What is the CCPA?
The California Consumer Privacy Act (“CCPA”) was passed by the California Legislature on June 28, 2018 and takes effect from January 1, 2020.
The CCPA brings in significant new requirements for organisations to identify, manage, secure, track, produce and delete consumer personal information. Further, it introduces (for the first time) a number of rights for individuals in the State of California.
Enforcement of the CCPA will generally be conducted by the California attorney general, which shall adopt regulations on or before July 1, 2020, and shall not bring an enforcement action until 6 months after the publication of such regulations or July 1, 2020. This means there will be developments in regulations in early 2020 which should also be monitored.
Who does the CCPA affect?
The CCPA applies to the personal information of all “natural persons” who are California residents. “Residents” in this context means any individual in the State for other than a temporary or transitory purpose, and every individual domiciled in the State but located outside of it for a temporary or transitory purpose.
Compliance with the CCPA applies to any businesses operating for-profit that collect and/or control California residents’ personal data and meet one of the three criteria below:
- Have annual gross revenues in excess of US$25 million; or
- Receive or disclose the personal information of 50,000 or more California residents, households or devices on an annual basis; or
- Derive 50 percent or more of their annual revenues from selling California residents’ personal information.
What are the penalties for non-compliance?
Any violation of the CCPA may result in an injunction and liability for a civil penalty of up to $2,500 for each violation or $7,500 for each intentional violation.
Furthermore, a consumer has the right to bring a civil action amounting to not less than $100 and not greater than $750 per consumer per incident, or actual damages (whichever is higher). This action relates to unauthorised access or disclosure of nonencrypted / nonredacted personal information as a result of a business’ failure to implement and maintain reasonable security procedures.
What is “personal information”?
Personal information means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, and the CCPA describes various types of personal information.
Specific examples include names; aliases; unique personal identifiers; postal, IP, and email addresses; account names; social security, passport, and driver’s license numbers.
The CCPA grants consumers the right to request details of the information held about them and how it is used.
On request from a consumer, a business that collects personal information needs to disclose the following:
- Categories of personal information the business has collected about that consumer;
- Categories of sources from which the personal information is collected;
- The purpose for collecting or selling personal information;
- Categories of third parties with which the business shares personal information; and
- Specific pieces of personal information the business has collected about that consumer.
A business that sells or discloses a consumer's personal information for a business purpose needs to disclose the following in response to a consumer’s request:
- Categories of personal information the business has collected about that consumer;
- Categories of personal information the business has sold about that consumer;
- Categories of third parties to which the personal information was sold by category or categories of personal information for each third party to which the personal information was sold; and
- Categories of personal information the business has disclosed about that consumer for a business purpose (if the business has not disclosed consumers' personal information for a business purpose, it shall disclose that fact).
Consumers are also able to request that their information is deleted. On receipt of such a request, a business is required to delete their personal information.
There are some important exceptions to this, summarised below, where a business is permitted to retain a consumer’s personal information because it is required to:
- perform a contract, complete a transaction, or otherwise act within the reasonable context of the business relationship;
- detect or protect against security incidents;
- debug to identify and repair errors that impair existing intended functionality;
- conduct research in the public interest;
- comply with a legal obligation (e.g. obligations to retain data, requirements under lawsuits); and
- make internal uses that are compatible with the context in which the consumer provided the information.
The CCPA offers companies a 30-day opportunity to cure violations before the Attorney General may file an enforcement action. If an organization incorrectly interprets the law and fails to appropriately delete an individual’s information, the cure provision may nevertheless offer the organization the ability to avoid an enforcement action by subsequently deleting the required information properly.
A business that collects a consumer's personal information must inform the consumer as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. This must be at or before the point of collection.
Consumers are also granted a right to opt out of the sale of their personal information to third parties. There are additional requirements on businesses as to how this needs to be effected (see below).
In addition to the obligation to respond to valid consumer requests in exercising their rights, there are further obligations on businesses under the CCPA.
As well as the notice requirements specified above, a business that sells consumers' personal information to third parties needs to provide notice to consumers of the same and that consumers have the right to opt out of the sale of their personal information. A business must provide a "Do Not Sell My Personal Information" link on the homepage of its website that links to an Internet webpage that enables a consumer to opt out of the sale of the consumer's personal information.
A business must not sell the personal information of consumers less than 16 years of age, unless the consumer, in the case of consumers between 13 and 16 years of age, or their parent or guardian (where the consumer is less than 13 years of age) has positively provided permission to the sale of the consumer's personal information.
- The rights of consumers under the CCPA, including the right to opt out / “Do Not Sell My Personal Information” requirements;
- Details of how to submit a request to exercise their rights; and
- A list of categories of personal information relating to consumers that is collected, sold and disclosed for business purposes.
Businesses cannot discriminate against a consumer who exercises any of their rights under the CCPA.
However, a business may charge different prices or provide a different quality of goods or services if the difference is reasonably related to the value provided to the consumer by the consumer's data. A business may also offer financial incentives to a consumer for the collection, sale, or deletion of personal information on a prior opt-in consent basis.
What are the key things to consider when handling personal data?
As well as the exercise of rights that the CCPA provides and the specific online requirements, there are security measures organisations need to consider due to the liability that the CCPA places on businesses.
The CCPA holds businesses liable to consumers directly and open to penalties from the Attorney General when a consumer’s “nonencrypted or nonredacted personal information […] is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.”
