Hi, this is Sukarno Goswami, Associate Editor with Information Security Media Group. CCPA continues to pose challenges for organizations. There are ambiguities which remain uninterested. With less than 40 days to go for CCPA implementation, what steps can companies take to fulfill CCPA requirements against these ambiguities?
Speaking more on this is Kathleen Fennessy, Research Director, International Association of Privacy Professionals. Welcome, Kathleen, to the ISMT discussion. Thank you, it's a pleasure to join you. Thank you, Kathleen.
So, Kathleen, as part of IAPP, you must be interacting with businesses on how they can be CCPA compliant. What are you hearing from businesses, and what are they finding tough to comply with? Yeah, thank you for asking. We are interacting and engaging with a lot of businesses on CCPA right now.
I'd say it's top of mind for most companies. And actually, this past summer, we conducted a focus group with some smaller businesses. And what we heard from them, I think, is consistent with what we're hearing from larger businesses as we do trainings and conferences around the world, which is that getting vendor contracts in place to comply with CCPA is probably their topmost concern. And what we heard from the small businesses was that they were, back in August, at least very much in wait-in-see mode.
They were waiting for the biggest players in the field to act first to give them contracts in line with CCPA that they would then plan to kind of replicate downstream. As we interact with some of the bigger players, figuring out what those vendor contracts should look like is their biggest challenge. Because many of these companies have to put in place new data processing agreements to comply with GDPR. Which, like we recall, went into effect in May 2018.
So they feel like they just did this, and now they realize that they really need to do it again. And that is a huge lift for many companies. And so that is the thing that I think they are most focused on right now. So Caitlin, you said they did it once for GDPR and they have to do it again for CCPA.
So is there a major difference between the way the contract has to be designed to meet the two compliances? Well, I think that there is a lot that companies can do to leverage their GDPR compliance effort. And that includes a lot of the components that they put into vendor contracts, such as making very clear what the business purposes are for processing, what personal information is being shared with vendors, and for what purpose, what they can process it for, and what they can't. So all those components will be really important for CCPA.
The key component and what is causing challenge and focus with regard to CCPA is the notion and delineation between service providers and third parties. And, you know, there's some parallels here between the notions of processor and controller under the GDPR, but the CCPA creates really specific requirements for the business that originally holds the information, the covered business, when they transfer data to a third party who can use it for their own purposes, versus when they transfer data to a service provider, which is only using it for the specified purposes pursuant to a contract and they can't further sell it. I'm happy to talk further about that delineation, but that is why new work is necessary on the vendor contracts on top of GDPR. Sure.
So elaborating more on that. So clearly there's a confusion on who is a service provider and who is a third party contractor. So basically businesses are unable to determine this. Can you explain why there is a confusion and what is your advice to companies?
Sure, sure. So, you know, I think not all companies will face a lot of confusion between these terms. But the reason this becomes so important is because one of the most novel elements of the CCPA is the requirement that businesses place a button on their website that says it allows a California resident, a consumer, to click, do not sell my personal information. So business under CCPA has to put this button on their website whenever they are transferring personal information to another entity, a third party, for valuable consideration.
And that's a really broad notion of sell. So the idea here is that an individual can opt out of the sale of their personal information by clicking on the sign. Businesses do not have to place that button on their website if they're not selling personal information. And one of the ways to kind of show that you're not selling it is to make clear that you're transferring it to a service provider, that you're not giving it to another entity that can use it for their own reasons, but rather you're transferring it to a service provider for your own business purposes pursuant to a contract that also prescribes that a service provider cannot sell the personal information.
I just want to kind of make that clear why this distinction is so important. Now the reason it's difficult is that for many businesses there are a blurry line between who is a service provider and who is a third party. Maybe they're serving, the vendor is providing services to the business using the personal information, but also using that personal information for their own analytics purposes. Maybe they're repackaging the analytics information that they clean from that data and reselling it to a broader audience.
