CCPA – What You Need To Know Now

The CCPA or the California Consumer Privacy Act went into effect on January 1st, 2020 and is one of the most significant pieces of legislation regarding privacy in the United States.  Many people are familiar with the European Union’s GDPR or General Data Protection Regulation, which provides for similar protections for consumers in the EU. 

As data breach scandals continue to rock companies across the globe, consumers have begun to display increasing scrutiny of the companies they do business with, and with how the collect, use, share, and dispose of their personally identifiable information.  The CCPA is likely the first of many such laws that will emerge across the US in the next few years.  Following are some of the basic facts provided by the California Attorney General office[1] that every company should know, especially if they collect data on and from California residents.

The CCPA grants new rights to California consumers

 

  • The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information;
  • The right to delete personal information held by businesses and by extension, a business’s service providers;
  • The right to opt-out of sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt in consent, with a parent or guardian consenting for children under 13.
  • The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.

The CCPA applies to certain businesses

  • Businesses are subject to the CCPA if one or more of the following are true:
    • Has gross annual revenues in excess of $25 million;
    • Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices;
    • Derives 50 percent or more of annual revenues from selling consumers’ personal information.
  • As proposed by the draft regulations, businesses that handle the personal information of more than 4 million consumers will have additional obligations.

The CCPA imposes new business obligations

  • Businesses subject to the CCPA must provide notice to consumers at or before data collection. Businesses must create procedures to respond to requests from consumers to opt-out, know, and delete.
    • For requests to opt-out, businesses must provide a “Do Not Sell My Info” link on their website or mobile app.
  • Businesses must respond to requests from consumers to know, delete, and opt-out within specific timeframes.
    • As proposed by the draft regulations, businesses must treat user-enabled privacy settings that signal a consumer’s choice to opt-out as a validly submitted opt-out
  • Businesses must verify the identity of consumers who make requests to know and to delete, whether or not the consumer maintains a password-protected account with the business.
    • As proposed by the draft regulations, if a business is unable to verify a request, it may deny the request, but must comply to the greatest extent it can. For example, it must treat a request to delete as a request to opt-out.
  • As proposed by the draft regulations, businesses must disclose financial incentives offered in exchange for the retention or sale of a consumer’s personal information and explain how they calculate the value of the personal information. Businesses must also explain how the incentive is permitted under the CCPA.
  • As proposed by the draft regulations, businesses must maintain records of requests and how they responded for 24 months in order to demonstrate their compliance.
    • In addition, businesses that collect, buy, or sell the personal information of more than 4 million consumers have additional record-keeping and training

One thing is clear, the penalties (ranging from $2500 to $7500 per instance) can add up quickly.  If you haven’t invested the time to understand the risks to your organization, now is the time to act and to complete a CCPA (and GDPR) risk assessment.  Key steps in the process should include:

  • Understand what data (PII, or Personally Identifiable Information) you collect.
  • Understand every instance where you store this data.
  • Understand what entities you share or sell this data to.
  • Make sure your Privacy Policy is current and conspicuously posted on your website.
  • Create and document procedures to handle requests from consumers regarding the use of their data.
  • Develop and deploy employee training to ensure all staff is prepared to comply with the privacy regulations.

It’s important to note that privacy regulations are still developing rapidly across the globe.  Depending on the nature of your business and the location of your customers, it may be necessary to comply with any number of regulations in multiple jurisdictions.  If your organization does not have the expertise with analyzing and mitigating these privacy risks, consider finding and hiring an advisor that lead your team through the process of standing up a robust privacy compliance program

[1] https://oag.ca.gov/privacy/ccpa

He can be reached at prife@blaircarlisle.com or prife@holbrookmanter.com.