We are 100 days away from the California Consumer Privacy Act (“CCPA”). Are you ready? The CCPA, the first comprehensive United States privacy law takes effect on January 1, 2020, with an enforcement date of July 1, 2020.
Does CCPA Apply to My Business?
In short, the CCPA will apply to businesses that receive personal data from California residents. However, the CCPA will not apply to every business that engages in commerce in California. Rather, it will apply if a business, or businesses’ parent company meets one of the following three thresholds then the CPPA will apply: (1) has annual gross revenues > $25 million; (2) obtains personal information of 50,000 or more California residents, households or devices annually or; (3) 50% or more of the company’s annual revenue is from selling California residents’ personal information. While 50,000 California residents sounds like a high number, to meet this threshold, a business would only need 137 visits to its website per day to reach that number.
What Is Personal Information Under the CCPA?
Under the CCPA, the definition of personal information is very broad. Specifically, personal information is any information that identifies, relates to, describes, is reasonably capable of being associated with, or may reasonably be linked, directly or indirectly, with a particular consumer or household.
What Other Rights Does the CCPA Provide?
The CCPA provides the following rights to individuals, which will require businesses to put measures in place in order to comply:
Notice Requirement: At or before the point of collection of personal information, your business will need to provide notice of categories of information to be collected, and the purposes for which they will be used.
Disclosure Requirement. If a covered consumer requests, your business will need to disclose the following:
- categories and specific pieces of the consumer’s personal information that your business has collected;
- categories of sources from which personal information is collected;
- business or commercial purpose for collecting or selling personal information (if applicable); and
- categories of third parties with whom your business shares personal information.
Delivery of Personal Information. A consumer may request his or her personal info, up to twice in a 12-month period from your businesses. Upon such request, your business must deliver the consumer all of his or her personal information that your business has collected and retained.
Right to be Forgotten. Your business must notify consumers of their right to request that your business delete all of the consumer’s personal information. (Certain exceptions apply).
What Steps Should My Business Take?
We recommend that businesses subject to the CCPA take the following actions.
Data Mapping. In order to implement CCPA compliance, a business must understand all of the data and personal information it collects and maintains, how it processes such information, where it stores such information, and to whom it transmits the information.
Policy Drafting. Examine and revise current privacy policies to determine whether any additional notices and disclosures need to be implemented.
Handling Consumer Requests. Build a process to handle and respond to consumer requests, including a reliable procedure for personal information deletion. Completing a data map is key to building out these procedures.
Employee Training. Devise a training program to ensure that all of your businesses employees who handle consumer information are trained on CCPA compliance.