The California Consumer Privacy Act
As you may have heard, on January 1, 2020, a broad new privacy law protecting California consumers’ privacy rights goes into effect and is scheduled to be enforced within that year – the California Consumer Privacy Act (CCPA). While the specific rules that the California Attorney General will use to enforce this new law are still being commented on, we know a lot already about what the law will require and what businesses should be doing now to prepare for it. Businesses to which the CCPA will apply that wait until right before it goes into effect will likely be too late to position themselves for compliance.
The CCPA will give California consumers many new rights with regard to how businesses handle their personal information, defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This is, of course, very broad and potentially applies to all of a company’s customers, clients and other individuals with whom it does business. These consumer rights include:
The right to access their personal information that the business has collected and/or processed and to learn how the business is using it;
The right of portability, meaning the right to receive a copy of all their personal information the business has;
The right to opt-in/opt-out of the sale of their personal information;
A requirement that businesses provide a “clear and conspicuous link” titled “Do Not Sell My Personal Information” on the business’s homepage that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer’s personal information; and
The right to have their personal information deleted under certain circumstances.
Consumers can exercise these rights by request.
Second, businesses should set up procedures now to be compliant with the CCPA. This includes undergoing a data audit to determine what personal information is collected, how it is used, who processes it, where it goes, where it is stored, whether it is sold and if so, why and to whom, and how to retrieve it to comply with consumer requests. In addition, businesses should set up a training program for all personnel who handle personal information, in particular those who will handle consumer requests (this is a requirement of the CCPA). Businesses should also have written internal procedures on precisely how to respond to consumer requests and how to verify the identity of the person making the request.
Third, businesses should conduct an IT security audit, plug weaknesses, and ensure that proper security protocols and limits on access are in place. In addition, businesses should obtain appropriate cyber insurance that covers ransomware attacks and data breaches, and have an action plan at the ready in case such an attack or breach does occur.
Finally, businesses need to be aware of other privacy laws and regulations that may apply to them, such as Europe’s General Data Protection Regulation (GDPR) and other state laws. There is currently no overarching federal law that governs all of these areas, so it is left to the states. California currently has what seems to be the most stringent and consumer-protective law, so many businesses are planning to comply with it as a general matter and then look to any other state-specific privacy laws that may apply to them. Some states, like New York, have been discussing and commenting on legislation that is similar to, and in many ways even more rigorous than, the CCPA. It is not known whether any of this legislation will move forward or pass, but the trend toward such legislation is clear and businesses need to keep up to date on developments.
The bottom line is that businesses should be preparing now for the CCPA and similar laws. Finding an attorney and other professional resources with the experience and credentials to assist and guide in the process is critical.