Two Checklists to Help Businesses Prepare

The California Privacy Protection Agency (CPPA) released initial draft regulations for cybersecurity audits (which have since been amended) and risk assessments late this summer. The agency’s board of directors addressed the drafts at its September 8 public meeting, and will do so again in December, as part of the pre-rulemaking process. While formal rulemaking has not yet begun and enforcement is likely at least two years off, it is imperative that businesses subject to the California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2020 (the CCPA), consider now whether and how these regulations may apply to them. If enacted, the regulations will impose substantial cybersecurity obligations on certain covered businesses (Businesses). Identifying and filling existing gaps, and preparing your workforce and governing body for compliance, will help your Business properly safeguard the personal information (PI) it processes. It will also allow you to prioritize, budget, and avoid a last-minute rush to compliance.

Is my company subject to the CCPA?

The coverage analysis can be complex.

A company can be subject to the CCPA even if it is not located in California. Generally, a company is covered by this law if all of the following are true:

• It is a legal entity that operates for-profit.
• It does business in California (while the CCPA does not define “doing business,” it typically means directing purposeful commercial activity toward the state).
• It collects, or has collected on its behalf, the PI of California residents (including employees, job applicants, and independent contractors) who are natural persons (Consumers).
• Alone or jointly with others, it determines why and how PI is Processed.^[1]
• It satisfies one or more of the following:
  • As of January 1 of the calendar year, it had annual gross revenues greater than $25,000,000 in the preceding calendar year.
  • Alone or in combination, it annually buys, Sells,[2] or Shares[3] the PI of 100,000 or more Consumers or households.
  • It derives 50 percent or more of its annual revenues from Selling or Sharing PI.

Certain entities that control or are controlled by a Business are also covered, as are certain joint ventures and partnerships composed of covered businesses. Likewise, certain entities (e.g., covered entities subject to HIPAA) and data (e.g., information subject to HIPAA or GLBA) are specifically excluded from coverage.

What is “personal information”?

The CCPA defines PI broadly to include “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Consumer [California resident] or household.” It excludes publicly available information, certain information of public concern, and deidentified or aggregate information. Most who have seen a CCPA consumer privacy notice are familiar with these defined (but nonexclusive) categories of PI:

• Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver’s license number, and passport number.
• PI described in Cal. Civ. Code § 1798.80(e) (name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information).
• Characteristics of protected classifications under California or federal law.
• Commercial information (such as records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies).
• Biometric information.
• Internet or other electronic network activity information (such as browsing history, search history, and information about a Consumer’s interaction with a website, application, or advertisement).
• Geolocation data.
• Audio, electronic, visual, thermal, olfactory, or similar information.
• Professional or employment-related information.
• Education information (information that is not publicly available personally identifiable information, as defined in the Family Educational Rights and Privacy Act).
• Inferences drawn from information in other categories to create a profile about a Consumer reflecting the Consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
• Sensitive PI.^[4]

This is the information that the draft regulations (and the rest of the CCPA) are designed to protect against risks to confidentiality, integrity, and availability.

What should my Business be doing now?

Because the regulations are currently in draft form, they are subject to change during the pre-rulemaking and rulemaking process. Keep in mind, however, that anticipated regulatory compliance should not be the only driver for your Business’s cybersecurity efforts. The California statute itself demands that Businesses implement “reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure,” as do most industry standards and best practices. Customer protection, reputation management, and litigation avoidance compel the same thing. The draft regulations do not create this requirement—they merely flesh it out.

A Business should take a risk-based approach to preparation, guided by such considerations as:

• The nature and scope of PI it Processes.
• Available human and financial resources.
• The current state of its cybersecurity program, and what it will take (time, money, effort) to close gaps.
• Leadership, corporate, and industry mandates.
• Risk tolerance.

While Businesses have time to get ready for enforcement, the regulatory burden may be substantial. Assessing gaps and planning for compliance now will help Businesses safeguard PI and be well positioned for the future.

[1] Processing means any operation or set of operations performed on PI, whether or not by automated means.

[2] Selling means communicating PI to a third party for money or other valuable consideration.

[3] Sharing means communicating PI to a third party for cross-context behavioral advertising, whether or not for money or other consideration.

[4] Sensitive PI is:

• A Consumer’s Social Security, driver’s license, state identification card, or passport number.
• A Consumer’s account login, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.
• A Consumer’s precise geolocation.
• A Consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership.
• The contents of a Consumer’s mail, email, and text messages unless the Business is the intended recipient of the communication.
• A Consumer’s genetic data.
• The Processing of biometric information for the purpose of uniquely identifying a Consumer.
• PI concerning a Consumer’s health.
• PI concerning a Consumer’s sex life or sexual orientation.

[View source.]