What Manufacturers Need to Know About the California Consumer Privacy Act
Overview of CCPA
The California Consumer Privacy Act (CCPA) is a bill that was passed on June 28, 2018, goes into effect in January 2020, and is intended to provide California residents with the rights to:
- Know what personal information is being collected about them,
- Access that information,
- Know if their personal information is disclosed, and to whom,
- Know if their personal information is sold, and the right to opt out of the sale, and
- Receive equal service and price whether or not they exercise their privacy rights.
The law applies to any for-profit business that collects consumers’ personal data (non-profits are exempt), does business in California, and satisfies at least one of the following:
- Has gross revenues in excess of $25 million
- Possesses personal information of 50,000 or more consumers, households or devices
- Earns more than 50% of its annual revenue from selling consumers’ personal information
Definition of Personal Data
CCPA defines personal information as information that identifies, relates to, describes, is capable of being associated with, and could reasonably be linked, directly or indirectly, with a particular consumer or household including, but not limited to the below.
Figure 1: CCPA: What’s Included in “Personal Data” Definition
Source: California Consumer Privacy Act (CCPA)
Compliance – Business Requirements
In order to comply, businesses must:
- Provide a “Do Not Sell My Personal Information” button on the home page of their website that directs California users to a page that enables them – or someone they authorize – to opt out of the sale of their personal information.
- Designate methods for California residents to request their personal data – toll-free number and web form or email.
- Update privacy policies with new CCPA obligations including a description of California resident rights.
- Disclose to a requesting consumer the categories and specific pieces of personal information the business has collected.
- The types of data might include: name, address, email, phone number, product ownership information, and customer service interactions.
- At or before the point of data collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.
- For example, because of this requirement, routine data collection methods, such as online product registration forms, will likely need to be changed to make clear what will be collected and how it will be used. Will it be used strictly in the event of a recall, or will it be used for marketing and analytics?
- Disclose and deliver for free personal information as requested by consumers. Businesses are not required to provide personal information to a consumer more than twice in a 12-month period.
- In many manufacturing companies, the data collection and storage systems for customer information may be siloed, meaning that this requirement will take coordination across teams and systems.
- Avoid requesting opt-in consent for 12 months after a California resident opts out.
- The challenge here is that manufacturers will need to be able to track opt-out requests along with time stamps, and ensure that data collection endpoints (e.g. customer service software, online product registration, etc.) can access these settings.
- If applicable, implement processes to obtain parental or guardian consent for minors under 13 years and affirmative consent of minors between the ages of 13-16 years for data sharing.
- Companies may already have controls in place due to prior legislation for “under 13 years” but should review compliance under CCPA.
Note: Manufacturers should seek legal counsel to get advice about how CCPA applies to their company.
Non-Compliance – Penalties
Fines under the CCPA will cap at $7,500 per violation – for “intentional violations” of the CCPA (“intentional” is yet to be defined); violations lacking intent cap at $2,500.
Of greater concern to businesses is that the CCPA paves the way for the California residents to bring lawsuits for the breach of their “non-encrypted or non-redacted personal information”—even in the absence of evidence of actual damage. The CCPA allows individuals to recover between $100 and $750 per incident—or greater if they show actual damages exceeding $750.
Five Amendments to be signed by October 13, 2019
The California legislature passed five amendments which are awaiting Governor Gavin Newsom’s approval, and expected to be signed into law in October.
- Clarifications and Exemptions – Bill 1355 exempts de-identified or aggregate consumer information from the definition of personal information. It also creates a 1-year exemption for B2B communications or transactions and expands exemption for consumer credit data.
- Data Brokers – Bill 1202 requires data brokers to register with the California Attorney General.
- Employee Information Exemption – Bill 25 includes personal information of employees/job applicants/contractors in the definition of “personal information,” but exempts it from CCPA access/deletion rights for one year.
- Methods for Disclosure – Bill 1564 prescribes the channels (email, website, and phone) to be made available for CCPA consumer requests, with a toll-free number optional for businesses operating online-only.
- Vehicle Warranties and Recalls – Bill 1146 exempts vehicle information retained or shared between dealer and manufacturer for the purposes of warranties or recalls.
CCPA vs. GDPR (General Data Protection Regulation (EU))
Businesses impacted by GDPR in Europe – which passed in April 2016 and came into force in May 2018 – have already implemented processes to comply with that data protection regulation. Thus, they have a head start.
Domestic manufacturers or manufacturers not doing business in Europe must build a thorough compliance plan from scratch. To that end, PWC provides a great summary of the workstreams necessary in its white paper, “America’s GDPR? Seven Workstreams to Implement California’s Consumer Privacy Act”.
In addition, PWC’s comparison of CCPA and GDPR below offers a valuable summary of the differences in the two laws, which should help “GDPR companies” better understand what they can leverage and where they need to focus their CCPA compliance efforts.
Figure 2: GDPR vs. CCPA – Comparison Chart
Source: PWC website, “Your Readiness Roadmap for CCPA”.
How After, Inc. Ensures Compliance as a “Service Provider”
The CCPA defines a service provider as “a for-profit legal entity that processes personal information on behalf of a business pursuant to a written contract for a business purpose.” Business purposes defined by the law include “advertising or marketing, analytics and similar services” – what After, Inc. provides to its Warranty Services clients.
Under the CCPA, manufacturers that receive “verifiable requests” from California consumers (meaning that they can validate the consumer’s identity through an authentication process) to delete their personal information must also direct After, Inc. to delete the data from its records. Manufacturers that disclose information to After, Inc. are not liable for any potential violations by After, Inc. unless they have actual knowledge or reason to believe, at the time of disclosing the personal information, that After Inc. intends to commit a CCPA violation (Figure 3 illustrates how After, Inc. mitigates any chance for a violation to occur). Similarly, After, Inc. is not liable for the obligations of a manufacturer under the law.
Figure 3: Summary of CCPA “Service Provider” Obligations & After, Inc. Compliance
After, Inc. is a global leader in Warranty Analytics, Marketing and Program Management. If you have any questions about CCPA or would like to discuss potential implications for your Warranty business, feel free to contact us at http://afterinc.com/contact/.