The California Consumer Privacy Act (“CCPA”) went into force on January 1, 2020, with enforcement delayed until July 1, 2020. With this enforcement right around the corner, what key things should businesses be doing to minimize their risks?
- Confirm whether CCPA applies to your organization. If you haven’t done so already, assess whether CCPA applies to your organization. CCPA applies to any for-profit business which (i) has prior year annual revenues in excess of $25 million, or (ii) processes the personal information of 50,000 or more California residents (note that personal information includes digital information like device ID and IP address), or (iii) derives 50% or more of its income from the sale of personal information. Your business does not have to be located, or even have employees, in California for CCPA to apply to it.
- Understand what types of personal information your business processes, for what purposes, and to whom it is disclosed. CCPA doesn’t mandate data mapping or the preparation of a data inventory in the same way that other privacy laws (for example, the General Data Protection Regulation) do. Although it is not mandated, we strongly recommend building a data inventory; this will help you to comply with various aspects of CCPA in the most efficient way possible. It will be difficult, if not impossible, to ensure compliance without a detailed data inventory.
- Update your privacy notices. This is low-hanging fruit! CCPA requires transparent notice (usually in the form of a written privacy notice posted to a business’ website) to be provided as to what, and how, personal information is collected, and for what business or commercial purpose it is used. Privacy notices also need to describe the rights available to California consumers under CCPA (including the right of access to, and deletion of, personal information, as well as the right to opt out of the sale of personal information). Although not covered by CCPA (and the subject of a whole other alert), you should also make sure your website complies with the Americans with Disabilities Act and other web accessibility requirements.
- Create a plan for recognizing and responding to consumer requests. Know how to recognize and respond to consumer requests. CCPA, via its proposed regulations, requires businesses to respond to consumer requests for information about what data the business collects about them and how it is used, along with requests to delete personal information and to opt out of its sale. Ensure your organization has a process in place to enable consumers to make such requests, and internal process and procedure documents to enable timely responses within the mandated 45-day period. Your business should also understand its obligations around verifying the identity of a consumer who makes such a request.
- Review your rewards and incentive programs. Justify financial incentives such as loyalty or discount programs. CCPA requires a business to provide a good faith estimate of the value of a consumer’s data used in connection with financial incentive programs, and to allow a consumer to opt out of the sale of their personal information without removing them from the financial incentive scheme, unless the business can show that the value of the scheme to the consumer is reasonably related to the value of the consumer’s data to the business.
- Security. Security, security, security. Probably the biggest risk to businesses under CCPA comes from the ability of consumers to bring a private right of action for damages in the event of a data breach. Consumers can claim up to $750 per violation if certain ‘protected classifications’ of personal information are compromised, unless the business can demonstrate that it implemented reasonable security measures to protect the personal information. Reasonable security measures will likely include physical and administrative measures, employee training, and vendor diligence.
This overview of CCPA compliance tasks is the first in a series of articles about the practical implications of CCPA, and how businesses can assess and mitigate their risk. Next week we will look more closely at the thresholds for CCPA applying to businesses, and what exceptions to compliance apply.