By now, you’ve likely heard of the California Consumer Privacy Act (CCPA) that became effective on January 1. In an effort to explain CCPA in an understandable manner, we had a discussion with Prodege’s Stacey Olliff, SVP Business & Legal Affairs, who recently moderated a panel discussion titled “The CCPA and Beyond” at the Institute of Corporate Counsel in Los Angeles.
To kick off the conversation, as to who the CCPA impacts and what information is protected, Olliff explains: “The new CCPA broadly applies to almost every significant internet company with California operations or customers, as well as most other businesses. There are some exceptions for small businesses and certain industries and types of data that may be governed by other existing privacy laws, like HIPAA for healthcare data. It is important to note that CCPA protects “personal information” of consumers and others, which more broadly defined than the typical definition of “personally identifiable information” or “PII” that most businesses are accustomed to.”
As for the specific consumer rights offered by CCPA, Olliff states: “CCPA provides three basic rights to California residents: (i) a right to know what personal information a business has about them, (ii) a right to request that all of their personal information be deleted, and (iii) a right to request that their personal information not be sold. Obviously, these are broad concepts and there are lots of exceptions and limitations, such as a business’s right to retain and use data to combat fraud. Based on the first few weeks of experience under CCPA, we are seeing the vast majority of requests falling into the third category — requests that personal information not be sold — and we are implementing those requests promptly after we receive them without any difficulty. Incidentally, Prodege does not actually sell consumer personal information but the broad CCPA definition of “sale” may encompass relationships that would not typically be considered a sale by the average person.”
Olliff also details the thorough process Prodege undertook to ensure the company was CCPA compliant ahead of it going into effect. “Like most businesses affected by CCPA, we began our compliance efforts early in 2019 and were fully prepared for the new CCPA notices and other requirements that were added to our site and mobile apps on January 1, 2020. Compliance is an ongoing process as the pending CCPA regulations are finalized and other events occur, and we are closely following those developments to assure continued Prodege compliance.”
While CCPA has different requirements than GDPR, Olliff indicates that compliance with GDPR helped prepare for CCPA: “Clearly, our experience with implementing GDPR for our EU consumers made our compliance effort with CCPA easier, although it still required significant effort.”
As for whether we can expect similar laws to be rolled out in other states or on a Federal basis, Olliff says: “Yes. Nevada passed a privacy law that took effect on October 1, 2019, relating to the sale of personal data, though not as wide-ranging in scope as the CCPA. More states are expected to pass similar legislation, and there is an effort to pass a new Federal privacy law which will provide more uniformity across the country and a baseline for extending additional privacy rights to all Americans, and we support that effort. In fact, although it isn’t legally required, we are already generally voluntarily treating CCPA notices and requests that we receive from non-California residents the same as those received from California residents.”
Prodege is proud to protect the privacy of our members and ensure that our clients can confidently partner with us.