The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020. One of the most talked-about consumer privacy laws, the CCPA applies to business entities within or outside the state of California that meet any of the following criteria:
- over $25 million in annual revenues;
- buy, hold, sell, or share personal information of 50,000 or more California consumers, households, or devices; or
- derive at least 50% of their revenue from selling residents' personal information.
About the CCPA
The CCPA creates one of the most significant and strict regulations around data collection and privacy practices in the United States. According to the Attorney General of California, the CCPA "gives consumers [the] right to learn categories of personal information that businesses collect, sell, or disclose about them, and to whom information is sold or disclosed." It also "gives consumers [the] right to prevent businesses from selling or disclosing their personal information" and "prohibits businesses from discriminating against consumers who exercise these rights."
To comply with the CCPA, your organization's data collection practices will need to be carefully reviewed and your capability to respond to consumer data requests will need to be robust. For example, you will need to properly disclose what data you collect and sell and be able to properly delete it upon request (under certain conditions).
Penalties for non-compliance can be severe. For example, consumers may, under certain circumstances, have a private right of action against companies. The law also allows recovery of damages between $100 and $750 per consumer per incident, or actual damages, whichever is greater.
Prepare for Compliance
To help prepare for compliance with the CCPA, we recommend taking the following actions:
- Audit existing privacy programs and leverage any work already completed in other compliance efforts (e.g., the EU General Data Protection Regulation, HIPAA, etc.).
- Review your contractual practices. CCPA compliance obligations will need to be added to your contracts, whether because your customers require them of you or because you require them of your suppliers.
- Review current data archiving, collection, sale, and retention practices and strategies. Decide what practices can be eliminated or modified to minimize data retention, and where necessary, update the data retention, deletion, and archiving policies.
- Consider adding or amending your organization's insurance policies, premiums, and deductibles so they account for the additional compliance risk.
- Conduct periodic and regular data security incident preparedness exercises, Red Team drills, dry-runs, training, and policy upgrades. Document these events so compliance can be demonstrated in the event of litigation or enforcement actions.
- Build and implement employee training programs centered on data privacy. Document these events so compliance can be demonstrated in the event of litigation or enforcement actions.
- Establish processes and procedures to guide response when consumers exercise their CCPA rights. Update your incident response plan to reflect these processes and procedures.
- Create templates for responding to consumer data requests and ensure your internal policies agree with those templates.
We Can Help
Whether through advising on an assessment process, refreshing your policies and procedures, or determining if a CCPA exemption applies, our attorneys can help ensure your company takes the necessary steps to comply with the CCPA ahead of implementation on January 1, 2020. Contact us with your questions.