CCPA in a Multilayered B2B Environment

Author: Anna Murray
Date Published: 5 February 2021

Organizations that collect business-to-business (B2B) data from residents of the US State of California got a reprieve in 2019. The California Consumer Privacy Act (CCPA) went into effect in January 2020, applying to the collection of business-to-consumer (B2C) data. However, as of 1 January 2021, B2B data collectors were instructed to comply with its provisions. That date was later extended to 2022.1

Upon first read, the requirements of data disclosure and deletion seem straightforward, if a bit intimidating. However, a recent experience I had with a client demonstrated just how complicated a given situation can be. The following experience is illustrative and may be instructional for other organizations, especially if they have client relationships with nonprofits or governmental entities.

First, begin with the basics. It may be helpful to think about the CCPA as California’s version of the EU General Data Protection Regulation (GDPR). According to its provisions, a person has the right to do the following:

  • Request which data the organization possesses (data disclosure)
  • Know how that data are being used, shared or sold
  • Opt out of the sale of their information
  • Request their data be deleted from the organization’s records

Nonprofits and governmental entities are currently exempt from the CCPA.

In this example, our client is a for-profit company, making products used for fundraising purposes by nonprofits. Organizations do this often; for example, many may be familiar with the magazines, popcorn or other items a child might sell to support their local school. The scenario recounted here refers to the organization as Makery, because it makes products that nonprofits use. This example refers to the nonprofit as Raisery, because it uses the product to raise funds.

One more fact to round out the picture is that, in addition to a physical product, Makery also provides a piece of software to help Raisery manage the sale of its fundraising products.

Because Makery is a for-profit entity, early in 2020, the Makery stakeholder group decided a CCPA workflow was necessary (figure 1), as Raisery had divisions in California.

Figure 1—Sample CCPA Diagram


Source: © 2021 tmg-emedia, inc. Reprinted with permission.

Preliminary Analysis

The project appeared to be fairly extensive. The following are some key points and questions to consider:

  • In distributing the fundraising items, Makery’s software collected the data of many entities, including Raisery staff and volunteers.
  • The matter of identity verification was an issue. Was Makery responsible for verifying users’ identities if they requested data deletion?
  • The team also had to consider whether Makery would be obligated to comb backups and free-text input fields if a data deletion was requested.

Initial Analysis

After some analysis, the stakeholder group concluded the following:

  • Raisery, not Makery, would be in the best position to verify the identity of the users in the system. These users were Raisery’s staff and volunteers, after all. A repository was envisioned where Raisery could view the users’ form submissions asking for data deletion, aligned with the probable matching user from the database. The request form asked for an individual’s email, but the team understood it was possible that email might differ from the one in the software system, hence the repository-approval workflow.
  • Raisery would also have to identify if there existed a business need not to delete a user’s data for a specified time. The CCPA has an exception if an organization and the user are in a transactional relationship. The example often cited on the consumer side is if an organization is in the process of shipping an item. The shipment must be completed before a user’s data can be deleted. Another example more specific to Raisery might be if a volunteer had collected money and not yet turned it over to the nonprofit. Instances exist where legal action was necessary in such circumstances. If that were the case, user data would need to be preserved.
  • Unfortunately for the technical staff, free text fields would need to be scanned for user data. Backups would need to be sanitized too; however, a CCPA provision allows for this work to happen only when the backup is next accessed.
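The three conclusions above describe one workflow: match a deletion request to a probable user, hand the match to the client for verification, hold the record while a transactional relationship is open, redact free-text fields, and clean backups only when they are next accessed. The following is an added worked example of that workflow, not code from the article or from Makery; the user table, notes, backup rows, requests and every function and field name are constructed assumptions for illustration.

```python
"""Added worked example (not code from the original article): a minimal
data-deletion request workflow modelled on the Makery/Raisery analysis.
All users, notes, backups and requests here are constructed sample data;
the function names and fields are assumptions for illustration."""
from dataclasses import dataclass
import re


@dataclass
class User:
    user_id: int
    email: str
    name: str
    unremitted_funds: float = 0.0  # money collected but not yet turned over to the nonprofit


@dataclass
class DeletionRequest:
    request_id: int
    submitted_email: str
    submitted_name: str


# Constructed sample data standing in for Makery's user table, free-text notes
# and an offline backup file.
USERS = [
    User(1, "pat@example.org", "Pat Rivera"),
    User(2, "chris.lee@example.org", "Chris Lee", unremitted_funds=125.00),
    User(3, "sam@example.org", "Sam Okafor"),
]
NOTES = [
    {"note_id": 10, "text": "Pat Rivera picked up 3 boxes; call pat@example.org if short."},
    {"note_id": 11, "text": "Chris Lee still owes $125 for the fall campaign."},
]
BACKUP = [{"user_id": 1, "email": "pat@example.org"}, {"user_id": 3, "email": "sam@example.org"}]


def find_candidates(req, users):
    """Probable matches: exact email first, otherwise same name.
    The result is only a candidate list; the client (Raisery) must confirm
    it, because the submitted email may differ from the one on file."""
    exact = [u for u in users if u.email.lower() == req.submitted_email.lower()]
    if exact:
        return exact
    return [u for u in users if u.name.lower() == req.submitted_name.lower()]


def decide(user, client_confirmed):
    """Workflow state for one matched user."""
    if not client_confirmed:
        return "awaiting_client_verification"
    if user.unremitted_funds > 0:  # transactional relationship still open
        return "on_hold_transaction_incomplete"
    return "approved_for_deletion"


def redact_free_text(text, user):
    """Scan a free-text field for the user's name or email and redact it."""
    pattern = "|".join(re.escape(v) for v in (user.email, user.name))
    return re.sub(pattern, "[REDACTED]", text, flags=re.IGNORECASE)


def process(req, users, notes, client_confirmed, pending_backup_purges):
    """Run one request through the workflow; returns a result dict with the
    state, the surviving user rows and the redacted notes."""
    candidates = find_candidates(req, users)
    if len(candidates) != 1:
        # zero or ambiguous matches go back to the client for manual resolution
        return {"state": "unresolved_match", "candidates": [u.user_id for u in candidates]}
    user = candidates[0]
    state = decide(user, client_confirmed)
    if state != "approved_for_deletion":
        return {"state": state, "user_id": user.user_id}
    pending_backup_purges.add(user.user_id)  # backups are cleaned when next accessed
    return {
        "state": state,
        "user_id": user.user_id,
        "users": [u for u in users if u.user_id != user.user_id],
        "notes": [{"note_id": n["note_id"], "text": redact_free_text(n["text"], user)} for n in notes],
    }


def sanitize_backup_on_access(backup_rows, pending_backup_purges):
    """Apply outstanding deletions to a backup at the time it is restored or read."""
    return [row for row in backup_rows if row["user_id"] not in pending_backup_purges]


if __name__ == "__main__":
    pending = set()
    req = DeletionRequest(100, "pat@example.org", "Pat Rivera")
    result = process(req, USERS, NOTES, client_confirmed=True, pending_backup_purges=pending)
    print(result["state"], [u.user_id for u in result["users"]])
    print(result["notes"][0]["text"])
    print(sanitize_backup_on_access(BACKUP, pending))
```

The point of keeping `find_candidates` separate from `decide` is that the software vendor only proposes a match; the verification decision and the business-need hold belong to the client, who actually knows the volunteer. The `pending_backup_purges` set records approved deletions so that a backup is scrubbed at the moment it is next read rather than by re-opening every archive immediately.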

Subsequent Analysis

As the implementation team prepared to get to work, a business analyst on my team with a keen eye spotted another exception in the CCPA statute. Under the CCPA, service providers are treated differently than the clients for whom they provide the service. The client is responsible for responding to data access or deletion requests. If an individual submits a request to opt out of a service provider, the service provider may deny the request and ask that the individual submit the request to the organization itself.

Makery heaved a sigh of relief. After a modest investment in studying the issue, the company concluded it did not have to implement the full CCPA workflow. It only had to prepare for requests coming from its client, Raisery. But Raisery, being a nonprofit, was exempt from the CCPA. With this double layer of exemption in front of them, the Makery legal team decisively concluded that nothing further needed to be done for the CCPA in 2020.

Conclusions and Implications

After the experience with Makery and Raisery, my team learned several important lessons to be kept in mind throughout our technology practice:

  • Read and understand all provisions and exceptions in the CCPA. Involve both legal and cybersecurity experts. Makery’s legal team, while experts in product and corporate law, benefitted from the cybersecurity team’s ability to parse the statute as it related to data and data sources. The cybersecurity team was key in posing questions that allowed the Makery attorneys to analyze the company’s legal position.
  • Realize that many organizations can have multiple layers in their relationships to users, data and other enterprises. In Makery’s case, this involved a for-profit layer, a service-provider layer and a nonprofit layer.
  • Consider reputational issues. Many dynamic discussions are still occurring among the Makery leadership on this topic. Regardless of a legal requirement, what are California residents now expecting of organizations that collect data in California? Will abiding by a CCPA exemption—however legitimate—hurt an organization’s reputation?
  • Look to the future. The exemption for governments and nonprofits is a significant loophole in the CCPA. It seems likely that some pressure will come to bear to close it.

A final point to remember is that the end is not yet written regarding data privacy and protection in California. On 3 November 2020, the California Privacy Rights Act (CPRA) was approved as a ballot measure. In general, the measure strengthened and enhanced CCPA provisions. With regard to the subject at hand, all B2B data exemptions will permanently sunset in 2023. As of now, nonprofits are still exempt. However, the adoption of this ballot measure, as well as global trends toward privacy and data regulation, suggest nonprofits will need to keep an eye on the legal landscape and prepare for regulations to affect them.

Endnotes

1 State of California Department of Justice, California Consumer Privacy Act of 2018, USA, 2018

Anna Murray

Is a nationally recognized technology consultant, writer and author of the critically acclaimed book The Complete Software Project Manager. She is a frequent public speaker and has presented for numerous industry organizations including CSX North America, the Digital Experience Summit and the ISACA® Women’s Day of Advocacy. She is also a member of the Women’s Leadership Council of She Leads Tech, which advocates for greater representation of women in technology. Murray is a 2-time recipient of the Stevie Award for Women in Business and has received a Mobile Marketing Association award for mobile app development, several Kellogg top agency awards, and Folio's Top Women in Media award.