Does the Newly Effective California Consumer Privacy Act (CCPA) Impact You?
Over the past few years, data privacy has taken center stage. Personal data such as your name, shopping habits, location, and even the conversations in your own home are now being collected by countless companies and then sold, typically without your knowledge or consent. On January 1, 2020, California took the first major step in trying to protect personal data and clarify an individual’s rights over their data. While this legislation may be aimed at the Googles and Facebooks of the world, its application is certainly not limited to those public company behemoths. This legislation could impact many companies in Arizona that do business in California and impose new obligations on them. Individuals will see new procedures, links, and options put in place by the companies subject to the California Consumer Privacy Act (“CCPA”).
The CCPA was enacted in 2018 and became effective January 1, 2020. The CCPA grants new rights to consumers whose data is collected and, for those companies subject to the CCPA, imposes new business obligations to comply with it. As a consumer, under the CCPA you will now have the right to know what personal information is being collected, used, or shared. You will have the right to delete any personal information that is held by a business or its service provider and the right to opt out of any sale of your personal information. For children under the age of 16, an opt-IN option must be provided, and for children under the age of 13, the parent or guardian must provide consent. Finally, as a consumer, you cannot be discriminated against in terms of price or service if you exercise one of these privacy rights.
From the business side, the first important step is to determine whether the CCPA applies to you. Luckily, California, at least initially, has set the bar somewhat high for application to businesses. For your business to be subject to the CCPA, one or more of the following must be true: your company must have gross annual revenues in excess of $25 million; your company must buy, receive, or sell the personal information of 50,000 or more consumers, households, or devices; OR your company must derive 50% or more of annual revenues from selling consumers’ personal information. The first threshold seems relatively clear; however, the second and third may require additional research by your company. The most concerning may be the second threshold, as any company that purchases consumer data for its business is most likely purchasing sets of data that include at least 50,000 consumers.
If you are subject to the CCPA, multiple safeguards must be implemented to remain in compliance. The business must provide notice to consumers at or before data collection. Procedures must be created, at the expense of the business, to respond to consumers’ requests to opt out, know about, or have their information deleted, including providing a “Do Not Sell My Info” link on the company’s website. The company must respond to all consumer requests to opt out, know about, or delete their data within specific time frames, and the identity of these consumers must be verified by the company, even if the consumer does not have a password-protected account with the company. Businesses must disclose all financial incentives related to the retention or sale of personal information and explain how the incentive is permitted under the CCPA. Finally, businesses must maintain records of all requests and how they were responded to for a period of 24 months to demonstrate compliance. If that business collects, buys, or sells the personal information of more than 4 million consumers, even more record-keeping and training obligations exist.
Despite all the new requirements under the CCPA, many questions still remain. The California Attorney General must provide regulations to clarify how the CCPA will operate. Draft regulations were released on October 10, 2019, but final regulations are not required until July 1, 2020 per a legislative amendment. That same amendment provided that the Attorney General may begin CCPA enforcement on July 1, 2020 or six months after final regulations are published, whichever is earlier. This allows a period of time for all businesses to implement the necessary compliance measures.
It is recommended that, at a minimum, all businesses evaluate whether they fall under one or more of the three requirements to be subject to the CCPA. If your business is subject to the CCPA, it is recommended to begin implementation of its obligations as soon as possible. Though the methods of enforcement by the California Attorney General are not yet clear, one item is clear – the issue of data privacy and protection is not going away. Ultimately, many if not all other states will begin the process to implement their own legislation regarding data privacy with the CCPA as a guide.
If you have questions, or you need assistance in determining what you should be doing in light of the recently effective California Consumer Privacy Act, please contact author Jefferson Hayden at jhayden@gblaw.com or (602) 256-4406.