The nation’s first and most comprehensive Consumer Privacy regulations will soon take effect in California, the world’s 5th largest economy. If your company conducts business in California or even so much as interacts with the private data of a California resident, YOU WILL BE IMPACTED!
Are you ready to comply?
Marashlian & Donahue, PLLC’s attorneys have identified the Top 10 operational impacts of the CCPA in the piece below. We ask our clients to review the list and determine whether their business is, in fact, prepared to comply at an operational level. Clients having questions or concerns regarding the applicability of the CCPA to their specific business, or seeking guidance on the implementation of compliance measures, should contact Linda G. McReynolds, Esq., firstname.lastname@example.org or (703) 714-1318. Ms. McReynolds is a Certified Information Privacy Professional (CIPP/US), leads the firm’s Information Privacy, Data Security and Consumer Protection practice, and is available to help clients prepare for CCPA compliance.
Top 10 Operational Impacts of the California Consumer Privacy Act
The California Consumer Privacy Act (CCPA) will transform the way businesses collect, use, store, disclose, and otherwise handle customer personal information. The CCPA could affect your business if your business, any of its subsidiaries, or its parent company collects or receives personal information from California residents, even if your business is located outside California and does not specifically target California customers. https://www.ocregister.com/2019/09/03/california-consumer-privacy-act-will-impact-businesses-that-collect-and-receive-personal-data/. The CCPA takes effect on January 1, 2020, and covered businesses must comply by July 1 of the same year. Noncompliance may result in steep fines, which can add up quickly. The full text of the CCPA is available here.
In addition, the California Attorney General has recently released draft rules clarifying specific obligations of covered businesses. The Attorney General will accept public comments on the proposed rules until December 6, 2019, coinciding with the conclusion of several public hearings on the rulemakings. The proposed rules can be found here.
Here are the top 10 things you need to know/do to prepare for the transition:
- The CCPA Extends Beyond California
The CCPA will reach businesses throughout the United States and abroad. Subject to a number of exceptions, the CCPA will apply to a business if that business, its parent, or any of its subsidiaries collects or receives personal information from California residents, either directly or indirectly, and meets one or more of the following three criteria:
- has annual gross revenue exceeding $25 million;
- annually receives, buys, sells, or shares, directly or indirectly, the personal information of 50,000 or more California residents, households or devices; or
- half or more of its annual revenue comes from the sale of personal information about California consumers.
Because of California’s large population, coupled with an increasingly interstate and global economy, the CCPA will have a sweeping impact on California and non-California businesses alike. https://www.forbes.com/sites/allbusiness/2019/09/07/california-consumer-privacy-act-could-affect-your-business/#5fa62db936ac. This includes not only businesses that operate primarily in other U.S. states, but also foreign companies that have access to the personal information of California consumers. Marashlian & Donahue has experienced attorneys who can help you determine whether your business is covered.
- Penalties for Noncompliance
Failure to comply with the CCPA could be very costly for your business. The CCPA allows fines of up to $2,500 per violation or $7,500 per intentional violation, and it sets no cap on the total amount of fines that can accrue as a result of noncompliance. https://www.ocregister.com/2019/09/03/california-consumer-privacy-act-will-impact-businesses-that-collect-and-receive-personal-data/. Thus, for example, an inadvertent violation impacting California consumers could trigger a $25 million penalty, while an intentional violation impacting the same number of California consumers could cost your business as much as $75 million. Therefore, it is crucial that covered entities understand and fulfill their CCPA responsibilities.
- Update Privacy Notices and Policies
- Update Data Inventories, Business Processes, and Data Strategies
Covered businesses will need to maintain a database to track their data processing activities, including the business processes, third parties, products, devices, and applications that process consumer personal data. This database must be able to track all consumer rights requests, such as a verified request for information, and it must be kept up to date. https://www.dickinson-wright.com/news-alerts/californias-data-privacy-law.
- Implement Protocols to Enforce Consumer Rights
Covered businesses will need to adopt internal procedures to ensure that California consumers can exercise all rights guaranteed by the CCPA, including:
- right to notice;
- right of access/right to request;
- right to know;
- right to delete;
- right to opt out;
- right to notification of financial incentive; and
- right to non-discrimination for exercising their CCPA rights.
