Preparing for the California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) becomes effective on January 1, 2020. While the governor of California has recently signed into law amendments to the CCPA, the law remains fundamentally unchanged, except now there is a one-year carve out for employment data and business-to-business contact information. Companies should take steps now to ready themselves for the CCPA before the January 1 deadline.

Who Must Comply With the CCPA?

The new law casts a wide net. It applies to any for-profit business (including entities that control or are controlled by the business and share common branding with the business) that:
  1. Collects information about California consumers or households (defined as “personal information”);
  2. Determines the purposes for processing the personal information, alone or jointly with others;
  3. Does business in California or with any California resident; and
  4. Meets any one of the following requirements:
    1. has annual gross revenues in excess of $25 million;
    2. alone or in combination, annually buys, sells, receives or shares personal information of 50,000 or more California consumers (or 50,000 or more devices or households); or
    3. derives 50% or more of its revenue from selling California consumers’ personal information.

A business that is not directly subject to the CCPA may still have compliance obligations if it handles personal information about California residents or households on behalf of another business. This is because the term “sale” is broadly defined under the CCPA to include any sharing of data with another business or third party for monetary or other valuable consideration.

If a business subject to CCPA uses a third party to handle any personal information about California residents or households, the business must obtain certain contractual promises from the third party so that the third party’s handling of the data will not be deemed a sale for CCPA purposes. Specifically, the contract with the third party must prohibit sale of the information or use in any manner other than to provide the agreed upon services to the business and must also include a certification that the third party understands and will comply with those restrictions.

What Are a Business’s Obligations Under the CCPA?

The CCPA gives California residents certain rights with respect to their data. These rights will vary, depending on whether a business merely collects and processes information about California residents and households or if it also “sells” the information.

Any business that is subject to the CCPA must disclose to California residents at or before the point of collection the categories of personal information that it has collected over the last 12 months, the purposes for which it uses the personal information and with whom it shares the personal information. If the business also sells (or is deemed to be selling) personal information, then it must also disclose the fact that the information may be sold and include a “Do Not Sell My Personal Information” button on the homepage of its website and in its privacy policy.

All businesses subject to CCPA must have a website privacy policy that includes an explanation for California residents of their rights under the CCPA, which are:

The right to request disclosures of data collected about the California resident (also known as the “right to know”).

The right to access the personal information that the business has collected about the California resident.

The right to seek deletion of data that the business has collected, with certain exceptions (also known as the “right to be forgotten”).

The right to opt out of any sale of information—to the extent that the business sells (or is deemed to be selling) personal information.

The right not to be discriminated against with respect to the available goods and services or costs of goods and services if the California resident exercises any rights under the CCPA (also known as the “right to equal services”).

Rather than including the above information (such as a “Do Not Sell My Information” button) on the business’s general website and privacy policy, a business may comply with its disclosure obligations by redirecting California residents to a California-specific home webpage and a California-specific privacy policy.

If a California resident seeks to exercise any of his or her rights, the business must generally respond free of charge within 45 days – which includes any time needed to verify that the request is legitimate. The 45-day deadline can be extended an additional 45 days, provided the business provides notice to the individual within the original 45-day time period.

+1.616.752.2714

Email