Chris Sundermeier is the General Counsel and Chief Privacy Officer for Reputation.com. We talked with him about the California Consumer Privacy Act, or CCPA, which goes into effect on January 1, 2020.
You recently wrote a whitepaper about the California Consumer Privacy Act (CCPA). The CCPA includes strong data protections, which could be a critical enabler for consumer confidence and trust. Is it fair to say that when consumers trust companies, they’re more likely to buy from those companies?
Yes. Customers are more likely to do business with a company if they know the company is careful with their data.
Which companies must comply with the CCPA?
The CCPA applies to any business that collects consumer data and that meets any of the following criteria:
- Has at least $25 million in gross annual revenue.
- Annually buys and sells or shares personal information of 50,000 or more consumers, households or devices for commercial purposes.
- Derives 50% or more of its annual revenue from selling consumer personal information.
Strictly speaking, “selling” data does not necessarily mean that the company gives someone data in exchange for dollars. Any time a company shares consumer data for some sort of consideration, it is “selling” that data.
If a company gives a recipient data in exchange for that recipient doing something for the company, that qualifies as selling data. Similarly, if two businesses have a partnership wherein one business provides consumer data to another business and that business does something for the provider in return, that is selling data, too. If the recipient of the data uses that data to profit and the originating company benefits as well, that constitutes a sale of the data.
What does the CCPA mean to Reputation.com customers?
Though the CCPA is technically a California law, it impacts consumers and businesses across the country. For example, right now, there are people headquartered on the East Coast who are all now going to have to worry about the CCPA if they do online business and have personal data for California consumers. Because the regulation applies across the country, Reputation.com customers nationwide are going to have to comply.
As for the future impact, the passage of the law will probably change the privacy landscape considerably. The fact that California has passed this legislation will likely drive the federal government to pass a similar type of legislation at some point.
What are California consumers’ rights under the CCPA?
One right is the right to stop a company from selling your personal data. Reputation.com doesn’t sell data, so it’s not hard for us to comply with that. We just have to communicate that to our customers.
The second right consumers get is the right to delete their data. It doesn’t mean you get to delete all data in all circumstances. Obviously, a company can keep records of customer sales made to a consumer. Companies are entitled to keep those records for specific purposes.
However, if the company just has you on its lists of customers or is sending you emails and so on, then you have the right to ask for that information to be deleted from the company’s system.
The third right is the right to know what data a company has collected about you in the last 12 months. So, that means you can send in a request to a company and say, “What personal data of mine have you collected?”
What is Reputation.com doing to help its customers comply with the CCPA?
We’ve created a dashboard within the Reputation.com product which allows clients to go search their platform, or their tenant in the platform, to determine the type of personal information that is in there for any individual. The client then has the ability to either export that information to give to their customer who has requested it or to delete that information.
Reputation.com is set to help our customers, particularly those people around the country who aren’t as focused on California law as we are, through this confusing time.
In what type of scenario would Reputation.com assist its customers with CCPA compliance?
Here’s an example: Suppose one of our automobile dealership clients has a customer that comes to us because we’ve sent them emails and says, “Please delete my data.” Once we verify the consumer’s request, Reputation.com is going to pass that request on to the automobile dealership. Then, the dealership can take care of deleting the data from its system.
How are CCPA provisions different from the typical “unsubscribe me” link that people click to remove themselves from a newsletter list?
The statute is actually fairly prescriptive. It says that, first of all, the request has to be a verifiable request made by a California resident, but it doesn’t really define what “verifiable” means. You have to verify that this request came from either the person making the request or someone who’s authorized to make it on their behalf in some way.
What does it mean for a company to delete someone’s data? As you say in the whitepaper, it may not include, for example, a transaction record. You couldn’t go and delete a history of sales purchases. So how does a company make that very difficult decision on what you actually delete and what you keep?
There are so many nuances to that. For example, our clients are sending review requests and surveys out to their customers for feedback. Well, there’s no reason for that data to be maintained other than to use it for those purposes. They’re going to be obligated to delete all that data.
What about the reviews? If any business requests reviews, does that constitute “data” under this regulation?
No. Personal information is defined. It wouldn’t necessarily include a review. Reviews are publicly posted reviews on a third-party website. So, I don’t think that is included within the “data.” We may import that into our systems, but that’s still public data.
What about surveys?
With surveys, again, a Reputation.com customer will be able to go in and search for a name or an email address and will get a, “Yes, we have this guy’s name and yes, we have this email address. He was sent a request to respond to a survey. Here’s his response.” They can delete all that.
Will they have to do so?
They are required to delete if it extends to personal data. If the survey response is detached from the name, address and phone number, it’s just an anonymized survey and they would not be required to delete it. So, they could choose to keep the survey responses for the value of the survey response as long as it’s not attached to a name and an email address, or to anyone’s personal information.
Because the CCPA makes California’s the most strict privacy standard, it is most likely to be the one by which businesses now comply or around which they build their privacy systems or their data collection systems. Does that sound accurate?
Yes. In a way, this is very similar to the GDPR. The GDPR applies to any citizen of the EU, wherever their data is collected. They have similar rights. They have the right to data removal. They also have what’s called the right to a subject access request, which means they can have the right to know what data you’re collecting about them. They don’t have a specific “don’t sell my data” right under the GDPR, but there are a handful of other rights that are similar.
In some ways, companies that have prepared for GDPR are going to be more ready to deal with this law. In a way, this is the California GDPR law.
It’s easier to appreciate now how the devil is in the details. It actually gets very tricky to implement in real life, even though everyone’s agreed about the spirit of the law.
For some companies, it’s going to be intensely complicated to do. For us, it’s a little easier because we aren’t in the personal data collection business. We tend to deal mostly with businesses, not consumers.
To learn more about the CCPA, download Chris Sundermeier’s white paper “Preparing for the California Consumer Privacy Act.”