Real World Scenarios for the California Consumer Privacy Act
The California Consumer Privacy Act (CCPA) launches on Jan. 1, 2020. Businesses are wisely beginning to prepare. As we start looking at the practicalities, here are some potential real world scenarios and solutions to consider.
February 15, 2019 at 01:05 PM
Our business received a request for access to all personal information. What are our options to confirm the requester's identity?
After receiving a request for access to personal information, the business is allowed to validate the request, to confirm the requester is who they claim to be. This may include confirming that the request was made by or on behalf of a California consumer, because they are the persons with these rights.
The business must respond within 45 days of a verifiable request. The deadline may be extended once by 45 more days “when reasonably necessary,” as long as the requester is provided notice of the extension within the initial 45-day period.
If the business needs additional information to validate the request, it should ask for the minimum amount it needs to do so. This protects the requester's privacy and keeps your own collection to a minimum. One suggested approach is to ask the requester to confirm personal information that you already hold, rather than ask the requester to provide new data. This could include data linked to the requester's profile (for example, the account's login details or user name). One caveat: a password should only ever be checked through the normal login flow, where it is compared against the stored hash; never ask a requester to send a password to a support mailbox or type it into a request form, because that teaches customers to hand credentials to anyone who asks for them.
The business should establish a standardized process for validation and follow it. If the business had a process to confirm identity when it collected the data (such as confirming through a link sent to the email address on file), another option is to reuse that same procedure when validating a request: the requester proves control of the same channel the business verified originally, and the business asks for nothing new.
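The email-link approach above can be implemented so that the link itself carries no personal information and cannot be replayed or redirected. The following is an added illustration, not code from the article or from any of the vendors it names. It assumes the business already holds a verified email address for the consumer and stores the verification state server-side; the `privacy.example.com/verify` endpoint and the one-week validity window are placeholders chosen for the example. The token sent in the link is an HMAC over the request ID, the address on file, the expiry and a fresh nonce, so a token minted for one request cannot satisfy another, and it is consumed on first successful use.

```python
"""Single-use, expiring email-link verification for a CCPA access or deletion request.

Added example (not the article's code). Assumes the business verified the
consumer's email address at collection time and reuses that channel now.
"""
import base64
import hashlib
import hmac
import secrets
import time
import urllib.parse
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 7 * 24 * 3600  # assumed window to act on the link: one week
NONCE_LEN = 16
MAC_LEN = 32  # SHA-256 digest


class DsarVerifier:
    """Issues verification links for pending requests and checks the tokens they carry."""

    def __init__(self, server_secret: bytes, ttl_seconds: int = TOKEN_TTL_SECONDS):
        self._secret = server_secret
        self._ttl = ttl_seconds
        # request_id -> (email on file, expiry). Held server-side so the link
        # exposes only an opaque token and the request ID, never the address.
        self._pending: Dict[str, Tuple[str, int]] = {}

    def _mac(self, request_id: str, email_on_file: str, expiry: int, nonce: bytes) -> bytes:
        # Bind the tag to the request, the address we already hold, the expiry
        # and a per-issue nonce; a tag cannot be moved to another request or
        # another consumer's record without the server secret.
        parts = [request_id.encode(), email_on_file.strip().lower().encode(), str(expiry).encode(), nonce]
        return hmac.new(self._secret, b"\x00".join(parts), hashlib.sha256).digest()

    def issue_challenge(self, request_id: str, email_on_file: str, now: Optional[int] = None) -> str:
        """Record the pending request and return the link to send to the address on file."""
        now = int(time.time()) if now is None else now
        expiry = now + self._ttl
        nonce = secrets.token_bytes(NONCE_LEN)
        self._pending[request_id] = (email_on_file, expiry)
        raw = nonce + self._mac(request_id, email_on_file, expiry, nonce)
        token = base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
        # Hypothetical endpoint; only the address on file ever receives this URL.
        return f"https://privacy.example.com/verify?rid={request_id}&t={token}"

    def verify(self, request_id: str, token: str, now: Optional[int] = None) -> Tuple[bool, str]:
        """Check a clicked link. Succeeds at most once per request and only before expiry."""
        now = int(time.time()) if now is None else now
        pending = self._pending.get(request_id)
        if pending is None:
            return False, "unknown or already-used request"
        email_on_file, expiry = pending
        try:
            raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        except ValueError:  # covers binascii.Error and non-ASCII input
            return False, "malformed token"
        if len(raw) != NONCE_LEN + MAC_LEN:
            return False, "malformed token"
        nonce, mac = raw[:NONCE_LEN], raw[NONCE_LEN:]
        # Constant-time comparison against a tag recomputed from server-side state.
        if not hmac.compare_digest(mac, self._mac(request_id, email_on_file, expiry, nonce)):
            return False, "bad signature"
        if now >= expiry:
            self._pending.pop(request_id, None)
            return False, "expired"
        self._pending.pop(request_id)  # single use: a second click is rejected
        return True, "verified"


def token_from_link(url: str) -> Tuple[str, str]:
    """Extract (request_id, token) from a verification link, as the endpoint would."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    return query["rid"][0], query["t"][0]


if __name__ == "__main__":
    # Constructed sample: one request, one address on file, fixed clock.
    verifier = DsarVerifier(secrets.token_bytes(32), ttl_seconds=3600)
    link = verifier.issue_challenge("REQ-2019-0001", "Jane.Doe@example.com", now=1_000)
    rid, tok = token_from_link(link)
    print(link)
    print(verifier.verify(rid, tok, now=1_500))  # first click: verified
    print(verifier.verify(rid, tok, now=1_501))  # replay: rejected
```

The link is sent only to the address the business already holds, so the requester never supplies an address for the business to trust, and the verification record (who, for which request, until when) lives on the server rather than in the URL. Rotate `server_secret` like any other signing key, and log the outcome of each `verify` call with the request ID so the 45-day clock can be tied to the moment the request became verifiable.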
How can we track and respond to individual access and deletion requests?
This will largely be driven by the size of your organization and the amount of personal information you collect. If you have a small business with a few employees and collect little personal data, you may not get many requests. Prepare established workflow procedures, one for each type of request. Determine who will coordinate and respond by the deadline, and record the date each request was verified so the 45-day clock is unambiguous. The IAPP has published detailed guidance on designing these workflows.
If you're a larger organization and anticipate many requests, or don't have the resources to dedicate to a large volume of requests, you might consider an automated process through a service provider. Companies such as TrustArc, CyberScout and Data Grail offer such tools (no specific endorsement here). They can provide system integration, workflow management and compliance reports.
Our business sells personal information and wishes to keep this option. What do we need to do to keep doing so?
The CCPA doesn't prohibit the selling of personal information, but it adds an opt-out option that California consumers can exercise. The law requires very specific language in the opt-out link: “Do Not Sell My Personal Information.” It must be in a clear and conspicuous link on the company's home page. No colors, fonts or other details have been specified, though that could happen in future regulations.
[Image: example of a “Do Not Sell My Personal Information” link on a home page]
The link must take the requester to a separate internet page where the requester can opt out.
[Image: example of an opt-out page]
No particular language has been set for the opt-out. There is no precise time limit imposed but the business should comply with the opt-out request within a reasonable time.
Our business is updating its data breach preparedness policy. How does CCPA change data breach preparedness or response?
CCPA doesn't mandate or change anything specifically about preparing for or responding to a data breach. The CCPA states a duty of care on the business to have “reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” Businesses should continue to look to the applicable state(s)' data breach law for the specifics of how to prepare and respond; interactive maps summarizing the data breach statutes in all 50 states and the U.S. territories are available online.
What the CCPA does change about data breaches is that it provides a private right of action and specifies statutory damages. We can expect to see lawsuits filed by individual California consumers or class actions, arising out of data breaches that involved those persons.
Statutory damages of $100 to $750 per California consumer per incident (or actual damages, whichever is greater) are now specified for data breaches. This means that those persons will no longer have to prove actual damages, which has in the past been a considerable hurdle. “Private attorney general” lawsuits will likely also be attempted.
The statutory damages are currently only limited to matters involving data breach. They don't apply to the entire law. However, the California Attorney General has publicly recommended in a letter to the law's sponsors that the private right of action be expanded to the entire law.
We collect some personal information that's also publicly available. Does information that's made publicly available still count as “personal information” under the CCPA?
Yes, in most cases. The CCPA broadly defines personal information as information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This is the most far-reaching in any legislation we've seen, even more expansive than the EU's definition under GDPR. It's larger and different from the usual identifiers seen in U.S. privacy laws. The key is being able to link the information to a particular consumer.
If the information can be linked to a particular California consumer, the business should interpret it as covered under the CCPA. This is so even if the information appears publicly elsewhere. It would include, for example, business email addresses, business phone numbers and business addresses that are on public websites, and names and other information posted in public chat forums and review sites. In the interest of data minimization, consider whether you need to collect or keep this information.
This information is likely covered even if the consumer voluntarily posted or disclosed it. The CCPA's only carve-out for “publicly available” information is narrow: information lawfully made available from federal, state or local government records. Information a consumer put on a forum, a review site or a company web page does not qualify. The CCPA's concern is what the business does with it.
In getting ready for the CCPA, lead time is important to minimize costs, get processes in place and avoid surprises. It's a unique law with leading-edge requirements for U.S. businesses. The global wave of data protection laws shows no sign of slowing.
We may well see more California guidance on or amendments to the CCPA in the next months. Your company's specific situation may vary from these general potential scenarios, and further clarification may be helpful about CCPA in your real world.
Kelly Wilkins has been a Certified Information Privacy Professional/US for five years and has been guiding legal clients since 1991. She advises clients on how to manage risks from data, on data breaches, and on rapidly changing regulations like CCPA. She is a partner at Snell & Wilmer.