CCPA: Restaurant Q&A

California Consumer Privacy Act

The California Consumer Privacy Act (CCPA), enacted in 2018, creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. It also requires the Attorney General to solicit broad public participation and adopt regulations to further the CCPA’s purposes. The proposed regulations would establish procedures to facilitate consumers’ new rights under the CCPA and provide guidance to businesses for how to comply. The Attorney General cannot bring an enforcement action under the CCPA until July 1, 2020.

For more information about the CCPA and the rulemaking process, see the following:

• CCPA, as of January 1, 2020
• CCPA Fact Sheet, pdf
• Information about the rulemaking process, pdf
• Tips on Submitting Effective Comments, pdf
• Office of Administrative Law - California Code of Regulations

RTN Workgroups: CCPA Expert Guest Speaker

Odia Kagan, Partner, Chair of GDPR Compliance and International Privacy 
Fox Rothschild LLP

Expertise on CCPA Compliance 

Restaurant Operators Q&A

Q: You mentioned a 25,000,000 sales threshold. Is that limited to California sales or global sales? Also the 50,000 PI record count threshold.

A: The 25,000,000 is not limited to California sales. 50,000 consumers refers to 50,000 California residents. 

Q:Can you elaborate on the “legitimate interest” exception for denial on deletion requests?

A: There are nine exceptions for deletion. For instance, someone can not be deleted before payment goes through. An Exception is information that is necessary for internal purposes that are reasonably aligned with consumers expectations at the time. You need to disclose what is an exception to the deletion is and way.
 
Q: What is an example of discriminating against a consumer that opts out.

A: If someone exercises the right to opt out of a sale, then you can’t penalize them by not serving them or giving them access to content.
 
Q: When customer information is collected at a franchise and shared with a franchiser, is that considered a sale?

A: Analyze that when you map your data/look at the exchanges that take place. Whenever you have the transfer of data between two legal entities – you need to determine if it’s a service provider, and if it’s not then is it a sale?
 
Q: Do the same issues apply for transfer of a data request?

A: It depends on the relationship of the parties. If you are a service provider then you are not required to respond but can direct the consumer to the correct source of data. The parties should come up with a transparent solution/response for consumers.
 
Q: Are there any best practices for access requests?

A: Regulations say you need to share info in a certain way, but you just want to be clear and concise in instructions.
 
Q: How do you see CCPA and other state-level frameworks evolving? Will it continue to patchwork vs. federal?

A: There will be additional state laws but it’s not clear when and how similar to CCPA they will be.  There are currently 2 federal bills on privacy but they have a long road ahead of them.

Q: Is order history considered personal information and if so, what exactly do we need to provide?

A: It is. You need to disclose it as part of an access request.
There are categories of information and specific pieces. This would go in specific pieces.
You only have to disclose it if it is personal info tied to an individual.
 
Q: Are there opportunities for the industry to help drive regulatory conversations so that we can develop something sensible for all sides?

A: There have been but that closes tomorrow. After that date you can still come up with best practices and interpretations of the law.
 
Q: The law itself is well documented but it also looks like AG can offer clarification?

A: The AG enforces the law to a great extent. People will file complaints with AG and then the AG investigates. In addition, there is a provision in CCPA that instructs the AG to offer guidelines on how law works.
 
Q: What is a reasonable amount of time to respond to a customer request?

A: 45-days for access and deletion. They also require a response access request within 10-days and opt out in 15-days.
 
Q: Does the law offer any ways to identify whether a person asking for information is that person?

A: The draft regulations say to not ask for more information than you need, and to leverage information you already have. The more sensitive the information, the harder it is to access.
 
Q: Can you further define what sales data means with context to CCPA? Is that only a monetary transaction?

A: They don’t mean sale in the traditional sense of the word--it is much more broad.  It includes both information that you sell for money and also any information that you share for valuable consideration. Example - Enabling a 3rd party (Facebook & Google) to collect information for marketers (analytics) but then also have access to that information off their platform. This is also considered a sale. There needs to be the right to opt out.
 
Q: So users of website need to be given the option to opt out of analytics type cookies?

A: In some cases. If the 3rd party is getting something out of it, those would likely be considered a sale.  In Europe it’s in opt-in and in CCPA it’s an opt out.
 
Q: Can you give further context about how the CCPA might affect loyalty programs?

A: Loyalty programs can continue to operate under CCPA (GGPR has more difficulty). The programs need to be disclosed in general privacy notice. There are requirements on what the loyalty program needs to look like. Under certain circumstances you can monetize the data. You need to show that there is a direct relation between the value provided to you by consumer data. You cannot however treat someone differently if they exercise a right (i.e. opt out).
 
Q: Once data is collected, if you sell that data to a 3rd party (with consent), is there an obligation to pass that information on to the 3rd party?

