This topic is provided "as-is." Information and views expressed in this topic, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. This topic has been created as a guide and should not be construed as legal advice. You should consult with your own legal professionals. This topic does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this topic for your internal, reference purposes.
What is the CCPA?
The California Consumer Privacy Act (CCPA) is the first comprehensive privacy law in the United States. It was signed into law at the end of June 2018 and provides a variety of privacy rights to California consumers. Businesses regulated by the CCPA have a number of obligations to those consumers, including disclosures, General Data Protection Regulation (GDPR)-like rights for consumers, an 'opt-out' for certain data transfers, and an 'opt-in' requirement for minors.
Who needs to know about the CCPA?
The CCPA only applies to companies doing business in California that annually satisfy one or more of the following: (1) have gross revenue of more than $25 million, (2) derive 50% or more of their annual revenue from the sale of consumers' personal information, or (3) buy, sell, or share the personal information of 50,000 or more consumers, households, or devices.
When will the CCPA come into effect?
The CCPA goes into effect on January 1, 2020. However, enforcement by the Attorney General (AG) will not begin until July 1, 2020.
How will the CCPA affect my company?
Many of the rights the CCPA affords to Californians are similar to the rights the GDPR provides, including disclosure obligations and consumer requests similar to data subject rights (DSR) requests, such as access, deletion, and portability. As such, customers can look to our existing GDPR solutions to help them with their CCPA compliance.
To begin your CCPA journey, you should focus on five key steps:
- Discover: Identify what Personal Information you have and where it resides.
- Map: Determine how you are sharing Personal Information with third parties and identify whether each third party is subject to an exception from the CCPA opt-out requirements.
- Manage: Govern how the data is used and accessed.
- Protect: Establish security controls to prevent, detect, and respond to vulnerabilities and data breaches.
- Document: Document a data breach response program and ensure your contracts with applicable third parties are able to take advantage of the opt-out exceptions.
You need to understand what your organization's specific obligations are under the CCPA and how you will meet them; Microsoft is here to help you on your journey.
What rights must companies enable under the CCPA?
The CCPA requires regulated businesses that collect, use, transfer, and sell personal information to, among other things:
- Provide disclosures to consumers, prior to collection, regarding the categories and purposes of collection.
- Enable consumer rights relating to access, deletion, and portability of the specific pieces of personal information that you have collected.
- Enable a control that will permit consumers to opt out of the 'sale' of the consumer's data. However, certain transfers, like transfers to service providers, remain permitted.
- For minors under 16, enable an opt-in process so that no sale of the minor's personal information can occur unless the minor (or, for children under 13, a parent or guardian) has actively opted in to the sale.
- Ensure that consumers are not discriminated against for exercising any of their rights under CCPA.
What are the CCPA required disclosures?
The CCPA requires disclosure of the following:
- Categories of personal information of the consumer that have been collected.
- Categories of sources used in collection.
- The business or commercial purposes for collecting.
- The categories of third parties with whom the personal information is 'shared'.
- Categories of personal information that has been 'sold' and the categories of 'third parties' to whom each category of personal information was sold.
- Categories of personal information that has been 'disclosed for a business purpose' (that is, transferred but not a 'sale') and the categories of 'third parties' to whom each category of personal information was transferred.
- The specific pieces of personal information that have been collected about that consumer.
How is data 'sold' under the CCPA?
The definition of 'sell' in the CCPA is very broad, including 'making personal information available to' a third party for monetary or other valuable consideration. Where a consumer has elected to 'opt out', the business is required to turn off the flow of personal information to any third party that does not fall under an exemption.
The CCPA does provide a number of carve-outs to this 'sale' opt-out control. The three primary carve-outs are transfers (i) to a Service Provider, (ii) to an 'exempted entity' or 'contractor', and (iii) at the direction of the consumer. Even if a consumer has elected to 'opt-out', personal information can continue to transfer to third parties who fit into those carve-outs.
