In less than two months, a new California law will affect businesses well beyond the borders of that state. The California Consumer Privacy Act (CCPA) is the most consequential privacy legislation the United States has seen and is often compared to the EU General Data Protection Regulation (GDPR) for its comprehensive approach to privacy protection, as well as the impact it will have on businesses worldwide.
The CCPA goes into effect on January 1, 2020 — less than 45 days from now. It creates expansive new consumer rights for California residents, including the right to demand that company-held personal data be shared with them or deleted. A business has 45 days to respond to a CCPA “data subject request” or possibly face enforcement action and possible fines levied by California’s attorney general. The law also grants consumers the right to seek statutory damages for certain types of data breaches. It is a safe prediction that this new private right of action will prompt a cascade of lawsuits.
The CCPA applies to any for-profit business that handles “personal information” of California residents or business-to-consumer contacts, or has California-based employees, and that meets any of the following thresholds: (a) has annual gross revenues of more than $25 million; (b) receives or shares the personal information of at least 50,000 consumers, devices, or households within any calendar year; or (c) derives 50% or more of its annual revenue from consumer data sales. While the first trigger would exclude many small and midsize businesses, a company could meet the second threshold if its website attracts only 140 California-based unique visitors per day.
Meanwhile, many emerging companies may find that the CCPA applies to them if their business depends on web commerce. As these businesses grow, they could well hit one of the thresholds. Also, companies that are third-party vendors to California-based businesses will be receiving requests from their business-to-business customers to show that their processing and handling of personal information supports their CCPA compliance.
For now, any company that conducts business with California consumers (or even one whose website Californians visit) should take time to determine whether the CCPA affects it — whether it meets one of the above thresholds and is a business engaged in collecting or selling consumers’ personal information. If the answer to these questions is yes, the business should quickly take steps to determine how it will comply with the law as the effective date rapidly approaches. Compliance steps include:
- Updating (or creating) privacy policies
- Preparing a protocol for responding to data subject requests (including becoming familiar with exceptions based on statutory exclusions)
- Identifying and evaluating service providers to assess their compliance
For instance, updating your company’s privacy notice will likely require a different evaluative approach from the one taken when the company first created its privacy policy. It involves addressing statute-specific transparency obligations that relate to the personal information that is being collected and possibly sold or marketed to third parties. Compliance with this requirement also implicates company practices that may not have been a previous focus. At a minimum, if you determine that the CCPA applies to your business, a new approach to data storage and retention will be important.
Bottom line: any business engaged in collecting or sharing data from California consumers is in the crosshairs.
Even companies with very limited contacts with California that are exempt from the application of the new California statute should become informed about the CCPA because it is likely a harbinger of future challenges, as several other states are considering similar consumer privacy measures. On the federal level, privacy protection is a regular topic of discussion, although legislation is likely years away. Many think that when it comes, it will be modeled after California’s law. So even if your business manages to avoid the effects of the CCPA, turning attention to privacy compliance now could pay returns in the future.