And so there's this question as to where the line lies between using it for the business purpose and using it for the vendor's own purposes. And I think this really comes to a head in the ad tech space because companies in the ad tech space are sometimes providing services directly to a business. Perhaps they drop a cookie on the business's website, but also using the inside means to repackage and provide to a broader audience. And so that's where it gets fuzzy and I think there's still a lot of discussion.
But clearly there is no clarity from the Attorney General as of now on this. Well, you know, the Attorney General provided a set of draft regulations that I think do add clarity to a lot of parts of this law. This one is complicated and I think remains complex despite those draft regulations. But there's an opportunity for public comments on those regulations.
It does close December 6th. So there's a potential there will be additional clarity on this point. I think what some lawyers are recommending here and what I can offer as just pointing to some of the advice that has been provided is that making the delineation between service providers and third parties can be done and understood in conjunction with those vendor contract updates. So some lawyers are recommending that as you look at the different type of relationships you have, one option is to just make very clear in the contract where there is some ambiguity that the recipient will only act as a service provider and will only process that personal information pursuance of business purposes and not for it or sell it.
So that is one recommendation we're seeing out there. Sure. So, Gatling, I know there is a 40 days to go for this implementation, but what are the steps that an organization just looking at the CCP for the first time should follow to prepare for a CCP? That's a great question.
So, you know, this is right upon us, but recognize that the privacy landscape is constantly changing. So businesses are grappling with a lot of different changes at once. I would think there's kind of five steps that a business should follow to prepare for a CCP? I think the first step is determining who you are under the CCP?
So are you a covered business that has gross revenues over $25 million annually, buys or receives the personal information of over 50,000 California residents, or derives 50% more of your revenue from selling consumers' personal information? So that would be a covered business. Or are you a third party or a service provider? So the first step is how does the CCP apply to you?
The second step, we've kind of discussed already, is taking a look at your vendor relationships and getting your vendor contracts in order. And that's pretty critical, not only because it ties in with other provisions, but also just to limit your organization's own liability and make very clear what can be done with personal information you share with vendors. This is an area we've seen additional enforcement in of late, and so doing that due diligence is critical. Step three, I'd say, is updating more privacy notices.
So the CCP requires companies to provide notice in a few different ways. So one is just making sure the company's privacy policies are in order. And this speaks to things like describing the rights of access and deletion, methods for contacting the organization, the type of information that is collected, from whom, and for what purposes. But CCP also requires two other notices.
One is notice at the point of collection. And at the point of collection, businesses have to provide information on the categories of personal information collected and the purposes of use of that. And then the other notice is that last piece that we talked about, that if a business determines they are selling personal information, they need to provide that opt-out button to the sale of personal information. So that, I would say, is step three.
Step four is kind of getting your back-end processes in place to enable consumer requests and engagement, as well as opt-out of sales. So this is just all the processes that you have to put in place to receive and respect a consumer's request and make sure your record-keeping is up to part as well. And one of the key components that comes into place there is the verification that is required under CCPA. CCPA gave the attorney general the authority to create a detailed process around verification to make sure that the individual that is reaching out to exercise their rights is who they say they are.
And that is really critically important also to avoid unintentional data breaches that could occur if you're not dealing with who you think you are. So I would say that the final step to just think through on an ongoing basis is employee training. CCPA actually mandates that the customer-facing employees of dealing with individuals are trained on CCPA requirements, understand what CCPA requires them to do. But I would look at the training as a broader component here as well, which is just that CCPA is still changing.
We have the AG regulations to come, and we also have the potential for another ballot initiative, what folks are calling CCPA 2.0, which could create further change in the requirements for businesses. So making sure that employees are aware of these developments and respect them is critical. Sure, Ketting. Thanks a lot for sharing your thoughts and suggestions and how best companies can adhere to CCPA guidelines.
Well, thank you so much for asking. It's been great speaking with you. Thank you. You've listened to Ketting Finise.
For ISEN Genesia, this is Super Naguswamy. Thank you for listening.