Publications & Presentations
September 30, 2019

The final countdown to California Consumer Privacy Act (CCPA) compliance is upon us, with the law going into effect on January 1, 2020. The law is broad in scope and imposes many new obligations on companies that collect “personal information” from California residents. To make matters worse, the penalties for non-compliance are steep.

Polsinelli is working with many of our clients to help them get prepared and has developed a streamlined process to make CCPA compliance efforts effective and efficient.

What does CCPA require companies to do?

Companies must provide notice about the data it collects about a person, and what it does with that data. Companies must also create a process by which individuals can exercise the rights created by CCPA. Finally, companies must ensure that the vendors that they send personal information to protect the information and comply with their CCPA obligations.

What rights does CCPA create?

CCPA creates the following rights:

  • Transparency - Identification and discloses to consumers of the information being collected and the purpose of information collection.
  • Access - Consumers have the right to access the information a company collects and maintains about them. 
  • Opt-Out - Consumers are able to opt-out of having their information sold.
  • Deletion - Consumers can have their information deleted (in some circumstances). 
  • Portability - Consumers have a right to get a copy of the information a company has about them. 
  • Equal Service - Companies cannot discriminate against consumers who exercise their rights, including access to information rights

What are the penalties for non-compliance?

CCPA gives the California Attorney General the power to enforce the law and issue fines of up to $7,500 per violation. This means that if a company does not provide 100 people with their rights, it could face a $750,000 fine.  

Additionally, CCPA gives individuals the right to sue the company in the event of a data breach, which could result in a large settlement or judgment against the company. 

What counts as “personal information?”
 
CCPA defines “personal information” very broadly. It includes any information that identifies, or could be used to identify, a person. This includes not only things like a name, email, and address, but also IP address, geolocation data, username and biometric information.
 
Are there exceptions?

Yes, information that is subject to HIPAA, Gramm-Leach-Bliley and some California state laws is exempted from CCPA compliance.
 
What should companies be doing?
 
Polsinelli recommends breaking CCPA compliance into four phases and these phases will tackle six discrete work streams. Click here to view the phases.