Setting aside the six-month grace period, January 1, 2020, is essentially D-Day in the privacy law world. It is the day the California Consumer Privacy Act of 2018 (CCPA) goes into effect. 

Consumer Rights Under the CCPA

At its core, the CCPA seeks to give California consumers additional safeguards and rights regarding their personal information, specifically the rights of:

  • Disclosure: A business must disclose the personal information collected, sold or disclosed for a business purpose about a consumer.
  • Access: A business must disclose and deliver the personal information the business collected about the consumer in response to a verifiable consumer request.
  • Deletion: A business must delete the personal information the business collected about a consumer and direct service providers to delete the consumer’s personal information in response to a verifiable consumer request, subject to certain exceptions.
  • Anti-discrimination: A business must not discriminate against a consumer who exercises any of the consumer’s rights under the CCPA.
  • Opt-out: A business that sells consumers’ personal information to third parties must notify consumers of the sale and advise them that they have the right to opt out of the sale of their personal information. A business must provide a “Do Not Sell My Personal Information” link on its internet homepage that links to an internet webpage that enables a consumer to opt out of the sale of the consumer’s personal information.

Business Obligations

The CCPA also imposes certain obligations on businesses, including:

  • Privacy Policy. Businesses must describe the following in their online privacy policies or in any California-specific description of California consumer rights: consumers' rights under the CCPA, including the consumer right to opt out of the sale of the consumer's personal information and a separate link to the “Do Not Sell My Personal Information” internet webpage; the methods for submitting consumer requests; and a list of the categories of personal information that the business has collected about consumers, sold about consumers and disclosed about consumers for a business purpose in the preceding 12 months.
  • Website Requirements. A business must provide a “Do Not Sell My Personal Information” link on its internet homepage that links to an internet webpage that enables a consumer to opt out of the sale of the consumer's personal information.

Keys to CCPA Compliance

Given the varied rights afforded to consumers and obligations imposed on businesses under the CCPA, businesses should have a plan of action to ensure compliance. Below are five keys to compliance: 

  1.  Know what personal information you maintain, from whom it is collected, where it is stored, how it is processed and with whom it is shared.
  2.  Develop processes that allow adherence to the rights of disclosure, access and deletion.
  3.  Create a clear, simple and accessible process for consumers to opt out of the sale of their personal information.
  4.  Assess your business’s security posture and establish or strengthen security measures.
  5.  Update online privacy notices that specify what data is collected.