New Year, New California Privacy Law Now in Effect
On January 1, 2020, the California Consumer Privacy Act (CCPA) became effective, broadly requiring companies that do business in California to restructure how they deal with consumers’ personal information. The law establishes sweeping new consumer rights and imposes a host of new obligations on covered businesses. Among other requirements, companies that collect the personal information of California residents must now provide various notices and disclosures before or at the time of collection.
Since the law was first passed in 2018, it has been amended multiple times by the California legislature. These legislative amendments have made the law somewhat of a moving target for companies trying to come into compliance. Additionally, the California Attorney General (AG) has not yet finalized the law’s implementing regulations, although the AG has published draft regulations. Accordingly, the exact scope and details of the new law remain difficult to discern. Despite these complications, the AG has made clear that AG enforcement (which can begin as of July 1, 2020) will be backward looking to the January 1 effective date.
Accordingly, it is critical now that businesses understand whether they are covered by the CCPA; if so, covered businesses should have in place a compliance program to operationalize the new law.
If your company needs assistance with its CCPA compliance approach, please do not hesitate to reach out to our Privacy Team, which has been assisting large and small companies across industries and across the country to navigate this complex new law. For general information about the CCPA and tips for compliance, you can listen to one of our several CCPA webinars from 2019:
- California Consumer Privacy Act (CCPA) Briefing
- Latest Update on State Privacy Laws: California and Beyond
- California Consumer Privacy Act: Latest Developments and Compliance Strategies
***
Does the CCPA Apply to Your Organization?
The CCPA applies broadly to for-profit businesses that do business in the state of California, collect and control the personal information of California residents, and meet one or more of the following qualifications: (1) has annual gross revenues (not restricted to California revenue) in excess of $25 million; (2) annually receives or discloses the personal information of 50,000 or more California consumers, households or devices; or (3) derives 50% or more of its annual revenues from selling the personal information of California residents. If you operate a business that interacts with California residents, there is a good chance that the law applies to you.
What Consumer Rights Does the CCPA Establish?
To give California residents control over the collection, use, and sharing of their personal information, the CCPA grants consumers a wide range of rights, including:
- Right To Know: California residents have the right to request information about what data is collected and how it is used.
- Right To Data Portability: California residents have the right to request “specific pieces of personal information it has collected about that consumer.”
- Right To Request Deletion: California residents have the right to request that a covered business delete their personal information that the business has collected from the consumer.
- Right To Opt-Out From Sale: For businesses that sell personal information (as broadly defined by the CCPA), California residents may also opt out of such sales, essentially restricting how their data may be transferred. For minors, this is a right to opt in.
- Right to Non-Discrimination: Businesses may not discriminate against California residents who exercise their CCPA rights, including by denying goods or services or charging different prices or rates. The law does allow for certain financial incentive programs; however, there are complex requirements that govern how these programs may be offered, and the law sweeps in many common promotional practices.
What Business Obligations Does the CCPA Impose?
Businesses covered by the CCPA must comply with very specific notice requirements. These obligations require extensive updates to typical privacy policies, and also extend beyond a standard privacy policy. Additionally, there are a number of obligations associated with facilitating and responding to consumer requests. For example, prior to honoring a consumer’s request to know or to delete, a business is obligated to verify the request. This may prove complicated depending on the type of information a business collects. The draft regulations call on businesses to establish a “reasonable” method that allows them to verify identity “to a reasonable degree of certainty,” but they also discourage a business from collecting any new information to verify identity. In general, businesses will be held to tight timelines to review, verify, and respond to consumer requests. The law and the draft regulations also impose new recordkeeping and training obligations. Finally, the law establishes a private right of action in the case of a security breach of certain information where a business has not implemented and maintained reasonable security procedures and practices.
What Steps Should My Organization Be Taking Now?
The first step is to determine whether your organization is a covered “business” under the CCPA. If so, the second step is to develop and implement a compliance plan. Businesses should be careful to avoid some common pitfalls with CCPA compliance—whether they have fully implemented or are still working to operationalize new policies. For example:
- Selling Personal Information: The CCPA defines the term “sell” extremely broadly, and covered businesses should be careful to evaluate whether any transfer of personal information to a third party meets the law’s broad definition or falls into an exception, such as for transfers to service providers. In the case of service providers, disclosures of personal information must be made pursuant to a written contract with specific provisions to ensure that the disclosure will not be considered a sale, which triggers additional obligations under the law.
- Employees: At the end of 2019, the California legislature amended the law to create a partial exclusion for a business’s employees, among others. It is critical for covered businesses to understand that the CCPA does not contain a full employee exclusion and that there are still certain provisions that apply to employees and others, even though these individuals are not “traditional” consumers. Importantly, a covered business must still provide its employees, contractors, job applicants, owners, officers, directors, and medical staff members with notice “at or before the point of collection, [to] inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.”
Finally, compliance programs will need to be reviewed and fine-tuned once the implementing regulations are finalized. In the meantime, covered businesses will need to make good-faith efforts to come into compliance with this law as written, which is now in effect.