We are happy to explain these rights and advise on their likely practical implications for your business upon request.
- Make Security Updates
The CCPA requires covered businesses to protect personal information with “reasonable” security. “In practice, this standard has led companies to take a risk-based approach toward addressing threats to the confidentiality, integrity, and availability of personal data. They assess the threats to data, rank the risks of the detected vulnerabilities, and address the high-risk gaps first.” https://www.dickinson-wright.com/news-alerts/californias-data-privacy-law.
- Update Third-Party Processor Agreements
Businesses that hire other companies to process their data will need to update their third-party contracts to comply with the CCPA, including “inserting standard-contractual clause language; requiring vendor data inventories; using due diligence questionnaires; providing records of processing; requiring the syncing of consumer response processes; requiring onsite assessment and auditing; and requiring mapping of the specific data elements shared with each third party, including designating those transfers that qualify as ‘selling’”. https://www.dickinson-wright.com/news-alerts/californias-data-privacy-law. Our attorneys have extensive experience preparing and reviewing such agreements and are happy to help.
- Train Employees on CCPA Requirements
The CCPA requires that employees handling consumer inquiries be informed of all of its requirements. https://www.dickinson-wright.com/news-alerts/californias-data-privacy-law. According to data privacy consultant Jay Cline, “Businesses preparing for large volumes of requests will be most impacted, as they will now have to train their workforce on CCPA requirements.” https://www.linkedin.com/pulse/seven-new-proposed-ccpa-regulations-biggest-impact-jay-cline. However, because the legal consequences of noncompliance are so severe, we recommend supplemental training in addition to the mandatory training. Our attorneys are happy to prepare personalized training materials tailored to your business’s unique needs and to otherwise assist with CCPA training.
- Deletion of Personal Information
The CCPA grants consumers the right to request the deletion of their personal information. While businesses must generally honor such requests upon receipt of a verified request, they need not do so under certain circumstances, such as when they need the personal information to provide a good or service requested by the consumer, or when they must retain it to comply with other laws. Moreover, the proposed rules clarify that if a business cannot verify the identity of the requester seeking deletion of personal information, the business may deny the request and must instead treat the deletion request as a request to opt out of the sale of personal information. § 999.313(d)(1). Marashlian & Donahue can help your business navigate the various exceptions to the personal information deletion requirement, preventing accidental “overcompliance” or inadvertent violation of other laws as a result of wrongfully honoring a deletion request.
- Coexistence with Other Privacy Laws
The CCPA’s relationship with other privacy laws is complex. For example, the CCPA does not apply to information that is already covered by federal privacy laws, such as the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, or the Driver’s Privacy Protection Act. However, even if your business handles personal information covered by these or other privacy laws that preempt the CCPA, the CCPA may still apply to your company to the extent it collects and processes other consumer data. Therefore, consulting an experienced attorney is crucial to compliance with the correct law(s).
While CCPA obligations are not expected to change significantly, the California legislature has recently passed six amendments that will introduce minor modifications. These amendments include the exclusion of employee information and certain business-to-business communications and transactions for one year, the elimination of a toll-free number as one of the two methods for consumers to submit requests for businesses that operate exclusively online, and giving the California attorney general additional rulemaking authority concerning verifiable consumer requests. https://www.natlawreview.com/article/california-ccpa-amendment-update-here-s-what-passed. California Governor Gavin Newsom signed the amendments into law on Friday, October 11, 2019. https://www.adlawaccess.com/2019/10/articles/ccpa-update-california-governor-signs-six-amendments-to-the-ccpa/.
As summarized above, the CCPA’s requirements are sweeping and complex, reaching businesses well beyond California’s borders. As California legislators and the state’s Department of Justice are now focusing closely on strengthening consumer control over personal information, it is critical that covered businesses be aware of, and comply with, their new obligations. As discussed above, violators will be subject to steep fines and other sanctions.
Marashlian & Donahue, PLLC has experienced attorneys who can answer any questions you may have regarding these changes and help guide you through the labyrinth of these new, highly technical requirements. For further information, please contact Linda G. McReynolds, Esq., email@example.com or (703) 714-1318.