"I’m just a law whose intentions are good / Oh AG, please don’t let me be misunderstood."
- Nina Simone, Don’t Let Me Be Misunderstood, as adapted by the DWT Privacy & Security Team
Since its enactment in the past year, the California Consumer Privacy Act (CCPA) has been the subject of hundreds of news reports, blogs, webinars, and even attorneys’ bad dreams. But despite the constant flurry of discussion, many aspects of the law remain mostly misunderstood by the organizations looking to achieve compliance.
To help you cut through the barrage of information, we debunk some common CCPA myths and misunderstandings, through the lens of some of our favorite adapted lyrics.
(1) C Is for Anonymous Cookie, That’s Good Enough for Me
Organizations often think their online marketing operations are outside the scope of CCPA because the data involved are captured by cookies and “cookies are anonymous.” The reality is that the type of data collected by cookies is indeed within the scope of the law; specifically, the law considers any “unique identifier” to be personal information (“PI”) and defines “unique identifier” to include “a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology.” Cal. Civ. Code § 1798.140(x).
And even if unique identifiers were removed from the data set, the type of information generated by cookies is often “information regarding a consumer’s interaction with an Internet Web site,” which is called out on its own as a form of PI. Cal. Civ. Code § 1798.140(i)(F). In fact, the CCPA does not mention anonymous data at all and certainly does not exempt some category of “anonymous” data from its reach.
(The CCPA exempts de-identified data, but the definition is so difficult to meet that it’s likely no data meant to represent an individual person, regardless of what fields are excluded, could actually be considered de-identified.)
Oh, cookie, cookie, cookie has PI. (with thanks to Sesame Street)
(2) Every Step You Take / Every Move You Make / Every Bond You Break / I’ll Tell You I’m Watching You
Transparency about privacy practices is indeed a large component of CCPA compliance, but fully meeting the obligations of the law requires more. The CCPA requires an organization to add forms on its website to intake access, deletion, and opt-out requests—and, implicitly, to then build back-end processes that implement these requests within the time frames the law sets.
An organization cannot simply add a description of California consumer rights and call it a day; rather, it has to go through each category of personal information enumerated in the law and state what it collects, where it got it, and who it shares it with. This level of detail typically requires an extensive investigation of an organization’s own practices—perhaps even a full data mapping exercise. (with thanks to Sting)
(3) Hello, Can You Hear Me? / I’m in California Dreaming About Storing Data in India / When We Were Younger and Free / I’ve Forgotten How It Felt Before Privacy Law Fell at Our Feet / There’s Such a Difference Between Countries / And a Million Miles
The EU General Data Protection Regulation (GDPR) and the global laws modeled on it all restrict transfer of data outside their jurisdictions. The CCPA, however, is silent on the issue of transfer.
No special disclosures are required to inform consumers that their data may be transferred out of California, nor are special transfer agreements required with vendors outside CA who might receive the data (updates may be required, however, to classify them as service providers, as noted in Myth #2 above). (with thanks to Adele)
(4) She Works Hard for Her Access Rights
There is widespread confusion about whether the CCPA covers employee data—likely because amendments to change the law on this point are still pending and have changed several times. As passed in June 2018, the CCPA defined “consumer” to include employees. AB25, which the California Assembly passed earlier this year and is now waiting for a vote in the California Senate, would do two things:
- (A) Continue to require organizations to put out privacy disclosures regarding their practices with regard to employee data, in the format specified in the law; and
- (B) Suspend employee rights related to access, deletion and opt-out for one year, presumably to allow legislators to consider other bills that would be more tailored to the specific privacy issues that arise in the employer-employee context.
In short, organizations cannot write off obligations related to employee data and need to be aware of the risk that AB25 may not make it through the legislature by the Sept. 13 deadline. (with thanks to Donna Summer)
(5) Software Has Run, Software Has Crawled / IT Have Scaled These Firewalls / These Firewalls / Only to Be With You / But I Still Haven’t Found PI I’m Looking For
Survey tools can assist data mapping efforts, but they are not a magic bullet. Gathering quality information through such tools requires counsel to make a number of design decisions about what the surveys should look like and who should receive them—there is no such thing as an out-of-the-box survey that works for every organization.
Stakeholders need to receive training about the CCPA so that they are all operating off the same definition of PI in responding to questions—which in itself involves dispelling myths they may have about certain data being “anonymous.” Much information needs to be collected about data stored with vendors—which data owners may not have on hand and have to chase down.
The effort required for counsel to implement a good survey process should not be underestimated. (with thanks to U2)
All of this boils down to the idea that CCPA compliance is a much more complex topic and lengthy endeavor than may have been initially obvious from news reports and blogs. With less than 16 weeks left until implementation, it’s time to stop “waiting for the law to change.” (with thanks to John Mayer)