This past summer the California legislature passed, and later amended, the California Consumer Privacy Act of 2018 (CCPA). The CCPA grants California consumers an unprecedented amount of rights regarding their personal information (PI) and an expansion of consumer privacy expectations. Although the CCPA does not go into effect until Jan. 1, 2020, a key provision known as the “look back” requires California businesses covered by the CCPA to begin preparing now. This article provides a brief overview of the key provisions included in the CCPA, the “look back” provision, how to take action for compliance now and the potential penalties for violating the CCPA.
Although the CCPA will go into effect on Jan. 1, 2020, it should be noted that many of the regulations related to key provisions, such as the scope of definitions, opt-out provisions and penalties remain unclear. The California Attorney General’s Office is currently soliciting public comments on the CCPA to help address these issues.
Is Your Business Affected by the CCPA?
The CCPA regulates businesses, defined as for-profit entities doing business in California that are the controllers of the data and that meet at least one of the following thresholds: gross revenue in excess of $25 million; annually buying, receiving, selling or sharing the personal information of 50,000 or more consumers; or deriving 50 percent or more of their annual revenue from selling personal information.
What Kind of Information Is Protected?
The purpose of the CCPA is to protect the PI of all Californians. Under the CCPA, “PI” is defined broadly as “any information that … relates to … a particular [California resident] or household.” The CCPA provides a long list of examples of PI including: online identifiers, financial information and geo-location data. Some PI intersects with other California laws, including California’s Net Neutrality Act, which may still have an effect on the CCPA even if struck down. The CCPA’s protection applies to consumers, employees, individual representatives of businesses or any other California resident.
Under the CCPA, the obligations of a business to protect California residents’ PI fall under five general categories: transparency, access, deletion, choice related to the sale of PI, and nondiscrimination.
For example, a business must track the PI it collects, inform consumers at or before collection and provide them with the purposes for the collection. If the business later decides to use the information for other purposes, it must provide further advance notice to the consumer. In addition, businesses must inform consumers of their rights under the CCPA, and must have a “Do Not Sell My Personal Information” web-based opt-out tool and program that enables consumers to prevent the sale of their PI. Any party to which PI is sold, even if not a regulated business, may not resell it without first giving the consumer notice of the right to opt out of sales, and must accept and honor opt-outs.
How Can Businesses Prepare Now for the ‘Look Back’ Provision?
The CCPA also includes a 12-month look back provision, which gives consumers the right to obtain from a business the information it holds about them for the past 12 months. Upon a verified request from the consumer, a business must provide the following personal information to the consumer:
- The categories of PI collected about that specific consumer.
- The categories of sources from which the PI is collected.
- The specific pieces of PI collected about that consumer.
- The business and commercial purpose(s) for collecting or selling the PI.
- The categories of third parties with which the business “shares” PI.
- For PI that is sold, the categories of the consumer’s PI sold and the categories of third parties to which it was sold, as well as the categories of the consumer’s PI sold to each applicable third party.
- For PI that is disclosed for a business purpose, the categories of the consumer’s PI that were disclosed.
Steps to Prepare Your Business for Compliance
Given that the CCPA becomes effective on Jan. 1, 2020 with the 12-month look back provision, consumers will have the right to access their PI dating back to Jan. 1, 2019. Therefore, in order to comply with the effective date of Jan. 1, 2020, businesses should have begun record-keeping as of Jan. 1, 2019.
Below are five operational steps for your business to take now in order to be ready for CCPA compliance:
Step 1: Initiate a readiness assessment—look at the regulations and procedures already in place at your organization in order to evaluate whether processes need to be updated or created altogether.
Step 2: Begin data inventory and record-keeping—map the processing of personal information of California consumers as of Jan. 1, 2019. If there is a clear process in place now, your business will be able to look back efficiently should you receive a request for information.
Step 3: Combine your internal process with the CCPA Data Subject Access Request (DSAR) procedure to ensure complete and accurate handling of consumer requests.
- Create templates for responding to consumer requests, and internal policies for staff to follow, to support compliance and consistency.
Step 4: Plan employee training—updated training is mandatory for employees who will be facing consumers and handling consumer information.
Step 5: Update your online presence.
- Update your online privacy notices and policies (both the GDPR and the CCPA have specific requirements regarding the information to disclose to consumers/data subjects).
- Update and streamline your process for consumers to access the CCPA information.
- Provide an online opt-out mechanism for consumers.
What Are the Potential Penalties for CCPA Violations?
The California Attorney General can impose penalties of $2,500 per violation and up to $7,500 per intentional violation.
Additionally, companies that become victims of data theft or other data security breaches can be ordered in civil class action lawsuits to pay statutory damages anywhere between $100 and $750 per California resident and incident, or actual damages, whichever is greater.
Many business and legal professionals believe that the current version of the CCPA will likely undergo additional revisions before its Jan. 1, 2020, enforcement date. Regardless of the likelihood of modifications to the CCPA, businesses should assume that the finalized law will substantially increase the required level of privacy transparency and choice for consumers. Given this likelihood and the 12-month look-back provision, businesses need to begin keeping records of the consumer data they collect and implement data management systems and practices that will enable compliance come Jan. 1, 2020.
Tarah Powell-Chen is an associate at Murphy, Pearson, Bradley & Feeney in their San Francisco office where she represents individuals and corporate clients with matters involving professional liability, commercial and business litigation, real estate, employment law and data privacy issues. She also serves as general counsel to various California businesses and law firms, providing advice and counsel on data privacy compliance, regulatory issues and general contract review. Powell-Chen can be reached at 415-962-2849 or email@example.com.