Preparing for the California Consumer Privacy Act
The California Consumer Privacy Act becomes effective Jan. 1. While the California Legislature recently passed amendments to the CCPA that we expect will become law, the CCPA remains fundamentally unchanged, except that there is now a one-year carve-out for employment data and business-to-business contact information. Companies should take steps now to ready themselves before the Jan. 1 deadline.
Who must comply?
The new law applies to any for-profit business that:
1. Collects personal information about California consumers or households;
2. Determines the purposes for processing the personal information;
3. Does business in California or with any California resident; and
4. Meets any one of the following requirements:
a. has annual gross revenues in excess of $25 million;
b. alone or in combination, annually buys, sells, receives or shares personal information of 50,000 or more California consumers, devices or households; or
c. derives 50% or more of its revenue from selling California consumers’ personal information.
A business not directly subject to the CCPA still may have compliance obligations if it handles personal information about California residents or households on behalf of another business and likely will have to agree to contractual provisions restricting use of the personal information as a result.
Any business subject to the CCPA must disclose the categories of personal information it has collected over the last 12 months, the purposes of its use and with whom it shares the information. California residents also have rights to access the personal information a business collects and, with certain exceptions, to have personal information deleted. If the business sells personal information, it must give California residents the right to opt out of the sale. A business generally has 45 days to respond to such a request.
How to prepare
1. Map your data: Understanding the personal information your organization collects, retains and shares is a critical first step in assuring CCPA readiness. Because employee data and business-to-business contact information are carved out for 2020, you can prioritize your compliance efforts by first focusing on consumer data.
2. Review your current security controls: The CCPA allows individuals to file a lawsuit and obtain statutory damages if personal information is breached because a business fails to utilize reasonable security practices. Now is the time to review and update your data security and privacy policies to help mitigate the risk of a data breach and subsequent litigation.
3. Develop a process for handling requests to exercise individual rights: Because you must respond to requests within 45 days, you should develop procedures for handling individual requests, including rules for denying requests. Your process should include ways to verify the request comes from the data subject or its authorized representative. Although the CCPA does not allow you to require an individual to set up an account on your website to exercise individual rights, it does allow you to require any individual who has already set up an account to submit requests through that account. Furthermore, you should ensure your process allows for requests to be honored.
4. If you sell information about children under age 16, develop an opt-in process: While adults can opt out of the sale of their information, the CCPA requires an opt-in process for children under age 16. Children who are at least 13 years of age can opt in for themselves, but parents must opt in for children under age 13.
5. Update your vendor agreements: To avoid having data transfers classified as a “sale” of information, businesses need to ensure their agreements with third parties meet certain CCPA requirements. You will likely need to update your agreements with any organization that handles personal information on your behalf. Failure to update agreements before Jan. 1 may mean that you will be deemed to be selling information, which imposes opt-out and opt-in obligations.
7. Train your employees: Finally, begin training your employees on the key aspects of the CCPA, how to respond to individual requests and the importance of following the organization’s data privacy and security policies and procedures.
Noncompliance with the CCPA may be costly. The California Attorney General is authorized to enforce the CCPA with penalties of up to $2,500 per consumer violation, and in the event of a data breach, consumers can sue for statutory damages of $100 to $750 per incident. You should begin compliance efforts well in advance of Jan. 1.
Norbert Kugele and Kelly Hollingsworth are attorneys at Warner Norcross + Judd who specialize in cybersecurity and privacy.