Ch. 6 - California Consumer Privacy Act (CCPA)

Question 1

California Consumer Privacy Act (CCPA) (2018)

Answer 1

First state-level comprehensive privacy law in the US. Applies broadly to businesses that collect personal information from California consumers, imposing extensive transparency and disclosure obligations. It also creates consumers’ rights to access their personal data and to request its deletion; to opt-out of the sale of their person data; and to nondiscrimination on the basis of their exercising any of their CCPA rights.

Question 2

What was the date that California passed the CCPA?

Answer 2

In Nov. 2020, California passed the California Privacy Rights Act, which amends the CCPA and includes additional consumer protections and business obligations.

Question 3

When will the majority of the CPRA’s provisions be enforced?

Answer 3

The majority of the CPRA’s provisions will enter into force Jan. 1. 2023, with a look back to Jan. 2022.

Question 4

The CCPA applies broadly to businesses that collect personal information from ______ consumers, imposing extensive transparency and disclosure obligations.
It also creates consumers’ rights to access their personal data and to request its deletion; to opt-out of the sale of their personal data; and to nondiscrimination on the basis of their exercising any of their CCPA rights.

Answer 4

California

Question 5

CCPA Scope and Affiliated companies

Answer 5

To qualify as a ‘business’ under CCPA indirectly, an entity must be a parent or a subsidiary company to an entity that qualifies directly and share common branding with such entity

Question 6

CCPA Scope - who does it apply to

Answer 6

1) Annual gross revenue of more than 25M
or
2) Buy/sell PI of 50,000+ consumers, devices, or households
or
3) Derives 50% or more of annual revenue from selling PI of consumers’

Question 7

Who does CCPA “not” apply to?

Answer 7

The CCPA does not apply to nonprofit organizations or government agencies.

Question 8

CCPA expands the definition of personal information

Answer 8

CCPA’s definition of personal information broadly includes information that can identify, relate to, describe, be associated with or be reasonably linked directly or indirectly to a particular consumer or household

Question 9

Categories of PI listed in the CCPA

Answer 9

1) Identifiers
2) PI under Calfirona disposal law
3) Characteristics of protected classes
4) Commercial information
5) Biometric information
6) Internet or other electronic network activity
7) Geolocation
8) Audio, electronic, visual, thermal, offactory
9) Professional or employment information
10) Education information
11) Inferences drawn from the above

Question 10

Consumer Rights under CCPA

Answer 10

1) A consumer’s right to request disclosure of personal information collected.
2) A consumer’s right to request disclosure of personal information sold or disclosed for a business purpose.
3) A consumer’s right to the deletion of personal information.
4) A consumer’s right to opt out of the sale of personal information.
5) A consumer’s right to access and data portability.
6) A prohibition on discrimination for exercising a consumer right.
7) An obligation to notify a consumer of her rights.

Question 11

What does notice mean under CCPA?

Answer 11

Under Section 1798.100(b) read along with CCPA Regulation § 999.305.(f) this notice to employees needs to include the following information:

• Categories of personal information that will be collected.
• Commercial or business purpose for collection of personal information.

Question 12

CCPA and privacy notices - what markets will expect from orgs’

Answer 12

increased scrutiny about collection details and sales practices

Question 13

CCPA definition of sale of PI

Answer 13

Exchange of value (“consideration”) between the business and a third party or another business for the personal information

Risk that this applies to disclosures to vendors that process data for their own analytics or other secondary purposes.

Question 14

CCPA Notice Requirements should be provided when

Answer 14

1) At or before the point of collection

2) Upon receipt of a verifiable consumer request

Question 15

Requirements to prevent sale of information

Answer 15

(1) “Do Not Sell My Personal Information” button on homepages,
(2) Right to opt out

Question 16

Obligations with respect to third parties

Answer 16

1) Provide proper notice to consumers about personal information sharing practices.
2) Obligate the service provider from further collecting, selling or using the personal information except as necessary to perform the business purpose.

Question 17

CCPA definition of a “Service Provider”

Answer 17

(1) A legal entity organized for profit

(2) That processes personal information on behalf of a business.
(3) To which the business discloses a consumer’s personal information for a business purpose.
(4) Pursuant to a written contract that prohibits the legal entity from retaining, using, or disclosing the personal information for any purpose (including a commercial purpose) other than performing the services specified in the contract.

Question 18

Contractual methods to protect against a service provider does not qualify as a “third party” under CCPA

Answer 18

If service provider agrees to additional contractual terms to assure that it does not qualify as a “third party,” the business will benefit from certain liability protection.

