If you’re a business in the Golden State and you handle consumers’ personal information, you should pay close attention to the California Consumer Privacy Act (CCPA), which is considered the most comprehensive data privacy law in United States history.
The CCPA takes effect on January 1, 2020 and is intended to enhance privacy and consumer protection for California residents, giving them the right to know what personal information a company has collected about them and placing limits on how that company can use and disclose it.
The CCPA will apply to thousands of businesses in California, and will require them to comply with a host of new rules on how consumer information is processed and protected.
The law is not limited to entities that have physical operations in California. It can apply to any for-profit company that does business in the state, wherever it is located.
Who Must Comply
If your business meets any one of the following thresholds, your company must comply with the CCPA:
- Your organization’s annual gross revenue exceeds $25 million
- Your organization buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices per year
- Your organization earns 50 percent or more of its annual revenue from selling consumers’ personal information
If your business meets none of these conditions, you can probably stop reading now.
The CCPA is loosely modeled on the European Union’s General Data Protection Regulation (GDPR), and many experts expect consumer privacy rights in the United States to move toward the GDPR going forward, with California as the test case.
The CCPA will empower California consumers to take a more active role in monitoring and protecting their personal information.
The CCPA’s new consumer rights fall into five categories:
- Businesses must notify consumers, at or before the point of collection, that they are collecting personal information and for what purpose.
- Consumers have the right to know what personal information a company has collected about them, where it came from, how it will be used, and with whom it is shared.
- Consumers have the right to opt out of the sale of their personal information to third parties.
- Consumers can request that a business delete the personal information it holds about them.
- Businesses may not discriminate against consumers who exercise these rights, for example by charging them a different price or refusing them service.
The most significant term used in the CCPA is personal information. The CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
This definition leaves room for extremely broad legal interpretation of what does and does not count as personal information. It goes well beyond the traditional categories such as a consumer’s Social Security number, driver’s license number, bank account information, passport number and email address.
Under this definition, personal information also covers internet browsing activity, tracking pixels and purchase history. As a result, the liability a company carries for its handling of consumer personal information has grown significantly.
What Do Businesses Need to Do?
So the important question: what should my company be focused on right now to comply with the CCPA?
Enforcement by the California Attorney General is not expected to begin until July 1, 2020, and the CCPA will most likely be adjusted and amended in the coming months.
Because the Act’s broad language has left organizations across California unsure of what is required, a number of issues still need to be resolved through amendments.
Even while the regulations are not finalized, there is much you can do right now to prepare your company for compliance:
- Create a Data Inventory Program – Begin by documenting every way your company obtains personal information: the types of personal information you collect and share, the purpose for collecting it, the third parties you share it with and why, and how you protect that information from unauthorized access.
- Run an Internal Test – Run a dry run to see how quickly and completely your organization can locate and delete a specific consumer’s personal information. This will show whether you can verify that a deletion actually took place, and whether you can assemble the information needed to answer a consumer’s request to know what you hold about them.
- Review Existing Contracts – Review every contract you have with third-party vendors that involves sharing personal information. The CCPA includes complex rules for vendors and other recipients of personal information, including how a consumer’s “do not sell” request must be honored downstream. Complying with the full breadth of these rules can be challenging, so review the contracts now to make sure they meet the CCPA’s requirements until the California State Legislature provides further clarification through amendments.
- Implement Strong Risk Management Procedures – Ensure your company has strong security measures in place to protect consumer information. As discussed earlier, the broadened definition of personal information increases liability risk and the potential for fines that can lead to a significant loss of income. Purchasing a cyber liability policy can help protect you from this exposure.
Are you curious about this topic or do you have questions about how the CCPA applies to your own business? Feel free to contact me directly.