The window for getting up to speed on California Consumer Privacy Act requirements is rapidly closing. The state Attorney General’s final version of the regulations goes into effect on July 1. This article provides a practical checklist for your company to evaluate now.
By way of background, the CCPA has and will alter data use and protection for nearly all California consumers and businesses. For the latter, the law touches almost any personal data a company may have, whether provided by users (think online fillable forms for any purpose), or otherwise collected by tracking tools and related technology.
CCPA issues have likely been top of mind for businesses since the law went into effect January 1, 2020. This is because it casts a wide net, applying even to companies that are not obviously consumer-facing. Indeed, the statutory definition of “consumer” is extremely broad, as is the definition of “personal information.” They are wide enough, for example, to include employment-related information.
When considering how many companies are affected, the CCPA has huge implications—at least for those doing business in California (which could mean any business that collects data of California residents) that have: (1) $25M in annual revenue or (2) data on 50,000 consumers or devices annually. Non-compliance carries significant fines: up to $2,500 per violation, or $7,500 if the violation is found to be “willful.”
The following are some steps to help your business prepare:
Notices are critical under the CCPA, and the regulations dictate certain disclosures. Any policy must include information on how, what, and why you collect personal data. At minimum it should outline:
- What kind of information you collect and process (identifiers, geolocation, browsing activity, etc.);
- Why you collect and process information;
- How you collect and process information;
- The methods to request access, change, move, or delete consumers’ personal data;
- The method for verifying the identity of the person who submits a request; and
- Sales of users’ personal data and how they can opt out of the company selling their data.
The notice has to appear before you collect any personal information. Practically speaking, this means on a landing page of your website or on the landing page of a job application portal. It might also mean distributing notices during employee onboarding or with offer letters, as well as in employee handbooks (although it is unclear whether this will satisfy the “at or before collection” requirement). Put your company’s notice(s) front and center.
2. Review your data security measures. Under the CCPA, your business has an affirmative obligation to establish “reasonable security procedures and practices.” What that means is not clear—the statute does not define the procedures. In 2016, the Attorney General put out a report with 20 suggested control measures. These are a good place to start. Remember, businesses should review security with an eye not only on consumer data, but also on employment-related data—payroll, benefits, recruiting, direct deposit, background checks, etc. This also means evaluating what their third-party service providers are doing to protect personal information of employees, applicants, contractors, etc.
3. Make it easy for consumers to opt out of the sale of personal information. The key word here is “easy,” especially because the ability to opt out is arguably the most important—and most hotly debated—CCPA right. Businesses must establish an obvious method for requesting this. A common practice is including a “Do Not Sell My Personal Data” link on a website homepage. This might link to a pop-up or send the user to another landing page. Importantly, there has been much discussion of opt-out buttons, including size and appearance, in older versions of the regulations (you may have seen many of these ill-fated toggle buttons). Keep in mind that the Attorney General ultimately has rejected the use of toggles. Review the Attorney General’s final regulations carefully to ensure you’re not using outdated and insufficient methods.
You should also make sure people can contact you easily about their personal information—whether to request changes or to delete it. You have a duty to provide a means for submitting these requests. Consider an email address, toll-free number, mailing address, and online contact form. Note that you have to verify consumer requests by validating identities.
4. Don’t Forget Other California Privacy Laws. The CCPA is not the only law regulating consumer privacy in California, so don’t let it overshadow your other compliance efforts. In fact, the CCPA is meant to augment, not replace, privacy protections already on the books. The California Online Privacy Protection Act and the Privacy Rights for California Minors in the Digital World Act, as well as other personal data protection laws, still exist. The CCPA does not change your company’s duties under the provisions of those laws. Review these obligations and consult with an attorney if necessary.
5. Keep an Eye Out for CCPA 2.0 in November. The November 2020 ballot will include the currently titled California Privacy Rights Act (CPRA), commonly referred to as version “2.0.” It seeks to amend the CCPA and create new and additional privacy rights and obligations, including a new category of sensitive personal information and the right to correct inaccurate personal data held by a business. If passed, it will clarify the meaning of “data breach,” the subject of much confusion regarding what type of private civil suits consumers can bring. Whether it will pass is unclear, but if it does, companies will surely have to augment whatever privacy programs they have already built. Given the number of changes in the first round of CCPA regulations, expect that your company will have to quickly adapt and adjust to shifts in data protection and privacy measures.
The CCPA likely already has affected your businesses’ compliance efforts. It will continue to impact the way you do business as the law evolves and shapes this legal landscape over the next several years. Payne & Fears will continue to monitor this situation and provide more resources and alerts in the coming months on targeted issues.