Any company that collects data about California residents should start evaluating whether it is subject to new obligations and liabilities under the California Consumer Privacy Act (CCPA). Even businesses that meet the requirements of the EU General Data Protection Regulation (GDPR) will have more to do to prepare for the CCPA.
The CCPA will become operative on January 1, 2020. Enforcement by the California Attorney General can begin on July 1, 2020, or sooner if regulations are issued speedily. A "look back" period of 12 months for certain obligations, notably when responding to consumer requests for information, means that businesses should begin preparing for the CCPA much earlier. Below are 10 key tasks to get your business started now on the path to CCPA compliance.
- Check whether the CCPA applies to your business. The CCPA generally will apply to businesses: (a) with over $25 million in annual gross revenues; (b) that receive or share personal information for 50,000 or more consumers, households or devices; or (c) that derive more than half of their annual revenues from consumer data sales. But, even if your business falls into one of these categories, there are exemptions that may apply.
- Inventory the personal data your business collects. Taking stock of your data collection will help determine how you apply the CCPA's new requirements. The CCPA covers a broader range of personal information than most U.S. privacy laws—among other things, it reaches any information that is capable of being associated with a consumer or household. As examples, IP addresses and other online identifiers, purchase history, browsing or search history, and inferences about a consumer can all be covered.
- Prepare to execute access and deletion requests. The CCPA grants sweeping new consumer rights over personal information—such as access and deletion upon request. Your business's ability to respond to these requests will depend on being able to locate personal information maintained across systems. Your business will also need to navigate a variety of operational issues, such as verifying the identity of the consumer making the request, and assessing what exceptions will be available to your business.
- Assess how you are sending personal information to other entities. Under the CCPA, businesses must allow consumers to opt-out of "sales" of their personal information and also inform consumers on request about sales and certain other disclosures. Any transfer of personal information, in exchange for something of value, can be a "sale" requiring an opt-out under the CCPA.
- Assess how you are sharing personal information with affiliates. A single "business" under the CCPA includes entities that control or are controlled by the same business, and also share common branding such as a shared name or mark. This means that affiliates with different branding, or that are not parents or subsidiaries, may be considered separate businesses under the CCPA. As a result, some affiliate disclosures may be sales requiring a consumer opt-out.
- Review contracts and update public disclosures. In order to take advantage of CCPA exceptions related to sharing data with vendors, your business's vendor contracts must contain specific provisions. Your business should assess whether it needs to amend existing contracts, as well as update standard terms. For public disclosures, the CCPA requires businesses to provide new notices, such as telling consumers about their rights to access, delete, and opt out of sales of personal information.
- Decide whether and how to modify services for consumers who exercise their rights. The CCPA prohibits businesses from discriminating against consumers who exercise rights under the law, but at the same time allows businesses to offer financial incentives for certain data practices, or to treat consumers differently where reasonably related to the value provided to the consumer by the information. Your business should carefully consider any existing incentive programs you offer, and how to respond to consumers who block sales of their personal information or exercise other rights.
- Review whether your company collects personal data from children under 13 and/or teenagers aged 13-15. The CCPA imposes special consent requirements when a business sells personal information of consumers known to be under 16. If relevant, your business will need to meet these CCPA requirements in a way that aligns with the federal Children's Online Privacy Protection Act.
- Review your company's data security practices and mitigate liability exposure. The CCPA boosts liability exposure for businesses by providing a private right of action, linked to statutory damages, for consumers whose personal information is subject to a security breach, as a result of the business's failure to provide reasonable security. Even though businesses will have 30 days to "cure" any alleged violation before they face statutory damages, this provision is likely to raise both the frequency and stakes of data security litigation. In addition to continued vigilance on data security, this may be a good time to review the cyber insurance coverage for your business.
- Stay up to date on CCPA developments. The basic contours of the CCPA are not likely to change, but important updates could come from a variety of sources—from California Attorney General regulations (which may affect the enforcement date), to potential legislative amendments, to the possibility of new federal law. Staying abreast of CCPA news will help your company adapt most efficiently to the new landscape.