1) include a provision in the written contract that Prohibits the recipient from:
(a) Selling the personal information.
(b) Retaining, using or disclosing the personal information for any purpose other than performing the services.
(c) Retaining, using or disclosing the personal information outside of the direct business relationship between the recipient and the business.
2) Obtain a certification that the recipient understands these restrictions and will comply with them.

Question 19

Methods to avoid a third party from being considered a “third party” under CCPA;

• ideally you want them to be classified as a ‘service provider’

Answer 19

1) Need to show that the disclosure is not a sale of PI
2) show that no valuable consideration exchanged for the personal information obtained given that there is not in any meaningful sense payment for the data
3) business could also assert not a “third party” that triggers the “sale” provision if the business imposes a written contract that includes contractual sell limitations.
4) sharing at the direction of the consumer

Question 20

Intragroup sharing under CCPA

Answer 20

theres nothing stated on whether intragroup sharing is an exemption to a “sale” under CCPA

Question 21

advertising notice for CCPA example

Answer 21

“[TheScore] may also share certain information and data, such as [a list of data types described in the prior section]with our advertising partners to deliver advertisements … that may be of interest to you. We may allow third party advertisers, including but not limited to direct advertisers, ad networks, ad exchanges and private advertising marketplaces … to serve advertisements on the Service. These Advertisers use technology to send, directly to your browser or mobile device, the ads and ad links that appear on the Service, and will automatically receive your Internet Protocol (IP) address when they do so. They may also use other technologies (such as Cookies, JavaScript, Unique Identifiers, Advertising Identifiers, Location Data, and Clear Gifs) to compile information about your browser’s or device’s visits and usage patterns on or off the Service and between multiple platform such as your computer and your mobile device, measure the effectiveness of their ads, and personalize the advertising content to your interests. You can opt out of receiving certain Cookies.

Question 22

May need to map the categories of data collected listed in the privacy notice

Answer 22

to the the categories of personal information described in the CCPA

Question 23

What is the first state-level comprehensive privacy law in the U.S.?

Answer 23

CCPA

Question 24

What are two points that an HR department of an organization needs to keep in mind regarding CCPA compliance:

Answer 24

1) It requires mandatory privacy notices and disclosures about the data collected by employers and the purpose for the collection.
2) It provides for statutory damages ranging from $100-750 if sensitive personal information is breached.

Question 25

Speak to the importance of employee data under the CCPA and what steps can be taken to comply with this regulation.

Answer 25

Employees and potential employees are both very concerned about how their personal information is being collected and captured by their employers.
- And employees will not hesitate to go to court to enforce their rights.
Thus employers should work to implement all responsibilities on employment data imposed by data privacy regulations such as the CCPA.

Question 26

Why is CCPA important? It excludes employment data.

Answer 26

While it is true that employment data was excluded from many of the legal obligations and requirements of the CCPA, as per a time sensitive exemption brought by the California Legislature via Assembly Bill No. 25, there are still some obligations on employee data under the CCPA which are enforceable right now and which businesses have to follow to avoid violation and potential penalties.

Question 27

Can you provide greater detail about the notice?

Answer 27

It is important to note that the notice should be:

• Prominent and readily available where employees will encounter it at or before the point of collection of any personal information. For example, if the employer is monitoring its employees physical actions via CCTVs, it must inform them with prominent signage within the physical location.
• Using plain and straightforward language and should be in a language in which business is ordinarily conducted.
• Reasonably accessible to consumers with disabilities. For example, for online notices, it should follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium.

Question 28

Do you have a reference regarding data collection of employees?

Answer 28

Section 1798.150 of CCPA applies to employee data and means that businesses are liable for undertaking adequate and reasonable security measures to protect the data of their employees.
I
f unredacted or unencrypted employee personal information is breached due to the employers’ failure to take reasonable security measures, they would be open to civil action brought by the employees.

Under Section 1798.150, damages in suits brought by aggrieved individuals in such cases of breach can be granted $100-$750 in statutory damages or actual damages (whichever is higher).
Thus, employers must make sure to protect employee data as it protects consumer data to avoid facing penalties under the CCPA.

Question 29

What is the third step toward CCPA compliance for an HR department?

Answer 29

Assess your organization’s compliance requirements
Privacy regulations can differ based on industry, location, and types of data being processed. It is paramount that the organization is aware of the compliance requirements of laws that apply to them.

Question 30

What is the fifth step toward CCPA compliance for an HR department?

Answer 30

Set expectations with staff
The HR department needs to make their staff aware of the importance of protecting an individual’s sensitive information and how they can balance individual privacy concerns against the privacy requirements of running an organization.

Question 31

Describe how you would implement CCPA.

