CCPA Regulation Update: Addressing Indirect Collection
In our fourth, and final, piece related to the California Attorney General’s proposed regulations to the California Consumer Privacy Act (“CCPA”), we answer one of the strangest questions that a business may encounter: what happens if a company collects personal information via a third party? Without a direct relationship between the business and the consumer, it would be impractical, if not impossible, to give notice to a consumer. On March 11, 2020, a new provision was added to the proposed regulations addressing this issue. So when would "indirect collection" occur, how does the CCPA address the lack of a direct relationship, and when, if at all, would a business need to give consumers notice?
When Might a Business Collect Information Indirectly?
Businesses may collect personally identifiable information about consumers indirectly through web platforms like Facebook and Google, or by purchasing that information, like a consumer list, as part of an asset deal between two entities. Furthermore, businesses could purchase data from certain complementary entities in order to send directed advertisements for complementary goods (e.g., receiving hotel advertisements after purchasing plane tickets).
How Do the Regulations Address Indirect Collection?
The new regulations state that businesses that do not collect personally identifiable information directly from a consumer do not need to provide a notice if they do not sell that consumer's personal information. While "sale" remains broad under the CCPA, this provides an easy “out” for information that, generally, would not be further shared by the business after receiving it. A disclosure would still be required from the business that originally collects the information, and from any subsequent entity down the line if it also sells information, but this clarifies that the CCPA does not require businesses to track down consumers. However, it does impact marketing companies and data brokers more, as these entities: (a) are more likely to purchase large amounts of data from various sources, and (b) are more likely to distribute this information for some sort of gain to themselves.
How To Comply?
The first step a company must take is to determine whether it is collecting personally identifiable information from third parties, such as Facebook. After this, the business needs to determine if it then further sells this information (i.e. any transfer where something of value is exchanged on both sides). If a business does not further distribute or exchange the information, no further action is required. However, if a business does distribute the information, the business should ensure it can contact the consumer and provide notice as soon as is reasonably possible.
The Attorney General is supposed to begin enforcement of the CCPA on July 1, 2020. While the time to reach compliance is rapidly shrinking, it is more important than ever to form a compliance plan for the CCPA if you do not already have a plan in place. If you decide to prepare with us, our firm has created a 90-day CCPA compliance program (which can be expedited to 60 days) where our team will collaborate with you to determine a scalable, practical, and reasonable way for you to meet your needs, and we will provide a free initial consultation.