Five steps to compliance with the California Consumer Privacy Act
At GDC Summer, Will Bucher outlines how companies already complying with GDPR can ensure CCPA compliance too
Earlier this year, the California Consumer Privacy Act took effect, implementing new requirements on companies that do business in and California and handle the data of the state's residents.
At GDC Summer, litigation associate Will Bucher from law firm Debevoise and Plimpton gave a talk on how gaming companies that are already complying with GDPR need to consider the CCPA, and five simple steps they can take to ensure compliance with the act.
Does the California Consumer Privacy Act apply to you?
Bucher began his talk by noting that his presentation is specifically for those who are already complying with GDPR, which impacts companies that do business in the EU or with EU citizens. For those that aren't, there are many more steps to be taken that he didn't cover in this talk.
For companies that already comply with GDPR, Bucher outlined how to determine if the CCPA applies to a company based on two requirements. The first requirement is that a company must do business in California -- and given that this includes doing business with companies based in California such as Valve or Apple, it's fairly likely most gaming companies will meet this requirement.
However, they also have to meet a second requirement: either a company must have annual revenue greater than $25 million, or possess data on more than 50,000 California residents (for example, if 50,000 people who live in California have purchased a game and are playing it online), or derive more than 50% of its revenue from selling Californian consumer data.
This means that some small start-ups and independent studios might not qualify, or smaller companies making single-player games that don't collect data such as IP addresses. However, if a company ever expects to clear any of these hurdles, Bucher recommends looking into the CCPA requirements anyway, as they may become relevant down the line if the company has a successful release.
Bucher noted that the final requirement, deriving more than 50% of revenue from selling Californian consumer data, will likely not apply to most game companies, but is nonetheless worth mentioning.
Step 1: Bring California users into your GDPR protocols
If you know that your company falls under the CCPA, then the first step is to bring your Californian users into your existing GDPR protocols.
Given that CCPA applies when doing business with companies based in California, such as Valve or Apple, it's fairly likely most gaming firms need to be compliant
Understanding that it can be challenging to separate out California-based users from other users depending on the data you have on them, Bucher noted that you can meet this qualification by simply bringing in all US users, or even just all users. He added that this can also be helpful to future-proof your company, in case more states add these requirements in the future.
Essentially, this means treating requests from these customers the same as you would for EU residents under the GDPR, with the added requirement that you must confirm receipt of Californian consumer requests within 10 days -- faster than the timeline for EU residents.
Step 2: "Do Not Sell My Personal Information" link
The next step is to implement a link on your company's website that says "Do Not Sell My Personal Information."
Bucher was clear that the link must use that specific phrasing, and it must take the user to a webpage where they can opt-out of the sale of their data.
"You can't fold it into your privacy policy, you shouldn't be using creative phrasing for that -- the statute is very clear," he said. "That's what the link should be named, and that's what you should have it say."
Additionally, you cannot require a user to create an account to use the link the opt-out.
Treat requests the same as you would under GDPR, with the added requirement that you must confirm receipt of Californian consumer requests within 10 days
However, the placement of that link can have a bit more flexibility. Bucher noted that while consumers have come to expect to see such links at the bottom of a company's webpages, the goal is to make sure that link is accessible to customers where they interact with the company. And for many game companies, their customers don't interact with them as frequently via webpages. For them, it may make more sense to put the link in the settings menu of the game itself.
As for what happens once consumers opt-out, you can either create a process which excludes their data from sale, or delete the consumer's data entirely as you would when processing a deletion request under the GDPR. Both of these options meet the requirement, though the second one is technically safer and easier because it both already falls into the processes for GDPR, and also avoids the problem if a consumer's data is accidentally tagged incorrectly and sold despite them opting out.
Step 3: Create a toll-free number for data sale opt-outs
Bucher acknowledged that Step 3 is a bit antiquated, but it's still a requirement -- companies need to have a toll-free number consumers can call if they decide they want to opt-out of having their data sold -- which will then be handled in the same way as if they opted-out via your website.
This number must connect them with an employee of your company that is trained to receive these requests, including informing consumers about their rights under the CCPA -- it's fine if this employee overlaps with the employee trained to respond to GDPR requests, too. The line can be staffed within your company's normal operating hours.
Bucher also pointed out that even if you've heard of the "exemption" to this step and think you might qualify, chances are, you don't.
"You do not qualify for the exemption," he said. "And that's because the exemption is worded in such a way that it's almost impossible to comply with."
Specifically, the exemption specifies that you can have no interaction with your consumers offline -- that means no offline marketing, no trade shows, no answering phone calls for troubleshooting problems, no handing out physical media, and no business cards. Plus, you also have to have a direct relationship with every single one of your customers.
"Maybe you have a business model I haven't thought of -- I don't mean to completely say there's no way you're exempt, but I think for all practical purposes, you really have to treat this like you need to create a telephone number."
Step 4: Update your Privacy Policy
Next up, you must add a statement regarding the rights of California residents to opt-out of the sale of their data to your Privacy Policy. This statement is required even if your response to opt-out requests is to fully delete the data as you would under GDPR.
As a part of this, you also must revise the phrasing on your GDPR statement in your Privacy Policy to make it clear that the policy applies to Californians as well.
Additionally, Bucher pointed out that you need to add a description to your Privacy Policy explaining how you will inform consumers of updates to said policy.
Companies need to have a toll-free number consumers can call if they decide they want to opt-out of having their data sold
And you also need to ensure its description of data use explains all possible uses that involve any transfer which has even a remote benefit to your company -- including examples such as transferring data to your publisher -- and also describe which categories of data are sold.
For the latter, this needs to include any categories of data from a very specific list dictated by the CCPA. If you sell any of the categories of data listed here, you must note that in your policy:
- Identifiers, such as real name, alias, postal address, unique personal identifier, online identifier, IP address, email, account name, social security number, driver's license number, or passport number
- Consumer information, which includes payment information
- Any legally protected characteristics
- Commercial purchasing
- Biometric information
- Internet or network Activity
- Geolocation
- Information typically detected by the senses: audio, electronic, visual, thermal olfactory, or otherwise
- Employment information
- Education information
- And any inferences from the above used to profile the customer
Step 5: Update your Privacy Policy every 12 months
Finally, it's required under the CCPA that you review and update your Privacy Policy every 12 months, and to note in the Privacy Policy that you've done so.
"The easiest way for a California regulator to decide you're not in compliance with the CCPA is to look at your Privacy Policy and see that you haven't updated it in the last 12 months, or you haven't disclosed the last time you've updated it," Bucher said.
The most important thing, Bucher continued, is to change the date of your last review and update. That doesn't necessarily mean you have to change anything else if there's nothing that needs changing -- it can be as simple as reading the policy through and changing the date.
For smaller companies, it's easy enough to set a calendar reminder once a year to do this -- though Bucher noted that larger companies might need a dedicated compliance role for this or the entire process.