If Your Company Does Business in California, Read This
Prepare now to comply with this strict new privacy law
The California Consumer Privacy Act (“CCPA”) is arguably the most significant data privacy law in the country and goes well beyond what is typically covered by U.S. privacy laws. It creates substantial new privacy rights for consumers, comparable to many of the rights that European citizens enjoy under the EU General Data Protection Regulation (the “GDPR”).
And while the CCPA is a far cry from the GDPR, there are similarities. Companies that made significant updates for GDPR will be happy to know they’ve already contributed to their compliance with the CCPA, but they’re not done yet.
The CCPA goes into effect on Jan. 1, 2020, but organizations must not delay in considering the CCPA’s impact. Once the law takes effect, consumers will be able to request that a business disclose specific pieces of information for the preceding 12 months, reaching back as early as Jan. 1, 2019. The CCPA will significantly impact data-driven businesses’ data practices, with new and burdensome compliance obligations regarding consumer data collection and use. Businesses that fail to comply with the CCPA may be subject to monetary penalties, regulatory enforcement actions, and private rights of action.
Does the CCPA apply to my company?
As a starting point, companies that do business in California for “profit or financial benefit” and collect personal information about California residents may fall under the CCPA’s requirements. If these qualifications are met, the CCPA will apply if your business meets any one of three thresholds:
(1) Has greater than $25 million in annual gross revenue; or
(2) Annually handles personal information for 50,000 consumers; or
(3) Derives half of its annual revenue from selling consumers’ personal information.
The CCPA only imposes obligations on a business and not on service providers directly. The CCPA defines a “service provider” as a for-profit entity “that processes information on behalf of a business.” If your company does not qualify as a business, you may still be subject to the vendor management obligations that a business is required to impose on its service providers.
For example, a business that falls within the scope of the CCPA must require by contract that a service provider that is processing information on behalf of the business only retain, use, or disclose such personal information for the specific purpose of performing the services as specified in the contract.
What does my company need to do?
If the CCPA applies to your business, there are a number of functional policies and procedures that can help your business comply with the law. As mentioned, some of these updates are similar to the GDPR, but each will need to be reviewed for its own CCPA-specific obligations. The new requirements can be bundled into three areas:
- Data Security: Start by reviewing or updating your written information security program (WISP) and incident response plan (IRP). While there is no strict requirement that these documents be updated, having them in place will help a business avoid the private right of action that the CCPA grants consumers against businesses that suffer a data breach.
- Vendor Management: Review your company’s agreements with service providers. A business must be keenly aware of the additional compliance obligations placed on “selling” (broadly defined under the CCPA) personal information, because a business may be held liable for the actions of its service providers. For a disclosure of personal information to a service provider for a specific business purpose not to be treated as a sale, the service provider should be contractually obligated not to use that personal information except as necessary to perform the business purpose.
Additionally, these policies and procedures will need to be reviewed against a backdrop of numerous other state and federal data privacy requirements, such as data breach notification laws, data security laws and a host of other industry-specific data privacy and security laws. These additional U.S. data privacy and security laws may impose further requirements and may also offer key exceptions to the applicability of the CCPA.
With less than nine months to prepare and become compliant with the new law, businesses must make the CCPA a priority. Start by working with someone knowledgeable about the CCPA to determine how your organization, clients and vendors are defined under the law, then focus on the implications for your business.
Chris Achatz is an attorney with KO Law Firm who represents companies in structuring and negotiating complex technology and data-related transactions, including data privacy and security matters. He is a Certified Information Privacy Professional (CIPP/US) and a Colorado KnowledgeNet Chair for the International Association of Privacy Professionals. To learn more about the CCPA or for other data privacy and security questions, contact Chris at firstname.lastname@example.org or (720) 477-7140.