DOES IT APPLY TO YOU? Do you do business in California, or otherwise collect personal information from California residents? (Hint: if you operate a website, this likely applies to you.) Note that the CCPA does not apply to non-profits.
It has been a year since California passed the most comprehensive data privacy laws in the U.S., and those laws go into effect in January of 2020. Is your business ready for this? Many have been waiting for amendments to pass, but as this hasn’t happened yet (and may not for many months), the time has come to make sure your business is in compliance.
Even if it applies to you, the CCPA has some important exceptions, designed to keep small businesses exempt from what can be pretty significant compliance requirements. CCPA only applies to businesses that fall into one of these three categories:
1. Buys, sells or shares personal information of 50,000 consumers [or devices]; or
2. Has gross revenue in excess of $25 million; or
3. Derives 50% of its annual revenue from sharing personal information
Under the law a California “consumer” has the right to: (1) request access and details about the personal information that has been collected about him or her over the last year; (2) request that this data be deleted; (3) tell the business that it can’t sell the personal information; and (4) be free from adverse action for exercising these rights. There are exceptions that apply.
At present the term “consumer” means resident. This of course means that the rules would apply to every person living in California regardless of WHY the data was being kept. One of the biggest issues then is how this impacts employers, who are generally obligated (by law or good business practices) to maintain data about employees. Although an exception to the law carving out employment data was passed by the California Assembly, it has to be approved by the California Senate and signed into law by the governor before it will take effect. So, for now, employment data is covered by this law.
Your first step may be knowing what information your company collects, and how that information is used and disclosed. This may be a complicated question and a burdensome task, but it is the key to knowing what steps you need to take to be compliant. In fact, it may be that your company will need to dedicate specific staff to CCPA compliance.
Let’s say you do have personal information on California residents in your system. In determining how to comply with the CCPA, you will have to determine if you are selling the data. In some states (like Nevada) money needs to be exchanged before a sale will be deemed to have occurred. The CCPA has a very broad definition of sale, though – no actual money needs to change hands, although there must be some value given for the data. If you are selling data, you need to provide notice and the opportunity for the consumer to opt out.
When do you have to delete data? And what if another law requires that you maintain it (employment law for instance)? There are several notable exceptions to the requirement that you delete data if directed by the California consumer. If the information is needed to comply with a legal obligation (such as a statute that requires documentation to be kept) then the business is not required to delete the data even if the consumer requests that this be done.
The CCPA also requires businesses to review their privacy policies to include specific content, to make sure that service providers are under contracts (with specific terms), and to train their personnel. Your online privacy policies will need to be updated, as will your data response plan.
The above is a very general summary; do not rely on it in deciding whether and how to comply with the CCPA.