To take advantage of the first two exemptions, businesses will have to ensure that the transfers are governed by written contracts containing the specific terms required by the CCPA.
What do 'Businesses' and 'Service Providers' mean in the context of CCPA?
In the context of the CCPA, Businesses are individuals or entities that determine the purposes and means of the processing of consumers' personal information, and Service Providers are individuals or entities that process personal information on behalf of a business. These are broadly synonymous with the terms Controllers and Processors used in the GDPR.
How much can companies be fined for noncompliance?
The private right of action in the CCPA is limited to data breaches: unauthorized access and exfiltration, theft, or disclosure of a consumer's nonencrypted and nonredacted personal information that results from the business's failure to implement and maintain reasonable security procedures and practices. Under the private right of action, statutory damages range from $100 to $750 per consumer per incident, or actual damages, whichever is greater. The California AG can also enforce the CCPA in its entirety, with the ability to levy a civil penalty of not more than $2,500 per violation or $7,500 per intentional violation.
What is Microsoft doing to achieve CCPA compliance?
As Microsoft has implemented GDPR-related DSRs globally, we are currently in an excellent position to meet the related CCPA requirements. We have also reviewed our third-party data sharing agreements and taken steps to establish that the necessary contractual terms are in place to ensure that we do not 'sell' personal information.
What are some tools that can help my organization to start preparing for CCPA?
- Start leveraging the GDPR assessment in Compliance Manager as part of your CCPA privacy program.
- Establish a process to efficiently respond to Consumer Requests.
- Set up labels and policies to discover, classify and label, and protect sensitive data with Microsoft Purview Information Protection.
- Use email encryption capabilities to further control sensitive information.
- Learn more in this blog post.
What are the differences between GDPR and CCPA?
There are many differences. It's easier to focus on the similarities, including:
- Transparency/disclosure obligations.
- Consumer rights to access, delete, and receive a copy of data.
- Definition of 'service providers' that is similar to how GDPR defines 'processors' with a similar contractual obligation.
- Definition of 'businesses' that encompasses the GDPR definition of 'controllers'.
The biggest difference in the CCPA is the core requirement to enable an opt-out from sales of data to third parties (with 'sale' broadly defined to include sharing of data for valuable consideration). This is a narrower and more specific obligation than the broad GDPR right to object to processing, which encompasses this type of 'sale' but is not specifically limited to this type of sharing.
What are 'Processors' and 'Controllers'?
A controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. A processor is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.
What specifically is deemed personal information?
Personal information is any information relating to an identified or identifiable person. There is no distinction between a person's private, public, or work roles. The defined term 'personal information' roughly lines up with 'personal data' under the GDPR. However, the CCPA also covers information that relates to a family or household, not only to an individual.
Examples of personal information include:
- Home address
- Work address
- Telephone number
- Mobile number
- Email address
- Passport number
- National ID card
- Social Security Number (or equivalent)
- Driver's license
- Physical, physiological, or genetic information
- Medical information
- Cultural identity
- Bank details / account numbers
- Tax file number
- Credit/Debit card numbers
- Social media posts
- IP address
- Location / GPS data
How does the CCPA apply to children?
- CCPA introduces parental consent obligations consistent with The Children's Online Privacy Protection Act (COPPA) for children under the age of 13.
- For children between 13 and 16 years old, the CCPA imposes a new obligation to obtain opt-in consent from the child for any 'sale' of their personal information.
What about personal data from my employees?
In October 2019, a number of amendments were passed to the CCPA. One amendment clarified that the CCPA obligations do not apply to the personal information of employees of the business. However, legislators put a one-year sunset on that exemption. We expect California to legislate a new data protection law for employees in 2020.
As a Microsoft customer, do I need to implement the opt-out control for transfers to Microsoft?
No. As a provider of online services, we are taking steps to ensure that we qualify as a 'Service Provider' under CCPA. As noted above, transfers of personal information to service providers are permitted, even where a consumer has opted out.