The California Consumer Privacy Act of 2018 (CCPA)
New Consumer Privacy Requirements Demand New Solutions
On January 1, 2020, while some of us reflect wistfully on the prior year, start tackling those New Year’s resolutions, or nurse hangovers, others will be hard at work helping their companies prepare for and respond to the first wave of consumer requests under the California Consumer Privacy Act of 2018 (CCPA) (Cal. Civ. Code §§ 1798.100-1798.199).
Enacted on June 28, 2019, and effective January 1, 2020, the CCPA grants California consumers additional rights with respect to their personal information and requires certain entities that conduct business in California to take steps to track, grant access to, manage and report on this data. The CCPA is similar in some ways to the EU General Data Protection Regulation (Regulation (EU) 2016/679), also known as GDPR, which took effect on May 25, 2018, but still requires GDPR-compliant organizations to commence new data protection efforts. In the United States, California isn’t alone in its move to enhance consumer privacy protection—numerous states, including Maryland, Massachusetts and New Mexico, are considering similar legislation.
Who Is Affected
For-profit businesses and their affiliates must comply with the CCPA if they hold data pertaining to California consumers (defined broadly to include any California income taxpayer) and: (a) have gross revenues of more than $25 million; (b) buy, sell, share or receive for commercial purposes the personal information of at least 50,000 households, devices or consumers on an annual basis; or (c) receive at least 50 percent of their annual revenues from the sale of such consumers’ personal information. Companies that receive credit card payments or operate websites will quickly surpass this 50,000-consumer benchmark. Furthermore, as written, the Act currently extends to the personal information of employees and to individuals in their employment capacity when they engage in business-to-business transactions.
Among its many provisions, the CCPA gives California consumers the right to receive transportable copies of their personal information (defined broadly to include information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”) and to require businesses subject to the CCPA to delete their personal information, refrain from selling their personal information, and provide information about how the business collects and shares personal information. Businesses must respond within 45 days of a verifiable consumer request (with limited rights to extend this period) and provide the requested information free of charge. A consumer may receive personal information requested pursuant to the CCPA from a given business up to two times in any 12-month period and, under the CCPA, a company’s record-keeping obligations extend back to January 1, 2019, as the Act provides for a 12-month look-back period.
Covered businesses’ obligations include, but are not limited to, tracking the collection of any personal information and informing consumers as to the type of data collected and the purpose of each data type (and limiting the use of the data to those stated purposes). In order to comply with these requirements, companies must track the data they collect on a subject-specific basis.
Companies should not take their obligations under the CCPA lightly, as the Act empowers the California Attorney General, in enforcing the Act’s privacy provisions, to assess civil penalties ranging from $2,500 – $7,500 per violation. In addition, the Act provides for a private right of action (both on an individual and class-wide basis) in connection with data security incidents.
Get Ready to Comply
With only a few months remaining until the CCPA goes into effect, what can companies do now to ensure compliance as of January 1, 2020? In addition to carefully reviewing the requirements of the CCPA legislation, businesses should take steps to fully inventory and map the personal information they collect and maintain. Onspring can help by allowing your company to centrally view CCPA requirements, track CCPA requirements in the context of your internal control environment, identify gaps, assign issues to individuals within your company and hold such individuals responsible for completing the appropriate corrective actions, and, using live dashboards, report on progress and compliance issues.