SME and Data regulation: A Paradigm Shift CCPA bolstering privacy rights at the expense of SMEs?
Imagine your credit card details or other personal information flying all over the internet. You have no idea how this happened, only to realize later, some organization that you had transacted with is the source of the leak. Data is the new oil in the 21st Century, where the digital economy is growing by leaps and bounds. From e-commerce websites to online Food ordering apps, the digital era has reshaped how consumers interact with industry. However, the digital world that surrounds us has fallouts similar to everything that has pros and cons attached to it. Laws protect the vulnerable and hold the violator accountable, thereby creating an even playing field for all the stakeholders. Instances of a data breach are more common than once thought. Cambridge Analytica data scandal, Adobe data breach are a few examples that highlight the vulnerability of consumer's data collected by organizations.
In the background of data breaches, the State of California enacted CCPA to empower its residents that brings them out of a dilemma onto firm ground.
WHAT IS CCPA?
California Consumer Privacy Act (CCPA) is a data privacy law enacted by the State of California. The act grants more autonomy to consumers over their data, which is collected by the Organization, Company, or any entity as the case may be. It sets a benchmark for business platforms to adhere to when managing data of residents of California.
WHY IS THE CCPA REQUIRED?
As earlier stated in the article (example), to prevent scenarios wherein data breach in an organization occurs, thereby jeopardizing the privacy interests of persons whose data is leaked. The next logical question is, what if a data breach does happen?
WHAT ARE THE REMEDIAL STEPS?
The CCPA answers the above questions, along with other knotty data protection queries. It grants individual Privacy Rights or autonomy over data collected by an entity. We will discuss the rights later in this piece. From a broader perspective, it attempts to thread the needle concerning data protection between two disparate groups, i.e., Business houses and consumers. Furthermore, CCPA actualizes and concretizes the Fundamental right of Privacy. CCPA strengthens and prioritizes the culture of Privacy in the same manner when a decade back culture of compliance was emphasized by the financial regulators to fight corruption.
AMBIT OF CCPA
CCPA has three conditions, and on fulfillment of any, the CCPA will automatically apply to the respective for profit organization. The three conditions are: Any for-profit organization that sells the personal information of more than 50,000 California Residents, households or devices, or have an annual gross revenue exceeding $25 million, or It generates 50% of its annual revenue from selling the personal information of California residents. Sale of Personal Information (PI) is defined in the CCPA as "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration." An entity that owns or is owned or shares a familiar brand with a business that is CCPA covered automatically falls within the purview of CCPA. Besides, an organization should not necessarily have a physical existence in the State of California. The only requirement is that you must be doing business in California. "Doing business in California" isn't defined under CCPA. However, if some entity is serving the residents of California or derives significant profit from its activities in California, then CCPA will apply to the entity.
WHAT DOES CCPA BRING FOR THE CONSUMERS?
Under CCPA, California consumers have the following rights, which means the affected business has the corresponding obligation: The right to know what personal information business is collecting and how that information is being used and shared; The right to a copy of the personal information a business holds about a consumer; The right to delete personal information a business holds about a consumer; The right to stop the sale of personal information by a business; and The right to have equal service and price, even if a consumer exercises their privacy rights. The information must be delivered free of charge to the consumer, in a portable format, and typically within 45 days. The first step to complying with any requests from consumers is understanding your current data practices. SMEs AND CCPA Small and Medium Enterprises (SMEs) contribute to the National and Global Economy in a remarkable way. Let me throw some facts here to help you understand the significance of SME: SME represents about 90% of businesses and more than 50% of employment worldwide. Formal SMEs contribute up to 40% of national income (GDP) in emerging economies. These numbers soar when we consider informal SME. Although the conditions mentioned would seem to exclude small industries, on a careful reading, 50,000 residents per year come down to less than 150 visitors on your website. Besides, it's just not the user data but the device or household information that creates ambiguity. For instance, an organization is serving the California Residents has some part of its business process outsourced in India. It can be the customer support team of the Organization is provided by an Indian entity. Personal information will be exchanged between the organization and the outsourced entity to facilitate customer service. Under CCPA, both organizations on and the outsourced entity will have to implement practices that are adhering to CCPA. Consequently, this increases the cost of compliance for both organizations and the outsourced entity. Ultimately it is the consumers who will have to bear the inflated prices.
