On January 1, 2020, California will become the first state to implement comprehensive legislation relating to data privacy for consumers. Reminiscent of the European Union’s General Data Privacy Regulation, the California Consumer Privacy Act of 2018 gives California residents greater control over how businesses use their personal information.
As the California legislature pointed out, “It is almost impossible to apply for a job, raise a child, drive a car, or make an appointment without sharing personal information.” In turn, it might be almost impossible not to be subject to CCPA requirements. Entities covered by the CCPA have four months to finalize (or create) procedures for informing consumers about what information they’ve collected, how they use it, and how it can be deleted.
The first step in any compliance program is, of course, determining whether you must comply at all. Given the CCPA’s broad scope, many businesses would do well to err on the side of caution and assume they are covered.
A “covered” business under the CCPA does business in California, collects or determines processing procedures for the personal information of California residents, and meets one of the following:
The Act characterizes personal information as anything that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” So, virtually any identifying information might apply, such as names, mailing addresses, email addresses, Social Security numbers, credit card numbers, and more. The CCPA also provides a non-exhaustive list of examples covering everything from biometric data to race to browsing history.
The regulation’s definition of “consumer” is also quite broad, meaning it could cover job applicants, business-to-business partners, and employees in addition to a business’s customers.
First, determining how the business gathers and uses consumer information will steer GCs and other executives in the best direction for complying with the CCPA. This practice is often called data mapping or data inventory.
Next, a business operating in multiple states will have to decide whether to adopt a CCPA-compliant policy across the board, or only for its California operations. Those following CCPA requirements must update any consumer-facing privacy notices to alert customers of their new privacy rights.
Finally, and perhaps most importantly, businesses expecting to receive requests for disclosure, opt-out, or deletion should create a structure to handle such requests. Training employees on exceptions to CCPA rules and other obligations will be crucial.
The CCPA provides no clear-cut guidance on complying with the new regulation; instead, businesses should approach these new obligations according to existing compliance structures and risk aversion. The DOJ’s guidance on corporate compliance acts as a good jumping-off point for many. Remaining flexible will help ease the transition, especially as proposed amendments to the CCPA adjust its scope.