California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act, known as the CCPA, is a complex law that requires businesses to reconsider and adjust how they manage personal data. The first comprehensive privacy law enacted in the U.S., the CCPA has helped set the stage for other states to follow suit in shaping their own privacy legislation. The CCPA also includes accompanying regulations issued by the California Privacy Protection Agency (CPPA), the agency that also enforces the CCPA.
What is the California Consumer Privacy Act?
The California Consumer Privacy Act (CCPA) sets forth a wide range of privacy rights for California residents, thereby placing significant data protection obligations on covered entities that do business with residents of the state. Considered one of the strictest data privacy laws in the United States, under the CCPA, businesses are tasked with:
- Data security safeguards. Establishing and maintaining proper security procedures, policies, and practices to protect consumer data from unauthorized access or use;
- Consumer privacy request mechanism. Creating a process for consumers to make privacy requests, including the deletion of consumer data and access to consumer data covering the prior 12-month period;
- Data processing agreements. Requiring businesses to enter into data processing contracts with service providers who process consumer data on behalf of the business and with third parties to whom the business sells, shares, or otherwise discloses consumer data;
- Consumer notices. Providing consumers with an easily accessible point of collection notice disclosing certain information related to consumer data collection, notice of sale or sharing of personal information, and, if applicable, a loyalty program notice; and
- Anti-discrimination. Preventing discrimination against consumers for exercising their privacy rights under the CCPA.
Whether intended or not, violations of the CCPA can bring steep consequences. In addition to penalties enforced by the CPPA and the attorney general, consumers are granted a limited private right of action for personal information security breaches and can therefore take legal action themselves. Businesses should maintain a procedure for handling notifications of consumer lawsuits under the CCPA, as there is just a 30-day cure window to address potential security breach violations.
An experienced attorney can provide further insight into which companies are subject to CCPA compliance regulations, and how these regulations can impact your business activities in the state of California.
Who has to Comply With CCPA?
The CCPA applies to any for-profit entity that engages in business in California, collects or stores information on residents of the state, is involved in the processing of personal data, and meets any of the following criteria:
- Has an annual gross revenue that exceeds $25 million;
- Annually buys, shares, or sells the personal information of over 100,000 consumers, households, or devices; or
- Generates 50% or more of its gross annual revenues from the sale or sharing of consumer data.
Achieving Compliance
All companies that collect data on California residents should be aware of the compliance regulations surrounding the CCPA. Protected data includes any personal information that identifies, describes, or could reasonably be linked to a particular consumer or household.
Given this broad definition of protected data, it is important for businesses to review and revise compliance procedures to ensure that they remain in good legal standing with CCPA requirements. We have worked alongside a multitude of businesses, ranging from startups to Fortune 100 enterprises, to help carry out compliance objectives. Some of the services we have provided to our clients include:
- Reviewing and updating private policy statements and notices
- Maintaining a comprehensive and secure data inventory
- Implementing data rights processes and protocols
- Assessing risk and fortifying cybersecurity systems
- Ensuring third-party due diligence
- Conducting ongoing internal data privacy training
CCPA compliance does not need to be a time-consuming or stressful effort within your company. We can help you adapt an existing program – or build a new one –to help achieve full compliance now and into the future.
Questions about the California Consumer Privacy Act or other data privacy laws? We can help. Let’s chat.