California’s Data Privacy Law’s Implications


In May 2018, when the General Data Protection Regulation (GDPR) became effective, it had repercussions for businesses all over the world, not only those located in the European Union (EU). The United States does not have a federal law that parallels the GDPR. The first comprehensive law governing data privacy is the California Consumer Privacy Act (CCPA), which became effective on January 1, 2020 and enforceable on July 1, 2020. The CCPA is positioned to affect businesses throughout California, the nation, and the world.
The CCPA gives California consumers the right to know what personal information a business has about them, the right to request that the business delete that information, and the right to opt out of the sale of their personal information. It regulates how organizations can collect data of California residents and how that personal information can then be used or shared.
CCPA applies to all businesses operating in California, whether or not they are domiciled there, if they fall into one or more of the following categories:

  • Have gross annual revenues of more than $25 million;
  • Buy, receive, or sell personal information of 50,000 or more consumers, households or devices; or
  • Earn 50% or more of their annual revenues from selling consumers’ personal information.

Business Requirements
Businesses that are subject to the CCPA are required to provide California residents with access to personal data the business has collected or sold about them in the past 12 months. According to the CCPA, personal information includes information that can identify, relate to, describe, be associated with, or be reasonably capable of being associated with a particular consumer or household.
Specifically, consumers may request that the business disclose:

  • The categories of personal information collected.
  • Specific pieces of personal information collected.
  • The categories of sources from which the business collected personal information.
  • The purposes for which the business uses the personal information.
  • The categories of third parties with whom the business shares the personal information.
  • The categories of information that the business sells or discloses to third parties.

Consumers must be given the right to opt out of having their personal information sold to third parties without any change to their level of service or price structure.
As a result of these requirements, company websites are required to have an opt-out link.
Nonprofits and Government Agencies
The CCPA does not apply to nonprofit organizations or government agencies.
Collecting Information
It is important that you understand the data your company holds and is collecting. What are the data points? Why is that information being collected? Where is it housed? Who has access to it? To be CCPA compliant, that information must be available on a rolling 12-month basis. As a company, you should ask whether you really need all the data being collected. Why collect data that is not useful to your business and increases your risk exposure?
Data Security
Cybersecurity is a concern across the board. To be CCPA compliant, ensure that your consumer and employee data are secure and all security procedures are documented. Do not forget data that are held by outsourced vendors such as human resources or payroll vendors. Make sure the contracts you have with those vendors have CCPA-compliant provisions. Your company can be held liable if those vendors are not compliant.
Establish and put in place access and deletion systems. This process is complex. Among other things, it includes knowing where the data are, having processes in place to delete them, training the people who are responsible for executing the requests, updating your online privacy policy, and adding appropriate methods for opting out.
Many states are considering comprehensive data privacy laws, and others such as Nevada and Vermont have adopted more limited protections.
CCPA 2.0 Ballot Measure
On June 24, 2020, the California Secretary of State announced that county election officials had validated enough signatures through the random signature validation process to make the California Privacy Rights Act of 2020 (aka CCPA 2.0) eligible for the November 3, 2020 ballot.
The measure will now move to the November ballot. Polling previously released by the Californians for Consumer Privacy, the advocacy group that submitted the California Privacy Rights Act of 2020, indicated that 88% of California voters supported the measure.
This information is for educational purposes only and does not constitute legal advice or opinions. Contact legal counsel with questions.
