Editor’s Note: With the increasing focus on compliance requirements for companies doing business in California based on the California Consumer Privacy Act of 2018 (CCPA), the following four article extracts are provided to help legal, business, and information technology professionals better understand and prepare for the requirements and risks associated with the CCPA when it becomes effective on January 1, 2020.
On The Road Again: Practical First Steps On Your Way to Compliance with the CCPA
Extract from an article by Odia Kagan as published by Fox Rothschild
The California Consumer Privacy Act (CCPA), a broad-based law protecting information that identifies California residents, will take effect in 2020. The law includes detailed disclosure requirements, provides individuals with extensive rights to control how their personal information is used, imposes statutory fines and creates a private right of action. It is expected to dramatically alter the way U.S.-based companies process data.
Yes – it is true that CCPA will only go into effect in 2020, and some changes in the law are expected.
However, CCPA also has a “12-month look back” which requires companies to be able to provide information to consumers about information collected or disclosed in the immediately preceding 12 months. Couple that with some “behind the scenes” preparation which will likely be necessary whatever form the law takes — to allow you to do expanded disclosure or to address the consumer rights of access or deletion — and you have good reasons not to take a “wait and see” approach.
Here are the top five steps you can start taking already to prepare for CCPA.
CCPA – What is it and What Does Your Business Need to Know?
Extract from an article by Deborah George as published by Robinson+Cole
One of the most critical facts to know is that the CCPA not only applies to consumers but also applies to for-profit businesses that do business in the state of California. A business is defined as one that collects consumers’ personal information, has more than $25 million in revenue, alone or in combination, and annually buys, receives for the business’s commercial purposes, sells or shares for commercial purposes, the personal information of 50,000 or more consumers, households or devices or derives 50% of its annual revenues from selling a consumer’s personal information. Cal. Civ. Code §1798.140. A key fact to note from this definition is that the CCPA applies to any business that “does business in the State of California,” not just businesses residing or incorporated in California.
The CCPA is a consumer-directed law that empowers a consumer to determine how a business can store, retain and use their personal information. The CCPA gives consumers a set of rights about the personal information that businesses collect about them, and the CCPA then directs those businesses that possess that personal information what the business can or must do with a consumer’s personal information. It’s quite empowering for a consumer to be able to tell a big corporation: I don’t want you to sell my personal information or I want you to delete my personal information. The rights of consumers and the obligations of the businesses are distinct, but intertwined in this law: on one side are the rights of consumers, and on the other, the obligations of businesses to comply with the directions of their customers and consumers.
What Marketers Need to Understand About Fines Under The New California Privacy Act
Extract from an article by Sam Bocetta as published on Marketing Land
It did not take long for the Golden State to borrow a page from the European Union’s consumer privacy rule book. And because of this, marketers need to take note about what’s happening with changes in data protection right now.
It was only a few months after Europe adopted the General Data Protection Regulation in March 2018, that California Governor Jerry Brown approved Assembly Bill 375, commonly referred to as the California Consumer Privacy Act.
These two jurisdictions are more than 5,600 miles apart, but their views on consumer privacy happen to be very similar.
The reason brands suddenly revised their privacy policies earlier this year can be traced to a massive fine imposed upon an American internet advertising giant: Google.
If You’re Not First, You’re Last: Risks of Delaying CCPA Compliance
Extract from an article by Kevin Kish as published by Security Boulevard
The CCPA mandates that organizations provide consumers with an accurate look-back at the data that was collected, sold, or disclosed during the business relationship or service delivery. Organizations should avoid the temptation to rely solely on existing processes resulting from the GDPR without further analysis or not preparing at all. Prior to the effective date in January 2020, businesses should take the opportunity to develop a comprehensive data inventory to ensure that all relevant personal information assets are identified in accordance with CCPA’s new requirements. At the same time, it’s important that this process be able to scale with business operations to ensure both internal and external visibility and consistency while data collection, sharing, and sales operations change. Due to the increased focus on data privacy and the implications of the regulatory environment, early preparation will pay off in the form of a well-trusting customer base and through the intrinsic marketplace advantage offered to those who establish themselves as a reputable, privacy-conscious business partner.