A: You need to notify all 3rd parties that you sold the information within 90 days of request and instruct them to no longer sell and let consumers know. However, if the 3rd party does not comply you will not be held responsible. That said, in most situations the consumer would have not opted out (or opted in) to have their information shared. 
 
Q: How does this apply to CA residents who visit establishments outside of the state?

A: If they are temporarily there, the rules still apply. So from the tech perspective, they have to figure out how to identify that via cookies.
 
Q: How much information do you think is appropriate to have at the point of sale at a restaurant?

A: Regulations say that you have to tell them that you are going to collect their information, the categories of information, why you’re collecting it, and offer a link to the privacy notice for more information.
 
Q: Many of us have already implemented a solution for GGPR, what do we need to do differently to be compliant for CCPA?

A: Not an easy answer, but I have an article that helps.
Many of the same controls of requirements exist across both regulations; however, there are enough differences to evaluate your plan in place.
 
Q: The concept of encrypted data was brought up in regulation in relation to notification of a breach, if someone takes information that is essentially useless, do I need to notify the state AG? 

A: Most state laws say that if the encrypted data is taken but not the key (to read it) then you do not need to notify.
 
Q: Do you anticipate a greater number of lawsuits as a result of these changes?

A: Potentially yes, because it is an area of focus among consumers in the wake of some of the highly publicized data breaches.
 
Q: What are the damages associated with individual incidents?

A: The civil action is to recover damages not less than $100 and not greater than $750, per consumer per incident, or actual damages (whichever is greater) plus injunctive or declaratory relief plus any other relief that the court deems proper. 
 
Q: Does that apply to just data breaches or also apply to deletion requests?

A: Deletion requests are different.
As of July 1 the potential for ramifications is an injunction and civil penalty of no more than $2,500 for each violation or $7,500 for each intentional violation.
 
Q: How are you expected to verify the identity?

A: You are required to have a reasonable method for verifying.
The principles are don’t ask for more information than you already have. The level of the questions to verify should be proportionate to the data and how risky it is. The regs give examples for the verification process. You don’t want to ask for new information if you don’t have to.
 
Q: How far back and AG go to look for evidence of non-compliance?

A: The requests have a 12-month look back. That means if a person files a request (deletion, access, etc.) the restaurant needs to be able to provide information going back a year. If they are unable to, then that is a failure to comply with the request.

10 Things To Do Now for CCPA

(Recorded webinar) 

1) Identify the Personal Information Flows (B2C).
Where is it that your personal information is held in your systems? B2C is the most critical to tackle as there are carve outs for B2B and employee data.
 
2) Identify Exceptions That Apply To You.
Some examples of exceptions would be B2B & employee data. 

3) Ensure Your Information Security Is OK.
This is both from a tech perspective and paper perspective. There is an obligation to keep this information secure as now people have the ability to file a class action lawsuit and get remedies in an easier way. Work with information security tech teams to make sure this is buttoned up.
 
4) Develop a Process for Verifying Individuals.
People can begin filing requests on Jan 1, 2020 so you want to put a process in place that enables people to file these requests. There are 3 rights--the right to request information, the right to have it deleted and the right to opt out. For the first two, you have to be able to verify that the person you are giving the information to or having it deleted for is the correct person. You need a process to verify the information that is aligned with the level of information requested. The less sensitive information the less difficult the questions need to be.  
 
5) Create Methods for Submitting Consumer Requests.
The law requires at least two ways – an interactive web form and toll -free phone number.  A 3rd method is a physical method for submitting the request ( a physical place to file requests).
 
6) Develop a Process for Handling Consumer Requests. 
Who in the company should get them and handle the requests? Can you have an automated process?
 
7) CA Consumer Rights Page: Amend Your Privacy Disclosures
You need to amend your privacy disclosures. Consumers need a transparent disclosure on what are you doing with the information and what rights do they have?
 
8) Do Not Sell / Cookies.
Cookies are considered by some as a ‘sale’ and the Internet Advertising Bureau is building a framework for this. There needs to be an opt out option. 
 
9) Notice of Collection / Privacy Notice.
Revise online privacy notice or add notice of collection. Tell people what is happening with their data at time of collection. You need to have both the disclosure and then a link to the privacy notice. 
 
10) Service Providers / 3rd Party Providers.
You need to have written agreements with service providers. Look at any 3rd party providers and determine whether their help is needed to comply with CCPA.
You need to make sure the 3rd party doesn’t sell information and deletes when asked, etc.

More CCPA Resources from Odia Kagan:

• State Data Privacy Law Tracker
• Interactive Online Tool: CCPA Scope Adviser
• 20 Questions (and Short Answers) on the CCPA
• Leveraging GDPR Compliance Efforts to Address the CCPA
• Does the CCPA Apply to Me?
• The CCPA: What You Need to Know
• Practical First Steps to CCPA Compliance
• Where HIPAA Stops, CCPA Begins
• Video: CCPA: Does It Apply to Me?