
California Consumer Privacy Act: Steps You Can Take Now to be Prepared

March 2019

Privacy in Focus®

The California Consumer Privacy Act (CCPA) takes effect January 1, 2020 (although AG enforcement will be delayed until July 1, 2020, or until six months after the implementing regulations are published – whichever comes first). While the law is still subject to change – the state legislature is considering various amendments to the current law and the Attorney General is just wrapping up the preliminary stages of the rulemaking process to develop implementing regulations – your business can and should start compliance efforts now.

The CCPA applies to a for-profit business that collects a California resident’s personal information, does business in California, and meets at least one of the following criteria: (1) has annual gross revenues in excess of $25 million; (2) receives or discloses the personal information of 50,000 or more consumers, households or devices per year; or (3) derives 50% or more of its annual revenues from selling the personal information of California residents. There are limited exceptions to the scope of the law, including for information that is governed by HIPAA or the Gramm-Leach-Bliley Act.

At first glance, you may think your company does not “collect” “personal information” or “sell” that information, but dig a little deeper, because these definitions are broad.

  • Collecting personal information includes: “buying, renting, gathering, obtaining, receiving, or accessing any personal information.”
  • Personal Information is even more broadly defined to include traditional information such as name and address, as well as audio, electronic, visual, thermal, and olfactory information; commercial records (personal property, products, services purchased); biometric information; unique personal identifiers (IP addresses, cookies, beacons, etc.); internet information, such as browsing history and search history; geolocation information; professional or work information; and inferences drawn from any of that information to create a profile of the consumer. Basically, if you can directly or indirectly connect it to a natural person who is a California resident, it is likely personal information.
  • Finally, you may not think that you sell personal information, but the CCPA defines “sell” to include renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating (orally, in writing, electronically, or by other means) a consumer’s personal information for monetary or other valuable consideration.

If you still don’t think the CCPA applies to you, then you have made a lucky escape; for everyone else, keep reading.

The CCPA requires that you clearly communicate with consumers about what personal information you are gathering, what you are doing with it, who you are sharing it with, and that they have certain rights to their data. This information can all be communicated in your business’s privacy policy. Be sure to update your policy every 12 months – that’s also a CCPA requirement. The CCPA gives consumers certain rights to their personal information – including, among other things, the right to know what personal information you have collected about them during the past 12 months (the right to access) and the right to request that you delete it. If you are selling their data (remember the broad definition), then they also have the right to “opt-out” of that sale. Or, if they are a minor, you must have their guardian “opt-in” to the sale.

The CCPA is still subject to change, and the California legislature is currently considering multiple proposed amendments. Additionally, the state Attorney General is charged with drafting implementing regulations. The Attorney General just received comments following the preliminary stages of the rulemaking and expects to issue draft regulations by this fall, with final regulations on schedule for early next year (perhaps).

Even with this uncertainty as to the final law and how it will be implemented, there are important steps your company can take now to prepare for the CCPA.

  • Know your data. Take this opportunity to audit your data and create a data map. What data are you collecting, what purpose are you collecting it for, who are you sharing it with?
  • Review your privacy policy. Does it accurately reflect what data you are collecting and what you are doing with that data? Does it clearly communicate who you are sharing the data with and for what purpose?
  • Don’t leave your service providers and vendors out of the review process. Review your agreements with any third party. Make sure you understand how data is flowing between you and your vendors, and that your agreement reflects what data is being shared and for what purpose.
  • Start investigating how you can comply with the obligations to track and honor the various consumer rights. Could you quickly and accurately respond to an opt-out request or a request for deletion? What systems do you need in place to be able to do this?

While it is tempting to put off thinking about the CCPA until there is more clarity, no company that will be subject to its requirements has that luxury. It is important to start preparing now.

© 2019 Wiley Rein LLP