By Odia Kagan
The California Consumer Privacy Act (CCPA) is a broad-based law protecting information that identifies California residents. It took effect in January 2020 and creates a host of new data privacy obligations for companies that do business in the state.
Estimated to affect more than 500,000 companies, the law includes comprehensive disclosure requirements, provides consumers with extensive rights to control how their personal information is used and shared, imposes statutory fines and allows individuals to sue under certain circumstances if their personal information is exposed as part of a data breach.
It has dramatically altered how many U.S.-based companies collect and process data. CCPA also includes a “12-month look back” provision requiring companies to respond to consumer inquiries about data collected or disclosed in the immediately preceding 12 months.
Who is subject to the CCPA?
Not only California-based entities. Any for-profit company, or any entity organized or operated for the profit or financial benefit of its shareholders or other owners, that collects and processes California consumers' Personal Information and does business in the state (even remotely) is subject to CCPA if it, or an entity that controls it or is controlled by it and shares common branding with it, meets any one of the following three thresholds:
- Generates at least $25 million in annual gross revenue
- Buys, sells, shares and/or receives for commercial purposes the personal information of at least 50,000 California consumers, households or devices per year
- Derives at least 50 percent of annual revenue from selling California consumers’ personal information
In addition, even if your own company falls below these thresholds, a customer that is subject to CCPA is likely to require you by contract to comply with CCPA as a condition of continuing to do business with them.
If your company or your customers fall under the scope of CCPA, here are five things you should do now to begin your compliance effort:
1. Map your Personal Information
Ask the following questions about the Personal Information your company collects and processes in order to map out the key aspects of your data handling practices:
- What Personal Information do you collect?
- From where do you collect Personal Information?
- Where and how is Personal Information stored?
- What business units are involved?
- Is any Personal Information held by third party providers?
- What protections are applied to this information?
- What do you do with the Personal Information?
- How long do you keep it? Why?
- With whom do you share it? And for what purpose?
- What financial incentives do you provide consumers?
2. Consider consumer rights
- Devise a process for handling the access/deletion requests of California employees.
- Devise a process for handling access/deletion requests of consumers (customers).
- Consider opt-outs from the sale of information.
3. Review incident response policies and procedures
- Do you have mechanisms and procedures in place to detect a security incident?
- Do you have an incident response team?
- Do you have “go-to” external resources like outside counsel, external forensics and security professionals, external public relations, identity theft protection, call centers and others?
- Do you know which states and jurisdictions (and therefore which breach notification laws) could be involved?
- Do you know your contractual reporting obligations to customers and partners?
4. Conduct CCPA employee training
5. Update your privacy notice and website
- Prepare California employee privacy notice.
- Revise online privacy notice to account for new requirements.
- Provide at least two designated methods by which consumers can submit requests to exercise their rights.
- Add a "Do Not Sell My Personal Information" link or button.
CCPA is enforced by the California Attorney General, whose office has published a fact sheet on the law.
Odia Kagan is Chair of GDPR Compliance & International Privacy and a partner in the firm's Privacy & Data Security and Emerging Companies & Venture Capital practices. She can be reached at 215.444.7313 or [email protected].
National Emerging Companies & Venture Capital Practice Chair Elizabeth Sigety can be reached at [email protected] or 215.918.3554.