Prepare now to comply with this strict new privacy law
Chris Achatz //April 29, 2019//
The California Consumer Privacy Act (“CCPA”) is arguably the most significant data privacy law in the country and goes well beyond what is typically covered by U.S. privacy laws. It creates substantial new privacy rights for consumers, comparable to many of the rights that European citizens enjoy under the EU General Data Protection Regulation (the “GDPR”).
While the CCPA is narrower than the GDPR in many respects, the two laws overlap. Companies that made significant updates for the GDPR have already done part of the work for the CCPA, but they are not done yet.
The CCPA goes into effect on Jan. 1, 2020, but organizations should not wait to assess its impact. Once it takes effect, consumers will be able to request that a business disclose the specific pieces of personal information it has collected about them over the preceding 12 months, which reaches back as early as Jan. 1, 2019, so data a business collects this year will already be subject to those requests. The CCPA will significantly change data-driven businesses' practices, imposing new and burdensome compliance obligations on the collection and use of consumer data. Businesses that fail to comply may be subject to monetary penalties, regulatory enforcement actions and, for certain data breaches that result from a failure to maintain reasonable security practices, private rights of action.
Does the CCPA apply to my company?
As a starting point, any company that does business in California for "profit or financial benefit" and collects personal information about California residents may fall under the CCPA's requirements. If those conditions are met, the CCPA applies if the business meets any one of three thresholds:
(1) Has annual gross revenue greater than $25 million;
(2) Annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices; or
(3) Derives 50 percent or more of its annual revenue from selling consumers' personal information.
The CCPA imposes its obligations on a "business," not on service providers directly. The CCPA defines a "service provider" as a for-profit entity "that processes information on behalf of a business." If your company does not qualify as a business, you may still be subject to the vendor management obligations that a business is required to impose on its service providers.
For example, a business that falls within the scope of the CCPA must require by contract that a service provider processing personal information on its behalf retain, use or disclose that information only for the specific purpose of performing the services specified in the contract.
What does my company need to do?
If the CCPA applies to your business, a number of functional policies and procedures can help your business comply with the law. As mentioned, some of these updates resemble those required by the GDPR, but each will need to be reviewed against its own CCPA-specific obligations. The new requirements can be bundled into three areas:
Additionally, these policies and procedures will need to be reviewed against a backdrop of numerous other state and federal data privacy requirements, such as data breach notification laws, data security laws and a host of other industry-specific data privacy and security laws. These additional U.S. data privacy and security laws may impose further requirements and may also offer key exceptions to the applicability of the CCPA.
With less than nine months to prepare, businesses must make CCPA compliance a priority. Start by working with someone knowledgeable about the CCPA to determine how your organization, your clients and your vendors are classified under the law (business, service provider or neither), then focus on the implications for your business.
Chris Achatz is an attorney with KO Law Firm who represents companies in structuring and negotiating complex technology and data-related transactions, including data privacy and security matters. He is a Certified Information Privacy Professional (CIPP/US) and a Colorado KnowledgeNet Chair for the International Association of Privacy Professionals. To learn more about the CCPA or for other data privacy and security questions, contact Chris at [email protected] or (720) 477-7140.