White Papers

CCPA Compliance: Where Do I Begin?

Issue link: https://insights.redspin.com/i/1081440

Contents of this Issue


Page 2 of 4

Consider This…. Page 3/5 CCPA Compliance: Where Do I Begin? 9/20/19 and means of the processing under the California Civil Code Article 1798.140 (c)(1)"]. As the next step in identifying if an entity must comply with the requirements of CCPA, assess if they are acting as a data controller. Generally, a data controller is an entity that determines the purposes and means of processing personal data. An example would be a healthcare organization that is also an employer that collects the personal data of employees. The company decides what data is collected as well as how it is used, disclosed, and maintained. A data processor is responsible for processing personal data on behalf of a controller. An example would be a healthcare organization that hires a vendor to manage employee payroll. The company transmits the personal data of employees to the vendor. The vendor is an example of a processor. If your organization has undertaken compliance efforts to comply with foreign data protection laws like the General Data Protection Regulations (GDPR) of the European Union (EU), then past assessments can provide direction. If your organization has not had prior experience with global data protection laws, resources 5 are available to assist in identifying a data controller as well as distinguishing them from a data processor (e.g., check the website of the UK's Information Commissioner's Office 6 ). It is expected that the California attorney general will issue guidance on determining the "means and purposes" under the CCPA. It is possible that future CCPA guidance will create a gap between the California law and the GDPR. However, the definition of who is a "controller" is a core concept for many data protection laws and has been shown to be interpreted consistently. Measure Your Revenue & Determine if You Are Engaged in Data "Sales" CCPA will apply to an entity that is a for-profit organization acting as a data controller that meets one of the three thresholds for revenue or data sales as defined in the law. Under CCPA, any entity with $25 million in gross revenue qualifies as a "business." There are some open questions as to whether the $25 million threshold operates at the enterprise level (i.e., revenue of a single entity is combined with that of its corporate parent, subsidiaries, or affiliates) and whether revenue not derived from California is counted. In the absence of advice from counsel or subsequent clarification through guidance from the California attorney general or legislative action, we recommend erring on the side of caution. Under the provisions of CCPA, any entity "alone or in combination" that sells or shares for commercial purposes or that buys or receives for commercial purposes more than 50,000 records of California residents, "households," or "devices" per year qualifies as a "business" under CCPA. There is general agreement by legal experts that the definition of "sale" and "commercial purposes" in the act are unclear, making multiple interpretations possible. In the absence of advice from counsel or subsequent clarification through guidance from the California attorney general or legislative action, there is some risk in these analyses and they will need to undergo revision as CCPA evolves. A common assumption is that the CCPA seeks to curb and control how data brokers conduct sales or transfers of consumers' personal information. However, under the law entities that would not be traditionally considered data brokers may be conducting sales under CCPA. High risk activities would include controller to controller transfers without consent of the data subject, controller to data processor transfers without an appropriate contract containing assurances for CCPA compliance, and transactions in which the data is repurposed. Some Healthcare Businesses Are Exempted Businesses are fully exempt from CCPA's privacy requirements for data that is regulated by the HIPAA standards, for providers under the California Medical Information Act (CMIA), and for clinical trials subject to the Common

Articles in this issue

view archives of White Papers - CCPA Compliance: Where Do I Begin?