Answer 31

Organizations today are collecting more and more data, whether that be from their consumers or their employees. Privacy regulations such as the CCPA require organizations to keep track of data collected from their own employees and in turn protect this data being responsible custodians.

Historically, this has through manual methods, although may be possible, is a tedious task and organizations are encouraged to automate their operations. With the constant evolution of privacy regulations, automation is the only way an organization can keep up.

Question 32

How are the CCPA and GDPR similar?

Answer 32

• Broad applicability beyond physical jurisdictions
• Potential for large fines for violations
• Data subject right of access

Question 33

What are a consumer’s rights under CCPA?

Answer 33

o Right to know what information is collected
o Right to know how information is shared
o Right to opt out of information sharing
o Right to review information
o Right to request deletion of information

Question 34

What does California require of companies and organizations doing in-state business?

Answer 34

To post privacy policies on their websites.

Question 35

True/ False

The CCPA applies to any statutorily defined business. The word business, as defined in the statute, means any legal entity “organized or operated for the profit or financial benefit of its shareholders or other owners” which alone, or jointly with others, “determines the purposes and means” of processing consumers’ personal information, provided that the entity does business in California, and meets one of the following additional requirements:

1) Has annual gross revenues exceeding $25 million.
2) Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
3) Receives 50 percent or more of annual revenue results from sales of consumers’ personal information.

This number may be adjusted upward by the California attorney general to account for inflation.

Answer 35

True

Question 36

Based on a plain reading of this statutory definition, business thus excludes :

(1) nonprofit organizations which are not organized for the profit of financial benefit of its owners,
(2) entities which do not determine the “purpose and means” of processing consumer personal information, such as entities who act only at the direction of other companies regarding the “purposes and means” of such processing, and
(3) entities which

Answer 36

. do not conduct any California business.

Question 37

True/ False

Though most provisions of the CCPA create obligations for “businesses,” at least one provision of the CCPA applies to “third parties” who may not meet the above statutory definition of “business.”

Answer 37

True

Question 38

Does CCPA apply to healthcare providers?

Answer 38

Nonprofit organizations are exempt from the law, which means many hospitals and health systems are exempt.

However, for-profit healthcare companies, insurance providers, and digital health technology companies may be subject to the CCPA for any non-health data collected from California residents.

Question 39

What data is exempt from CCPA?

Answer 39

The CCPA exempts any activity involving the collection, maintenance, disclosure, sale, communication or use of any personal information subject to the Fair Credit Reporting Act (FCRA) so long as the activity is authorized by the FCRA. This exemption does not apply to the data breach liability provision.

Question 40

Is HIPAA data exempt from CCPA?

Answer 40

A covered entity governed by the the HIPAA privacy, security, and breach notification rules, is exempt from the CCPA to the extent the covered entity properly safeguards PHI under HIPAA.

Question 41

Does the CCPA apply to HIPAA business associates?

Answer 41

AB 713 exempts a HIPAA business associate from CCPA regulation to the extent the business associate maintains, uses and discloses patient information in the same manner as information regulated by HIPAA or CMIA.

Question 42

What is the CCPA HIPAA Exemption?

Answer 42

The CCPA HIPAA exemption is two-fold, with the first part dealing with the protected health information (PHI) that is collected by a covered entity or business associate. The second part is less clear, dealing with covered entities that maintain PHI in a certain way.

Question 43

What is part 1 of the CCPA HIPPA exemption?

Answer 43

Part 1 of the CCPA HIPAA exemption (California Civil Code 1798.145(c)(1)(A)):

PHI collected for the treatment, payment, or healthcare operations would qualify for the CCPA HIPAA exemption. However, healthcare information that is collected for other purposes would not fall under the CCPA HIPAA exemptions, and would be subject to the stricter privacy laws set forth by the CCPA.

Question 44

What is part 2 of the CCPA HIPAA exemption?

Answer 44

Part 2 of the CCPA HIPAA exemption (California Civil Code 1798.145(c)(1)(B)):

A covered entity may qualify for the CCPA HIPAA exemption under part 2. Part 1 exempts PHI, while Part 2 exempts providers, under certain circumstances..

A covered entity governed by the the HIPAA privacy, security, and breach notification rules, is exempt from the CCPA to the extent the covered entity properly safeguards PHI under HIPAA.

This means that if a covered entity is not compliant with one or more HIPAA regulations, the covered entity is not in complete compliance with the CCPA.

Question 45

What Else May the CCPA HIPAA Exemption Apply to?

Answer 45

There are other types of information covered by the exemption, such as de-identified information, some information collected for clinical trials, and aggregate consumer information.

Additionally, medical information already covered under California’s Confidentiality of Medical Information Act, is also exempt.