CCPA Cheat Sheet
Effective on January 1, 2020, the California Consumer Privacy Act (CCPA) represents a fundamental change in privacy law in California and the United States because of the Act’s nationwide reach. With limited exceptions, any for-profit company doing business with California residents and collecting personal data, including incidental website traffic via cookies, may be required to comply with the Act’s strict data privacy rights, including the right to know what personal information the business holds and with whom it is shared, the right to prohibit its sale, and the right to demand its deletion from the business’s records (i.e., the right to be forgotten). On October 10, 2019, the California Office of Attorney General introduced draft regulations under the Act.
CCPA requires changes in the manner by which companies collect, maintain, and share information. The Act also requires changes in company websites and vendor agreements, and it creates a private cause of action for those consumers whose information is compromised by a data breach. Companies need to have the correct policies and controls in place, including mandated employee training, to comply with these new requirements.
Provided below is a cheat sheet of CCPA requirements. Compliance counsel can help companies implement these requirements in an efficient and cost-effective manner by focusing on a company’s activities and operationalizing CCPA controls into the data environment.
I. What is CCPA?
CCPA creates new consumer rights relating to personal information of California residents collected by a business. CCPA is similar to GDPR, but has significant differences. Importantly, the California Attorney General has stated that GDPR compliance is not CCPA compliance.
II. What Businesses are Regulated by CCPA?
CCPA applies to all for-profit businesses doing business in California that collect consumer personal data. A consumer is any resident of California. “Personal information” is defined in part as “information that identifies, relates to … or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Employment-related data is exempted from CCPA for one year.
Exceptions to CCPA are not-for-profit organizations, and for-profit organizations that do not meet any of the following thresholds:
- Have annual gross revenue in excess of $25 million;
- Possess personal information of 50,000 or more consumers, households, or devices; or
- Earn 50% or more of its annual revenue from selling consumers’ personal information.
III. What Rights Does the CCPA Afford?
CCPA affords California residents the rights to request from businesses:
- What personal information the business has collected about them;
- Whether their personal information is being sold or disclosed for a business purpose to others;
- To prohibit the sale of their personal information;
- To delete their personal information; and
- To not be discriminated against for exercising their CCPA rights.
CCPA also creates a limited private right of action for any consumer whose “non-encrypted or non-redacted” personal information is compromised in a data breach.
IV. How Does CCPA Affect My Business?
V. What Can I Do to Prepare for CCPA?
- Make your key departments aware. CCPA becomes effective January 1, 2020. Don’t wait until the last minute to make required adjustments;
- Bring in outside counsel who focus on operations, costs, and efficiencies that support CCPA compliance. Outside counsel should work with your company’s IT, IS, General Counsel, Chief Privacy Officer, and the marketing/business development department;
- Review your business’s intake of information to determine (1) what information is governed by CCPA, and (2) what policies and processes are needed to enable your company to comply with a CCPA consumer request;
- Implement required methods to allow consumers to submit CCPA requests, and train appropriate personnel to respond to such requests – your company will have 45 days to respond to consumer inquiries;
- Review vendor contracts and forward necessary addenda to ensure that (1) they qualify as service providers to fall outside disclosure requirements, and (2) they have policies and procedures in place to respond to CCPA requests;
- The homepage must have “a clear and conspicuous link” titled “Do Not Sell My Personal Information”;
- Train, train, train your company personnel.