The California Consumer Privacy Act: Are You Ready?
By Stuart Brock, Director at Seal Software
The California Consumer Privacy Act (CCPA), enacted by the California legislature in June, contains a number of similarities to the European Union’s General Data Privacy Regulation (GDPR). To date, the CCPA is one of the most comprehensive privacy laws in the U.S. It becomes effective the first day of 2020, with enforcement currently slated to begin July 1.
The law states it may apply to businesses directly or indirectly. To qualify directly, there must be a for-profit entity doing business in California that meets certain requirements. This includes entities that have annual gross revenues in excess of $25 million, or those that buy, sell, or share for ‘commercial purposes’ personal information of more than 50,000 consumers, households or devices. An entity also qualifies if it derives half or more of its annual revenue from the sale of personal information.
Indirect qualification includes entities that are the parent company or a subsidiary to an organization that directly qualifies and shares common branding with that entity.
The CCPA broadly defines the term “sell” to include any act of “disclosing” or “making available” personal information “for monetary or other valuable consideration.” Moreover, the scope of what constitutes “personal information” is also broad, covering any type of data or information that “could reasonably be linked, directly or indirectly, with a particular consumer or household,” such as unique online identifiers, browser and search history, and even personally identifiable information pertaining to an individual’s shopping habits and interaction with online advertisements.
Some of the key requirements related to consumer rights are:
Notice: Businesses must provide notice of the categories of personal information collected and how they will be used.
Disclosure: Upon request, businesses must disclose categories of personal information collected, sources of information, commercial purpose for collecting/selling the information, and third parties with whom the information is shared. Consumers may request disclosure up to twice annually.
Right to Be Forgotten: Consumers have the right to have all their personal information deleted (with exceptions).
Protection Against Discrimination: Businesses are prohibited from discriminating against consumers who exercise rights under the CCPA.
There are a number of exceptions including, for instance, information protected by other California laws and subject to federal preemption. Moreover, the law may be enforced by the California attorney general (the “CAG”) or by private consumers (limited private rights). The CAG may seek civil penalties up to $7,500 for each violation, and subject to the appropriate period to cure any alleged violation, consumers may seek statutory damages of $100 to $750 per incident.
Contract analytics to the rescue
Time is running out. Businesses should assess whether the CCPA applies to them and, if so, complete an assessment of the personal information they collect, buy, sell or share (“Collected Information”). This necessarily includes the agreements and other documents that authorize the Collected Information, and the processes for obtaining and storing it. In particular, firms must also review their third-party contracts to ensure they are CCPA compliant, and in cases where they are not, it is advisable to create a remediation plan to amend the contracts in question.
For most businesses, this means a time- and people-intensive review of large numbers of contracts and other such documents that are typically stored in multiple repositories throughout an organization. Artificial intelligence can be applied under these conditions as a means to identify contracts across multiple repositories, automate the process of contract analysis, and decrease the time and manual effort required to complete such reviews. Contract analytics also minimize costly human error, and can be scaled to the contract corpus of even the largest enterprise.
For example, with pre-configured tools designed specifically for data privacy compliance, the Seal platform is able to provide detailed insight into contract compliance and remediation. Whether that insight is in regard to general third-party data privacy or for specific regulatory compliance such as the GDPR and the CCPA, analytics have been pre-built to target the business and regulatory mandates associated with data privacy.
Knowing whether contracts meet the compliance requirements for CCPA boils down to understanding the legal provisions they contain. The process of evaluating these documents, no matter where they reside or the data source type, is an obligation rather than a choice. An accurate and efficient assessment is possible with an AI platform that is tuned to the subject matter. Qualifying entities must adopt a defensive posture, leveraging technical tools to maintain and protect their contracts in keeping with the provisions of the law, before regulators come knocking.
If you would like to know more about this subject, then please check out the Seal Software webinar here.
About the author:
Stuart Brock is a Director at Seal Software where he helps lead Seal’s financial services programs. Stuart is a licensed attorney who practiced law at a top national firm for some 10 years before moving in-house at Bank of America. During his tenure with Bank of America, Stuart held various roles within the Legal, Compliance & Procurement organizations where his responsibilities included the governance & management of third-party contracts including the maintenance and technology to support the Bank’s arsenal of contract templates for more than 60 countries around the globe.
[ Artificial Lawyer is proud to bring you this sponsored thought leadership article by Seal Software. ]