Top 10 Operational Impacts of the California Consumer Privacy Act |
The California Consumer Privacy Act (CCPA) will transform the way businesses collect, use, store, disclose, and otherwise handle customer personal information. The CCPA could affect your business if your business, any of its subsidiaries, or its parent company collects or receives personal information from California residents: even if your business is located outside California and does not specifically target California customers. https://www.ocregister.com/2019/09/03/california-consumer-privacy-act-will-impact-businesses-that-collect-and-receive-personal-data/. The CCPA takes effect on January 1, 2020, and covered businesses must comply by July 1 of the same year. Noncompliance may result in steep fines, which can add up quickly. The full text of the CCPA is available here.
In addition, the California Attorney General has recently released draft rules clarifying specific obligations of covered businesses. The Attorney General will accept public comments on the proposed rules until December 6, 2019, coinciding with the conclusion of several public hearings on the rulemakings. The proposed rules can be found here. Here are the top 10 things you need to know/do to prepare for the transition:
- The CCPA Extends Beyond California
The CCPA will reach businesses throughout the United States and abroad. Subject to a number of exceptions, the CCPA will apply to a business if that business, its parent, or any of its subsidiaries collects or receives personal information from California residents, either directly or indirectly, and meets one or more of the following three criteria:
- has annual gross revenue exceeding $25 million;
- annually receives, buys, sells, or shares, directly or indirectly, the personal information of 50,000 or more California residents, households or devices; or
- half or more of its annual revenue comes from the sale of personal information about California consumers.
Because of California’s large population coupled with an increasingly interstate and global economy, the CCPA will have a sweeping impact on California and non-California businesses alike. https://www.forbes.com/sites/allbusiness/2019/09/07/california-consumer-privacy-act-could-affect-your-business/#5fa62db936ac. This includes not only businesses that operate primarily in other U.S. states, but also foreign companies who have access to personal information of California consumers. Marashlian & Donahue has experienced attorneys who can help you determine if your business is covered. 2. Penalties for Noncompliance Failure to comply with the CCPA could be very costly for your business. The CCPA allows fines of up to $2,500 per violation or $7,500 per intentional violation, and it sets no cap on the total amount of fines that can accrue as a result of noncompliance. https://www.ocregister.com/2019/09/03/california-consumer-privacy-act-will-impact-businesses-that-collect-and-receive-personal-data/. Thus, for example, an inadvertent violation impacting California consumers could trigger a $25 million penalty, while an intentional violation impacting the same number of California consumers could cost your business as much as $75 million. Therefore, it is crucial that covered entities understand and fulfill their CCPA responsibilities. 3. Update Privacy Notices and Policies The CCPA will require that “at or before the point of collection” covered companies provide notice to consumers informing them of the categories of personal information the company collects and what purpose the information is used by the company. The notice must also explicitly set forth the categories of personal information that is collected, disclosed, or sold, and that consumers have the right to opt out of having their information sold. Additionally, covered businesses will need to update their privacy policies to include a description of the other consumer rights granted by the CCPA. https://www.dickinson-wright.com/news-alerts/californias-data-privacy-law. Marashlian & Donahue is happy to work with you to ensure that your new privacy policy is CCPA-compliant. We can also advise on the advantages and disadvantages of establishing a universal privacy policy over maintaining separate policies for California and other jurisdictions. 4. Update Data Inventories, Business Processes, and Data Strategies Covered businesses will need to maintain a database to track their data processing activities, including the business processes, third parties, products, devices, and applications that process consumer personal data. This database must be able to track all consumer right requests, such as tracking a verified request for information, and it must be kept up to date. https://www.dickinson-wright.com/news-alerts/californias-data-privacy-law. Implement Protocols to Enforce Consumer Rights Covered businesses will need to adopt internal procedures to ensure that California consumers can exercise all rights guaranteed by the CCPA, including:
- right to notice;
- right of access/right to request;
- right to know;
- right to delete;
- right to opt out;
- right to notification of financial incentive; and
- right to non-discrimination for exercising their CCPA rights.
