While the EU’s disruptive General Data Protection Regulation (GDPR) has garnered most of the privacy headlines over the past year, U.S.-based businesses should also be preparing to comply with the California Consumer Privacy Act of 2018 (CCPA), which will likely affect more U.S.-based businesses than GDPR does. Like GDPR, the CCPA regulates how companies collect, receive, control, process, store, and share personal information, but it does so mainly through notice and opt-out rights rather than GDPR-style prior consent: consumers must be told, at or before the point of collection, what categories of personal information are collected and for what purposes, and they may direct a business not to sell their personal information (opt-in consent is required only before selling the personal information of consumers under 16). The two laws also differ in reach. GDPR applies to organizations established in the EU and to the processing of personal data of individuals located in the EU, whereas the CCPA applies to for-profit organizations that do business in California (or control or are controlled by such an organization) and satisfy at least one of the following three conditions (each such organization, a covered entity):

  • Has annual gross revenue in excess of $25 million;
  • Annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices, alone or in combination; or
  • Derives 50 percent or more of its annual revenue from selling consumers’ personal information.

What should you do to ensure your company complies with the CCPA? The CCPA does not take effect until January 1, 2020; the California Attorney General has until July 1, 2020 to adopt regulations implementing and enforcing it; and the AG may not bring enforcement actions until the earlier of six months after those regulations are published or July 1, 2020. Even so, companies that qualify as covered entities should start now on the long, arduous task of:

1. Reviewing and updating processes and procedures for collecting, receiving, controlling, processing, storing, and sharing data;

2. Updating and publicly posting a website privacy policy that describes practices complying with the CCPA and that matches the organization’s updated processes and procedures;

3. Reviewing and enhancing data mapping practices, so the organization knows what personal information it holds, where it came from, and with whom it is shared;

4. Adopting reasonable security measures to protect personal information (the CCPA gives consumers a private right of action for breaches that result from a business’s failure to maintain reasonable security);

5. Training all departments, including IT, accounting, business, legal, and marketing, on proper data processing practices;

6. Creating a detailed plan to promptly respond to data breaches;

7. Tracking amendments to the CCPA and the AG’s implementing regulations, and adjusting the compliance program accordingly; and

8. To the extent applicable, coordinating these efforts with any GDPR compliance work the organization has already undertaken or plans to undertake.

What to watch for next:

1. The California AG has closed the preliminary public comment period on the CCPA and anticipates releasing a first draft of the implementing regulations in the fall of 2019, which will be followed by another public comment period.

2. Various amendments to the CCPA are working their way through California’s Legislature, any of which could change the scope of the law and, with it, CCPA compliance plans.