The California Consumer Privacy Act (CCPA) is a landmark piece of legislation widely considered to be the nation’s most significant data privacy law to date. It grants new and unprecedented rights to California consumers, including the right to know what personal information is collected, used, shared or sold by businesses, the right to have personal information held by businesses deleted, the right to opt out of a business’s sale of their personal information, and the right not to be discriminated against in price or service for exercising a privacy right under the CCPA.
The CCPA was signed into law in 2018 and took effect on Jan. 1, 2020. Since then, businesses have had a six-month grace period in which to work out implementation kinks and address issues or potential violations. Beginning July 1, 2020, however, California’s Attorney General can bring enforcement actions. A business is first notified of the alleged violation and given 30 days to cure it; if it does not, the Attorney General may seek an injunction and civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation. Because each affected consumer can count as a separate violation, penalties can quickly reach six figures.
The CCPA has been compared to the European Union’s General Data Protection Regulation (GDPR), widely regarded as the toughest privacy and security law in the world, which was adopted in 2016 and became enforceable in May 2018. The possibility of more widespread adoption of this type of legislation in the U.S. means that businesses operating outside of California would be wise to become well-versed in CCPA standards. In 2019, Nevada enacted an amendment to its online privacy law that shares similarities with the CCPA. In addition, Washington, D.C., New York, Texas and Washington state have all either introduced or have similar legislation pending. As such, it is in every business’s best interest to carefully review the CCPA requirements and begin outlining how your company could adapt to potential consumer privacy changes.
Does CCPA apply to my company?
Any for-profit business that does business in California, regardless of where it is located (another U.S. state or even another country), must comply if it collects California residents’ personal information and meets one or more of the following thresholds:
Has gross annual revenues in excess of $25,000,000
Annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices
Derives 50% or more of its annual revenues from selling consumers’ personal information
What are the key provisions?
Either before or at the point of collection, businesses must provide notice to consumers of the categories of personal information to be collected and the purposes for which personal information collected will be used.
Businesses must create procedures to respond to requests from consumers who want to know what personal information is collected about them, to have that information deleted, and/or to opt out of its sale. For opt-out requests, businesses must provide a clear and conspicuous “Do Not Sell My Personal Information” (or “Do Not Sell My Info”) link on the homepage of their website or in their mobile app.
Businesses must respond to requests to know and to delete within specific timeframes: confirm receipt within 10 business days and respond within 45 days of receiving the request, extendable once by a further 45 days when reasonably necessary, provided the consumer is notified of the extension. Opt-out requests must be honored as soon as feasibly possible and no later than 15 business days after receipt.
Businesses must verify the identity of consumers who make requests to know about the collection, disclosure or sale of their personal information and/or to delete the personal information, whether or not the consumer maintains a password-protected account with the business.
Businesses must disclose financial incentives offered in exchange for the retention or sale of a consumer’s personal information and explain both how they calculate the value of the personal information and how the incentive is permitted under the CCPA.
Businesses must maintain records of requests and how they responded for 24 months in order to demonstrate their compliance. Businesses that collect, buy, or sell the personal information of more than 4 million consumers also have additional record-keeping and training obligations.
What policies should my business implement to ensure compliance?
Update all privacy policies and notices on websites and mobile apps to conform to the specifics of the law.
Ensure reasonable security measures are in place to protect consumer information. This is not only good practice: the CCPA gives consumers a private right of action when a data breach results from a business’s failure to implement and maintain reasonable security procedures, with statutory damages of $100 to $750 per consumer per incident, or actual damages if greater.
Provide mechanisms for consumers to:
Learn what personal information is being collected about them and how it is being used
Request deletion of their previously collected personal information
Opt out of the sale of their personal information
Review all third-party service providers your company does business with (e.g. marketing companies, IT support, etc.) and validate their compliance with the CCPA as well. To qualify as a “service provider” under the law, the written contract must prohibit the vendor from retaining, using or disclosing the personal information for any purpose other than performing the services specified in the contract.
Develop protocols and procedures for record retention and timely responses to consumer requests.
Train employees on all relevant privacy policies and new CCPA procedures to maintain consistent standards.
The CCPA is detailed and complex, and ensuring that your business complies with every facet of it naturally goes beyond what can be covered in a blog post. If you would like a full briefing on the CCPA or have questions about how to implement the required procedures before the enforcement period begins on July 1, 2020, please reach out to Julie Herzog at Fortis Law Partners.