HOW WILL THE CCPA COMPLIANT SMEs STAY COMPETITIVE WITH OTHER SMEs THAT ARE PRODUCING THE SAME ARTICLE AT LESS COST BECAUSE OF THE ABSENCE OF COMPLIANCE COST?
It's a double whammy for SMEs, which don't have a large cash reserve as large scale industries but have to comply with CCPA and GDPR. Besides, the entities must incorporate practices that will actualize consumer rights, as mentioned in the previous section. It will entail compliance costs and other regulatory requirements, such as appointing data expert personnel.
WHY SHOULD YOU CARE?
There are also many provisions in the CCPA which are ambiguous, and only judicial interpretation can lift the ambiguity surrounding it. However, lack of clarity may lead to penalties unfairly imposed on organizations by the executive wing of the state. The California Attorney General's Office is responsible for enforcing the CCPA. If an entity violates CCPA, The AG's office will notify the entity about the violation. The respective entity will have 30 days to fix the violation. If, after 30 days, the organization hasn't rectified the breach of CCPA provision, or the AG concludes the Organization can't remedy the breach, then a fine of $2,500 to $7,500 for shall be imposed. Furthermore, a CCPA compliant organization generates goodwill among customers; therefore, in the long run, it will lead to more revenue and an increase in customer base.
HOW CAN ENTITIES COMPLY WITH CCPA?
Constituents of a comprehensive CCPA compliance process
a) Data Delineation: It is the rudimentary step in charting out a course for a CCPA compliant entity. Data Delineation entails identifying what type and what is the source of the data collected by the organization. Any third party URLs that your website hosts or third-party cookies through which the respective third-party entity collects data about the visitor to your website. It helps in categorizing data in under specific headings:
• source, • purpose, • people who have access to the collected data, and • Removal of data from the database once it fulfills the purpose of its collection.
b) Data storage Where is the data collected stored in your Organization, or is the storage outsourced? Does your existing contract require to be reviewed with the third-party vendors that are involved in processing the data that you collect?
c) Data sharing The entities or organizations with which you are sharing the data. Are they handling the data according to the CCPA standards?
d) Technology You should realize that although CCPA is a legal requirement, for an entity to be CCPA compliant, the synergy between legal and technology/IT is an indispensable element. For a smooth transition of an organization to a CCPA-compliant Organization, legal and technology/IT must work synchronously. Although CCPA requires legal compliance in a significant way, you cannot sidestep the role of technology in the process of making your firm CCPA compliant. One of the essential elements of compliance is how to secure the information collected and stored by the organization. A weak firewall is vulnerable to data theft. Hence the firm can find itself at the wrong end of the CCPA stick. It is the collaborative effort of the legal and technology team that can ensure a CCPA compliant organization.
e) Data Breach plan There is a possibility that a data breach may happen in your Organization or at your vendor Organization. You should always prepare a data breach plan. The plan includes essential elements: • Identify where the data breach has occurred, • Informing the relevant authorities about the breach, • Informing the data breach affected users, mitigation plans, subsequent steps after the breach has occurred, etc.
f) How long must the data be stored? The gold standard is that the holder of data must delete the data from the database once the purpose of the collected data is realized. It is necessary to delete the redundant information because it reduces the responsibility of the Organization vis-à-vis the amount of data stored.
HOW DOES CCPA IMPACT ENTITIES HAVING A WEBSITE?
You need to modify your website to ensure it's compliant with the CCPA provisions. Your website must before or at the point of data collection from the user conspicuously state kinds of information and the objective of collecting data. Visitors to your website must have access to a Do not sell my personal information link. The link provides a way for users to withdraw from any transaction that is related to third-party data sales. If the visitor is below 16 years old, then you must get their consent before you sell their data to the third party. For users below 13 years old, a parent or legal guardian must grant permission on behalf of such a user. Your website should mention the Rights users have under CCPA and how the users can actualize their rights. When you receive a verifiable request from the user and the query is related to disclosure of information collected by you. You must render without charging any fee to the respective user records of personal data collected in the last 12 months. The document shared must contain details like sources, commercial purposes, and categories of third parties with whom it has been shared. You must not differentiate among users based on the preference of each regarding the sharing of data with the third party.
About the author:
Suryash Kumar, working at Vidma Consulting Group LLP, who loves exploring the uncharted territories. He has always been fascinated by the legal field, and he believes writing is one of the ways through which he contribute to the growth of the legal field.