Understanding the California Consumer Privacy Act (“CCPA”)
Author Name: TrainingABC
Posted: 11-21-2019 05:02 AM
Synopsis: The state of California is unique for many reasons, ranging from the massive creation of wealth in Silicon Valley to the vast cultural influence exhibited by Hollywood actors, directors, and screenwriters. That said, the state is also unique in that California lawmakers and legislators aren’t afraid to take bold legal action on behalf of Californians.
You only need to look at the headlines: California is at the forefront of things like digital rights and anti-trafficking laws. California’s recent legislation on consumer privacy is the latest game-changer. Called the California Consumer Privacy Act (“CCPA”), this piece of legislation, which was enacted last year, creates new consumer rights related to personal information that is collected by businesses. The protections within the CCPA are quite strong and are essentially unrivaled among the other forty-nine states; only Nevada’s recent privacy law comes close. It is natural to compare the CCPA to Europe’s General Data Protection Regulation (“GDPR”). While it is less onerous than the GDPR in some respects, it goes even further in others.
Whether you have a business that is physically located in California or are collecting the data of California residents, it is vital to understand what the CCPA is and how you can best comply with this new piece of legislation. You and your businesses must prepare now, as the law is set to take effect on January 1, 2020.
To start, the CCPA, also called AB 375, is notable for granting Californians several new rights concerning the personal information that businesses collect about them. According to the legislation, those rights include the right to know what personal information is collected about them, the right to know whether their personal information is sold or disclosed (and to whom), the right to say no to the sale of their personal information, the right to access their personal information, the right to request deletion of their personal information, and the right to equal service and price, even if they exercise these privacy rights.
As you can tell, these new rights are quite extensive. The whole objective, like the GDPR, is to let Californians have tighter control over their data. The legislation drastically expands the definition of personal information to include things like geolocation, internet browsing history, personal identifiers, biometric information, and inferences about consumers drawn by companies. While businesses should have already been creating privacy policies and placing them on their websites, the CCPA requires even more detail: what data businesses are collecting, why they collect it, who they are sharing it with, and the rights that consumers have concerning those business practices.
The CCPA also makes businesses let consumers opt out of the sale of their information to third parties. Businesses must offer this through a clear and conspicuous link on their homepage, titled “Do Not Sell My Personal Information.” Businesses cannot hide this opt-out link in their privacy policies. Along with this, the CCPA states that businesses cannot discriminate against any user who exercises any of their rights under this statute.
The penalties for noncompliance can be quite onerous. If a business does not cure alleged noncompliance within 30 days of notification, the state can seek a civil penalty of up to $2,500 per CCPA violation, or up to $7,500 per intentional violation. In addition, the CCPA gives consumers a private right of action, limited to data breaches: if a business’s failure to maintain reasonable security practices leads to the unauthorized access, theft, or disclosure of a consumer’s nonencrypted and nonredacted personal information, that consumer can sue for statutory damages of $100 to $750 per consumer per incident, or actual damages if greater. While this is less per user than the GDPR’s potential fines, these numbers can still add up, especially if you work at a large corporation, since they are multiplied by every affected consumer.
This is just a brief overview of some of the most important CCPA provisions; the full text of AB 375 is worth reading.
How Businesses Can Comply with the CCPA
Considering these basics about the CCPA, the natural question is how you and your business can comply with this new legislation. At the outset, we’d like to note that this is not official legal advice. We recommend that you speak with your company’s in-house legal counsel to develop a specific compliance plan.
Having said that, there are some general principles to keep in mind in the months leading to the CCPA going into effect.
First, and most critically, you should determine whether you are subject to this new law. If you are not subject to the CCPA, you can avoid costs and significant headaches. If you are, however, you will have no choice but to comply.
The bottom line? You are subject to the law if you work for a for-profit entity “doing business” in the state of California that collects consumers’ personal information and to which any of the following apply:
- Your company’s gross annual revenue is above $25 million.
- Your company annually buys, receives for commercial purposes, or sells or shares for commercial purposes the personal information of 50,000 or more California consumers, households, or devices.
- Your company derives 50 percent or more of its annual revenue from the sale of California consumers’ personal information.
These are the basic applicability thresholds under the CCPA. Along with this, the law applies to any entity that (1) controls, or is controlled by, a business that meets the criteria listed above, and (2) shares common branding with that business. Regardless of the size of your business, you are going to want to review these requirements before January 1. If you suspect that you meet these requirements, you will need to develop a compliance plan.
From here, think about setting up a schedule to ensure compliance. January 1 is rapidly approaching and you certainly have other tasks on your plate. Gather all relevant actors in your organization, whether they are decisionmakers in your IT department, legal department, or some other department. Sit down and determine what it will take for you to comply with this new legislation. From there, chart out a schedule and delegate responsibilities. Being proactive and planning now will make compliance that much easier. It is much better to take these meetings and do the work now than scramble during the holiday season.
Finally, it is critical to train your employees. Compliance isn’t just the responsibility of the C-suite or of compliance professionals in your organization. It is the responsibility of everyone who is somehow connected to Californians’ consumer data. Whether you organize mandatory trainings or hold an in-person meeting on the CCPA, all members of your organization should be aware of the CCPA and their obligations.
Take Action Now
The CCPA is a significant new law that will substantially alter the way that certain businesses operate. If you collect the personal information of Californians, there is a real chance that you will need to comply with the law by January 1.
Ultimately, it’s worth your time to take a closer look at the law. Don’t hesitate to speak with your company’s attorney. And if you do need to comply, ensure that everyone handling consumer data in your organization is fully aware of your compliance obligations. Taking all of these proactive steps will certainly be worth your time.