California Consumer Privacy Act: Is Your Business Ready?

The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. This is the biggest privacy act established in the US to date and it could lead to further privacy legislation throughout the nation. 

What is CCPA?

CCPA is data protection and privacy legislation that gives California residents more control and transparency over the information that websites and applications collect about them. CCPA not only encompasses data collected via forms (e.g., email addresses and physical addresses) but also personal data collected by online tracking tools.

California residents will now have the right to know if a company is selling their data. They’ll have the right and ability to opt out of the sale of their data. And, they’ll have the right to gain access to the personal information that’s being collected. Additionally, they have a right to sue – both individually and via class-action lawsuit – if there is a data breach where personal data is compromised.

Who does CCPA affect?

All companies serving California residents with annual gross revenue exceeding $25 million must be CCPA compliant. Additionally, companies that store personal data pertaining to at least 50,000 people – or that collect more than half of their revenues from the sale of personal data – also fall under this law. A company does not need a physical location in the state of California, or even the United States, to be affected by the law.

Many companies that can’t distinguish California residents from their customer data (i.e., those who’ve only collected email addresses) might consider implementing CCPA compliance.

While widespread enforcement might not start for a few months, we advise clients and businesses to begin preparing now. Here are some tactics we suggest:

  • Update privacy policies to reflect the CCPA regulations via outside legal counsel. This new privacy policy may include:
    • List of the types of data being collected (e.g., form submissions, analysis, tracking pixels, etc.), how it is collected, and where it is stored.
    • Detail whether or not the data is being sold to third-party companies.
    • Language that states the consumer has the right to access their data, with a noted process and contact information for how to retrieve this information.
    • Language that states the consumer can ask to have their personal data deleted and to provide a method for doing so.
  • Spend time analyzing internal data flow and process.
  • Add prominent links/footer links that allow customers to request to opt-out of data sharing.
  • Assign an internal process for all of this (i.e., having an internal point person for managing customer requests, etc.).

While the California Consumer Privacy Act might not immediately apply to your business, it is a sign of upcoming sweeping privacy legislation. It would be wise for all businesses to revisit their individual privacy policies and have a better understanding of what customer data is stored.

Note: The editorial above is not meant to serve as legal advice. Please consult your counsel for further information.