The California Consumer Privacy Act (CCPA) becomes effective on January 1, 2020. We are counting down 10 practical measures you can take to start down the path to CCPA compliance:

10. Determine whether your business must comply with the CCPA.

  • You must comply with the CCPA if:
    • You are a for-profit entity with over $25 million in gross revenues that conducts business in the state of California and collects the personal information of California residents
    • You annually buy, receive for the business’ commercial purposes, sell, or share for commercial purposes the personal information of 50,000 or more California residents, households, or devices
    • You derive 50 percent or more of your annual revenue from selling California residents’ personal information.

Please note that various exemptions to compliance exist, but they are narrow and do not cover all uses of personal information from California residents, households, or devices.

9. Catalog the categories of personal information you collect from California residents, the sources of the personal information, and the purpose for which you use the personal information, and determine whether you sell or disclose consumer information to third parties as defined by the CCPA, so that you are prepared to respond to consumer requests made pursuant to the CCPA.

8. Revise your website’s home page by posting a “clear and conspicuous link” or button titled “Do Not Sell My Personal Information,” describe the right to opt out, and include a link to the “Do Not Sell My Personal Information” page in your privacy policy.

7. Revise your privacy policy. The CCPA and Attorney General Guidelines have outlined what information needs to be included in your privacy policy. For example, you must disclose the rights afforded to consumers under the CCPA, list the categories of personal information you have collected about California residents in the preceding 12 months, and provide instructions on how a consumer can submit a verifiable request. This list is not exhaustive, and we encourage you to contact us should you have questions regarding your privacy policy.

6. Create a process to accept consumer requests and identify individuals responsible for promptly responding to such requests.

5. Provide minors with a “right to opt in.” Businesses are prohibited from selling personal information of consumers between the ages of 13 and 16 without first obtaining affirmative opt-in consent (i) from the consumer, where the consumer is between the ages of 13 and 16, or (ii) from a parent or guardian, where the consumer is under the age of 13.

4. Provide training for employees on the CCPA’s prescribed consumer rights.

3. Review existing vendor agreements to ensure that contracts limit the service provider’s use of personal information as strictly as the CCPA prescribes, and revise as needed.

2. Create and maintain a robust incident response plan. The CCPA’s new statutory damages and civil penalties underscore the need for a thoughtful and comprehensive approach to breach response because the act will almost certainly lead to a spike in data breach–related litigation in California.