employee data as they protect consumer data to avoid liability under the CCPA.

27
Q

What is the third step toward CCPA compliance for an HR department?

A

Assess your organization’s compliance requirements
Privacy regulations can differ based on industry, location, and types of data being processed. It is paramount that the organization is aware of the compliance requirements of laws that apply to them.

28
Q

What is the fifth step toward CCPA compliance for an HR department?

A

Set expectations with staff
The HR department needs to make staff aware of the importance of protecting individuals' sensitive information and of how to balance individual privacy concerns against the operational requirements of running an organization.

29
Q

Describe how you would implement CCPA.

A

Organizations today collect more and more data, from consumers and from their own employees. Privacy regulations such as the CCPA require organizations to keep track of the data collected from employees and to protect it as responsible custodians.

Historically this was done manually; that is possible but tedious, and organizations are encouraged to automate these operations. With privacy regulations constantly evolving, automation is the only practical way to keep up.

30
Q

How are the CCPA and GDPR similar?

A
  • Broad applicability beyond physical jurisdictions
  • Potential for large fines for violations
  • Data subject right of access
31
Q

California Consumer Privacy Act (CCPA) (2018)

A

First state-level comprehensive privacy law in the US. Applies broadly to businesses that collect personal information from California consumers, imposing extensive transparency and disclosure obligations. It also creates consumers' rights to access their personal data and to request its deletion; to opt out of the sale of their personal data; and to nondiscrimination on the basis of their exercising any of their CCPA rights.

32
Q

What are a consumer’s rights under CCPA?

A

o Right to know what information is collected
o Right to know how information is shared
o Right to opt out of information sharing
o Right to review information
o Right to request deletion of information

33
Q

What does California require of companies and organizations doing in-state business?

A

To post privacy policies on their websites (a requirement of the California Online Privacy Protection Act, CalOPPA, which predates the CCPA).

34
Q

True/ False

The CCPA applies to any statutorily defined business. The word business, as defined in the statute, means any legal entity "organized or operated for the profit or financial benefit of its shareholders or other owners" which alone, or jointly with others, "determines the purposes and means" of processing consumers' personal information, provided that the entity does business in California and meets one of the following additional requirements:

1) Has annual gross revenues exceeding $25 million.
2) Alone or in combination, annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices.
3) Derives 50 percent or more of its annual revenue from selling consumers' personal information.

The monetary thresholds may be adjusted upward by the California attorney general to account for inflation.

A

True

35
Q

Based on a plain reading of this statutory definition, "business" thus excludes:

(1) nonprofit organizations, which are not organized for the profit or financial benefit of their owners,
(2) entities that do not determine the "purposes and means" of processing consumer personal information, such as entities that act only at the direction of other companies regarding the "purposes and means" of such processing, and
(3) entities that ______.

A

do not conduct any California business.

36
Q

True/ False

Though most provisions of the CCPA create obligations for “businesses,” at least one provision of the CCPA applies to “third parties” who may not meet the above statutory definition of “business.”

A

True

37
Q

Does CCPA apply to healthcare providers?

A

Nonprofit organizations are exempt from the law, which means many hospitals and health systems are exempt.

However, for-profit healthcare companies, insurance providers, and digital health technology companies may be subject to the CCPA for any non-health data collected from California residents.

38
Q

Who does CCPA not apply to?

A

The CCPA does not apply to nonprofit organizations or government agencies.

39
Q

What data is exempt from CCPA?

A

The CCPA exempts any activity involving the collection, maintenance, disclosure, sale, communication or use of any personal information subject to the Fair Credit Reporting Act (FCRA) so long as the activity is authorized by the FCRA. This exemption does not apply to the data breach liability provision.

40
Q

Is HIPAA data exempt from CCPA?

A

A covered entity governed by the HIPAA privacy, security, and breach notification rules is exempt from the CCPA to the extent the covered entity properly safeguards PHI under HIPAA.

41
Q

Does the CCPA apply to HIPAA business associates?

A

AB 713 exempts a HIPAA business associate from CCPA regulation to the extent the business associate maintains, uses and discloses patient information in the same manner as information regulated by HIPAA or CMIA.

42
Q

What is the CCPA HIPAA Exemption?

A

The CCPA HIPAA exemption is two-fold, with the first part dealing with the protected health information (PHI) that is collected by a covered entity or business associate. The second part is less clear, dealing with covered entities that maintain PHI in a certain way.

43
Q

What is part 1 of the CCPA HIPAA exemption?

A

Part 1 of the CCPA HIPAA exemption (California Civil Code 1798.145(c)(1)(A)):

PHI collected for treatment, payment, or healthcare operations qualifies for the CCPA HIPAA exemption. Health information collected for other purposes does not fall under the exemption and is subject to the CCPA's requirements.

44
Q

What is part 2 of the CCPA HIPAA exemption?

A

Part 2 of the CCPA HIPAA exemption (California Civil Code 1798.145(c)(1)(B)):

A covered entity may qualify for the CCPA HIPAA exemption under part 2. Part 1 exempts the PHI itself, while part 2 exempts providers under certain circumstances.

A covered entity governed by the HIPAA privacy, security, and breach notification rules is exempt from the CCPA to the extent the covered entity properly safeguards PHI under HIPAA.

The practical consequence is that a covered entity that falls short of one or more of its HIPAA obligations may lose the benefit of this exemption for the affected information and be exposed to the CCPA.

45
Q

What Else May the CCPA HIPAA Exemption Apply to?

A

There are other types of information covered by the exemption, such as de-identified information, some information collected for clinical trials, and aggregate consumer information.

Additionally, medical information already covered under California’s Confidentiality of Medical Information Act, is also exempt.