We are happy to explain these rights and advise on their likely practical implications for your business upon request. 5. Make Security Updates The CCPA requires covered businesses to protect personal information with “reasonable” security. “In practice, this standard has led companies to take a risk-based approach toward addressing threats to the confidentiality, integrity, and availability of personal data. They assess the threats to data, rank the risks of the detected vulnerabilities, and address the high-risk gaps first.” https://www.dickinson-wright.com/news-alerts/californias-data-privacy-law. 6. Update Third-Party Processor Agreements Businesses that hire other companies to process their data will need to update their third party contracts to comply with the CCPA, including “inserting standard-contractual clause language; requiring vendor data inventories; using due diligence questionnaires; providing records of processing; requiring the syncing of consumer response processes; requiring onsite assessment and auditing; and requiring mapping of the specific data elements shared with each third party, including designating those transfers that qualify as ‘selling’”. https://www.dickinson-wright.com/news-alerts/californias-data-privacy-law. Our attorneys have extensive experience preparing and reviewing such agreements and are happy to help. 7. Training The CCPA requires that employees handling consumer inquiries be informed of all of its requirements. https://www.dickinson-wright.com/news-alerts/californias-data-privacy-law. According to data privacy consultant Jay Cline, “Businesses preparing for large volumes of requests will be most impacted, as they will now have to train their workforce on CCPA requirements.” https://www.linkedin.com/pulse/seven-new-proposed-ccpa-regulations-biggest-impact-jay-cline. However, because the legal consequences of noncompliance are so severe, we recommend supplemental training in addition to the mandatory training. Our attorneys are happy to prepare personalized training materials tailored to your business’s unique needs and to otherwise assist with CCPA training. 8. Deletion of Personal Information The CCPA grants consumers the right to request the deletion of their personal information. While businesses must generally honor such requests upon receipt of a verified request, they need not do so under certain circumstances, such as when they need the personal information to provide a good or service requested by the consumer, or when they must retain it to comply with other laws. Moreover, the proposed rules clarify that if a business cannot verify the identity of the requester seeking deletion of personal information, the business may deny the request and must instead treat the deletion request as a request to opt out of the sale of personal information. § 999.313(d)(1). Marashlian & Donahue can help your business navigate the various exceptions to the personal information deletion requirement to prevent accidental “overcompliance” and/or inadvertent violation of other laws as a result of wrongfully honoring a deletio9n request. 9. Coexistence with Other Privacy Laws The CCPA’s relationship with other privacy laws is complex. For example, the CCPA does not apply to information that is already covered by federal privacy laws, such as the Health Insurance Portability and Accountability Act, the Gramm-Leach Bliley Act, the Fair Credit Reporting Act, or the Drivers’ Privacy Protection Act. However, even if your business handles personal information covered by these or other privacy laws that preempt the CCPA, the CCPA may still apply to your company to the extent it collects and processes other consumer data. Therefore, consulting an experienced attorney is crucial to compliance with the correct law(s). 10. Recent Amendments While CCPA obligations are not expected to change significantly, the California legislature has recently passed six amendments that will introduce minor modifications. These amendments include the exclusion of employee information and certain business-to-business communications and transactions for one year, the elimination of a toll-free number as one of the two methods for consumers to submit requests for businesses that operate exclusively online, and giving the California attorney general additional rulemaking authority concerning verifiable consumer requests. https://www.natlawreview.com/article/california-ccpa-amendment-update-here-s-what-passed. California Governor Gavin Newsom signed the amendments into law on Friday, October 11, 2019. https://www.adlawaccess.com/2019/10/articles/ccpa-update-california-governor-signs-six-amendments-to-the-ccpa/. Conclusion As summarized above, the CCPA’s requirements are sweeping and complex: reaching businesses well beyond California borders. As California legislators and the state’s Department of Justice is now focusing closely on strengthening consumer control over their personal information, it is critical that covered businesses be aware of, and comply with their new obligations. As discussed above, violators will be subject to steep fines and other sanctions. Marashlian & Donahue, PLLC has experienced attorneys that can answer any questions you may have regarding these changes, and help guide you through the labyrinth of these new, highly-technical requirements. For further information, please contact Linda G. McReynolds, Esq., lgm@commlawgroup.com or (703) 714-1318. |