What is meant by “reasonable security procedures and practices” is not defined under the CCPA and is likely to be subject to further development by the Attorney General. However, a number of security measures have historically been endorsed by the Attorney General that may be a useful point of reference in order to mitigate any risks by incorporating these into a CCPA compliance program.
In 2016, emphasis was placed on the Center for Internet Security controls as a baseline for any information security program. Full details can be viewed in the then Attorney General’s 2016 Data Breach Report.
While assessing your overall CCPA compliance efforts, we understand that dotdigital is one of many tools your organisation uses to store and process personal information. There are a number of features built into the Dotdigital CPaaS platform that help support your compliance requirements.
Responding to disclosure requests
When responding to valid disclosure requests, businesses need to provide details of categories of information held about a particular consumer.
dotdigital holds the data that our users have uploaded to the platform in a database. Our users have full control of and access to their data, including the ability to search, import, export, delete and forget contact profiles and to modify the data as needed.
To export the data on a profile, use the profile search to find the customer profile and then use the export button to export all data associated with that profile.
In the event that we receive a disclosure request from one of your clients (a consumer), we will pass on any request for data for which you are the organisation managing their data so that you can manage the request.
Responding to deletion requests
dotdigital will be one of the places where you hold data about your clients and will need to be considered when responding to deletion requests. You can delete data in your account at any time (including when responding to a request for a consumer to be deleted).
dotdigital holds profile data for as long as clients use the platform and keep data within their account. Message history data is held for as long as specified by the client with a default of 13 months and is retained for at most a further 90 days for support and billing purposes.
There are two ways to remove personal data from our systems. You can delete Profile data on your account at any time. Using the 'delete' function removes the profile but allows agents to re-add data on that customer in the future. Using the 'forget' function permanently removes the Profile and prevents agents from re-adding information. You can also respond to a request for a data subject to be deleted by erasing all messaging history references. To do this, find the customer profile under “profile search” and click on the selected profile to see the list of properties associated with it; from there you can remove personal data from those properties.
If an individual’s data is being erased due to a deletion request, the client will be able to identify and delete their profile. The profile and all messaging history associated with it will be retained for a further 90 days for support and billing purposes only.
If an individual’s data is being deleted because they are no longer a customer, the dotdigital off-boarding process will be employed to delete the client’s Account and all their profiles and associated messaging history. All deleted data stays in the recycling bin for 90 days before final total deletion. To delete a profile, use the profile search to find the customer profile and use the 'Delete' profile button or the 'Forget' profile button. Both remove the profile and all associated data from the account, but 'Forget' also prevents agents from re-adding the profile to the system.
At the end of a contract, all clients have the right to delete their data before we close the account on their behalf. When they do so, accounts are terminated and associated data is deleted after 90 days. If a client does not delete their data, on closing the account it is suspended which means data is finally deleted 90 days after Account suspension.
Security is an integral part of the CCPA and you need reassurance that your suppliers have appropriate processes and measures in place to support your compliance obligations. dotdigital takes the security of our clients’ data very seriously and a summary of our processes and policies is below.
Our process for reporting breaches concerning the data of individuals is addressed in our Data Processing Agreement and more specifically addressed in our Incident Reporting Policy.
In relation to the data our clients store with us (where we are a data processor), we will notify any affected client (data controller) of a data breach as soon as practically possible, and in any event, within 24 hours of discovering the breach.
Where is data stored?
To safeguard the confidentiality, integrity and availability of data, the core dotdigital platform is hosted in high-security Microsoft Azure data centres. All Azure facilities meet a broad set of compliance standards, and Microsoft publishes details of these together with a map of Azure data centre locations.
Comapi also utilises Google Cloud services in West Europe and the UK. These hold copies of Comapi data for disaster recovery purposes. Google publishes details of its cloud security measures.
What security measures does dotdigital have in place?
dotdigital maintains ISO 27001 Information Security Management certification in relation to the Dotdigital CPaaS platform. A copy of the certificate is available.
Details of our technical and organisational security measures are provided below:
dotdigital employs dedicated privacy & compliance and security teams (with a nominated Data Protection Officer) to oversee the security, privacy and compliance programs of the organisation.
Personnel Security (Human Resources Security)
dotdigital maintains starter/leaver policies and procedures which include conducting background checks (where available) on employees joining the organisation, and revoking access rights on termination of employment.
Physical & Environmental Security
dotdigital restricts access to workspaces, and to the secure data centre facilities where information systems that process personal data are located, to identified and authorised individuals.
Workstation Security & Server Security
Within dotdigital, we:
- Employ a maintenance schedule that facilitates the timely installation of security updates
- Install and regularly update anti-virus software
- Commission annual independent build reviews of workstations and servers
- Use role-based permissions to restrict access
Within dotdigital, we:
- Deploy firewalls at network perimeters, running management-authorised rule sets
- Maintain a vulnerability management program to regularly assess the security of network perimeters
- Subject both internal and external networks to annual independent security assessments
- Undergo annual independent technical security reviews and maintain, at a minimum, Cyber Essentials Plus certification.
Full copies of our information security policies are available under NDA. If this is required, please reach out to your account manager or our support teams.
If you have any further queries in relation to dotdigital and CCPA compliance, please contact firstname.lastname@example.org.
The information in this document is for general guidance and is not legal advice. If you need more details on your obligations or legal advice about what action to take, please contact your legal advisor or attorney.