What is the California Consumer Privacy Act and How will it affect me? With Jill M. Williamson, Senior Attorney in Seattle, WA.
The California Consumer Privacy Act (CCPA), a broad-based law protecting information that identifies California residents, will take effect on January 1, 2020, creating a host of new data privacy obligations for many companies that do business in the state.
The CCPA includes comprehensive disclosure requirements, provides consumers with extensive rights to control how their personal information is used and shared, imposes statutory fines and allows individuals to sue over certain violations. It is expected to dramatically alter how many companies collect and process data. Even companies that already consider themselves compliant with the GDPR must review and revise their compliance programs in light of the new requirements of the CCPA.
Who is subject to the CCPA?
Not only California-based entities. Any for-profit business that collects and processes California consumers’ Personal Information and does business in the state (even remotely) is subject to the CCPA if it (or an entity it controls or is controlled by and shares common branding with) meets one of the following three thresholds:
- Generates at least $25 million in annual gross revenue
- Buys, sells, shares and/or receives the personal information of at least 50,000 California consumers, households or devices, per year
- Derives at least 50 percent of annual revenue from selling California consumers’ personal information
If your company is subject to the CCPA, you will need to have a comprehensive compliance program that includes:
- Notice to consumers at or before data collection.
- A data policy that informs consumers, by category, of the data collected, used, shared or sold by the business over the last 12 months, together with information about their rights, at least two methods by which consumers can submit requests to exercise those rights, and a “Do Not Sell” link. Consumer rights under the CCPA include:
  - The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information.
  - The right to delete personal information held by businesses and, by extension, by a business’s service providers.
  - The right to opt-out of the sale of personal information.
  - The right to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt-in consent, with a parent or guardian consenting for children under 13.
  - The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under the CCPA.
- Procedures to respond to requests from consumers to opt-out, know, and delete.
  - For requests to opt-out, businesses must provide a “Do Not Sell My Info” link on their website or mobile app.
  - Businesses must respond to requests from consumers to know, delete, and opt-out within specific timeframes.
  - Businesses must verify the identity of consumers who make requests to know and to delete, whether or not the consumer maintains a password-protected account with the business.
- Third-party risk management – review contracts with third parties that have access to your company’s data and ensure that they include the requirements necessary to comply with the CCPA.
- Training employees on CCPA obligations.
The regulations implementing the CCPA are not yet final; however, the proposed regulations contain a few notable additional requirements:
- Businesses must treat user-enabled privacy settings that signal a consumer’s choice to opt-out as a validly submitted opt-out request.
- If a business is unable to verify a request, it may deny the request, but must comply to the greatest extent it can. For example, it must treat a request to delete as a request to opt-out.
- Businesses must disclose financial incentives offered in exchange for the retention or sale of a consumer’s personal information and explain how they calculate the value of the personal information. Businesses must also explain how the incentive is permitted under the CCPA.
- Businesses must maintain records of requests and how they responded for 24 months in order to demonstrate their compliance.
12-Month Look Back
The CCPA includes a “12-month look back” provision requiring companies to respond to consumer inquiries about data collected or disclosed in the immediately preceding 12 months. This means that a response to a request filed in July 2020 will need to contain information dating back to July 2019. Being able to respond will likely require considerable preparation, so it is a good idea to start now.
Steps to Take Now
Step One: Determine whether the CCPA applies to your business. If it does:
Step Two: Map the Personal Information your company collects, uses, shares and/or sells
Ask yourself the following questions about the Personal Information your company collects and processes to map out key aspects of your data handling practices.
- What Personal Information do you collect?
- From where do you collect Personal Information?
- Where and how is Personal Information stored?
- What business units are involved?
- Is any Personal Information held by third-party providers?
- What protections are applied to this information?
- What do you do with the Personal Information?
- How long do you keep it? Why?
- With whom do you share it? And for what purpose?
- What financial incentives do you provide consumers?
Step Three: Build your Compliance Program – In addition to what is required by the CCPA, consider:
- Reviewing your data security measures to ensure you have systems in place to prevent and detect data breaches.
- Designing an incident response plan, including determining what the breach notification requirements are in the jurisdictions relevant to your business.
- Ensuring you have the right resources to turn to in case of a breach or other data incident, including outside counsel experienced in data privacy, and forensic and security professionals.
About the Author: Jill M. Williamson, Senior Attorney in Seattle, WA.
Jill Williamson is the Senior Attorney in the Seattle offices of the Corporate Transactions Group of Gravis Law, PLLC. Jill brings a breadth of experience and a practical, business-oriented approach to her work, which focuses on helping entrepreneurs and leaders of established businesses maximize shareholder value growth while minimizing legal risks. She acts as an advisor and outside general counsel for several Seattle-based companies. She also assists clients in conducting internal investigations and defending government investigations, and provides compliance advice in the areas of anti-money laundering, anti-corruption, export compliance, sanctions, data privacy, and compliance and risk management. In particular, Jill is highly skilled in blockchain usage and compliance with laws and regulations in global cryptocurrency, and is active in securing the release of assets blocked pursuant to Office of Foreign Assets Control sanctions.