Now is the Time to Get Compliant.
California passed what many describe as the most sweeping and comprehensive consumer privacy law in the country. The law is called the California Consumer Privacy Act (the "CCPA" for short), and it becomes effective January 1, 2020.
The law creates many new requirements for businesses worldwide that collect or maintain information about California consumers, and it creates new rights for those consumers. These include the right to know what categories of personal information are being collected, used, shared, and/or sold; the right to know the categories of third parties with which the personal information is shared or to which it is sold; and the right to require a business to delete certain personal information about the consumer. This information must be disclosed in the company's privacy policy, and further detail must be provided upon individual request by a consumer, with limited exceptions.
Notice and consumer choice over the collection, sharing, and sale of personal information are key components of the CCPA. At or before the point of collection, a business must tell consumers what categories of personal information it collects and the purposes for which that information will be used. This is true whether the information is knowingly and voluntarily provided by the consumer (such as through a web form on registration) or whether it is collected through cookies and other technological means. Where the consumer's information is sold, the CCPA gives the consumer the right to opt out of the sale at any time, whether at the time the information is provided or down the road; affirmative opt-in consent to a sale is required only for consumers under 16 (with parental consent required for those under 13). Third parties that receive sold personal information must likewise give consumers explicit notice and an opportunity to opt out before selling it onward. The opt-out is accomplished through a "Do Not Sell My Personal Information" link, which must appear in a clear and conspicuous location on the website's homepage (typically the footer) and in the privacy policy, and which leads to a page where the consumer can exercise the opt-out. Thus, in addition to an updated privacy policy, businesses are required to add notice, consent, and opt-out mechanisms to their site.
For many businesses, getting compliant with this law is time-consuming and labor-intensive. For that reason, businesses need to start their compliance efforts now to make certain they are compliant by the deadline.
The first thing businesses must ask is whether the law even applies to them. The law applies to for-profit businesses that do business in California, collect consumers' personal information, and determine the purposes and means of processing it, if they meet any one of the following thresholds:
- Annual gross revenues over $25 million; or
- Annually buy, receive, sell, or share (alone or in combination) the personal information of 50,000 or more California consumers, households, or devices; or
- Derive 50% or more of their annual revenue from selling consumers' personal information, where "selling" includes renting, transferring, making available, or otherwise disclosing consumers' personal information for monetary or other valuable consideration.
If the law applies to a business, the next step is to engage in so-called data mapping, or a data impact assessment: identifying every point at which the business collects or shares information about consumers, and then breaking each of those collection or sharing events down into categories (what is collected, from what source, for what purpose, and with whom it is shared or to whom it is sold). This information will be vital to drafting the key disclosures that will be placed in a revised privacy policy, and to preparing a template response to consumers who request further detail, which can later be customized to the individual request. As part of this data mapping process, businesses also need to account for all consumer data in their possession that they did not collect directly from the consumer (for example, data purchased or received from third parties), because the business must be able to identify its source and the notice under which it was originally collected.
As a result of the data mapping process, a business can decide whether to maintain a separate privacy policy and forms for California consumers versus consumers from other states, or whether it makes more sense to afford all of the business's consumers the same rights as those located in California.
After making this key decision, the next step is to create or revise the website's notice and consent language, so that consumers are informed, at or before the point of collection, of every type of data collected and the uses for such data. If a business is not the entity that originally collected the consumer information, then the business must analyze whether that data may lawfully be used or even retained.
Businesses must also prepare to let California consumers exercise their rights to confirm what personal information of theirs the business maintains, and to demand that the business delete the consumer's personal information. This preparation involves developing new internal business processes (including a way to verify the identity of the person making a request before disclosing or deleting anything, and a way to respond within the statutory window of 45 days, extendable once by a further 45 days), training staff, and putting agreements and procedures in place with third-party clients, service providers, and other vendors to ensure such requests are honored in a compliant manner. The business must also provide at least two methods for consumers to submit such requests, including at a minimum a toll-free telephone number and, if the business has a website, a web address; a business that operates exclusively online and has a direct relationship with the consumer need only provide an email address.
The CCPA and the written regulations issued by the California Attorney General under it are dense and complex. Fortunately, Kronenberger Rosenfeld can help your business get compliant with the CCPA by assisting with your data mapping, drafting website disclosures and edits to privacy policies, and providing guidelines for staff training. We also offer fixed fees for our CCPA legal services.
If you need assistance getting compliant with the CCPA, contact one of the firm's attorneys or email us at [email protected].