The California Consumer Privacy Act (CCPA) becomes effective on January 1, 2020. We are counting down 10 practical measures you can take to begin down the path for CCPA compliance:
10. Determine whether your business must comply with the CCPA.
- You must comply with the CCPA if:
  - You are a for-profit entity with over $25 million in gross revenues that conducts business in the state of California and collects the personal information of California residents
  - You annually buy, receive for the business’ commercial purposes, sell, or share for commercial purposes the personal information of 50,000 or more California residents, households, or devices
  - You derive 50 percent or more of your annual revenue from selling California residents’ personal information.
Please note that various exemptions to compliance exist, but they are narrow and do not cover all uses of personal information from California residents, households, or devices.
9. Catalog the categories of personal information you collect from California residents, the sources of the personal information, and the purpose for which you use the personal information, and determine whether you sell or disclose consumer information to third parties as defined by the CCPA, so that you are prepared to respond to consumer requests made pursuant to the CCPA.
6. Create a process to accept consumer requests and identify individuals responsible for promptly responding to such requests.
5. Provide minors with a “right to opt in.” Businesses are prohibited from selling personal information of consumers between the ages of 13 and 16 without first obtaining affirmative opt-in consent (i) from the consumer, for consumers ages 13 to 16, or (ii) from a parent or guardian where the consumer is under the age of 13.
4. Provide training for employees on the CCPA’s prescribed consumer rights.
3. Review existing vendor agreements to ensure that contracts limit the service provider’s use of personal information as strictly as the CCPA prescribes, and revise as needed.
2. Create and maintain a robust incident response plan. The CCPA’s new statutory damages and civil penalties underscore the need for a thoughtful and comprehensive approach to breach response because the act will almost certainly lead to a spike in data breach–related litigation in California.