California Consumer Privacy Act: A Priority for 2019

Locke Lord LLP

As reported in our last newsletter, California has enacted a game-changer in the U.S. privacy regime. Concepts imported from ‎the EU General Data Protection Regulation, such as the right to be forgotten, will be introduced to American shores for the ‎first time. Businesses that are subject to the California Consumer Privacy Act (California Code, Cal. Civ. Code tit. 1.81.5, the ‎‎“CaCPA”) need to plan now for the upcoming requirements. Even though additional amendments are expected in the com‎ing months, the basic concepts are not expected to change, and their requirements will impose significant obligations that ‎will require planning and preparation long in advance of the effective date of January 1, 2020, and the enforcement date by ‎July 1, 2020 (the law provides for an enforcement date of the earlier of July 1, 2020 or six months after the date that the Cali‎fornia Attorney General issues the final regulations). ‎

Rights and Obligations under the CaCPA

  • Notice of Rights Under the CaCPA. California Code, Cal. Civ. Code § 1798.100 requires businesses to provide consumers with a ‎notice of their rights under the CaCPA. These notices must be prepared in advance and provided to consumers at or prior ‎to the time when personal information is collected, on and after the effective date of January 1, 2020.‎
  • Disclosure Requirements. The CaCPA requires businesses to disclose a variety of information to consumers. California Code, ‎Cal. Civ. Code § 1798.100. When or before personal information is collected, the business must disclose to the consumer ‎the categories of personal information to be collected and the purposes for which the categories of personal information ‎will be used. In addition, upon request (up to twice in any 12-month period), businesses must disclose the categories and ‎specific pieces of personal information the business has collected from the consumer. These disclosure obligations re‎quire businesses to understand fully their data collection and use practices, map and control the sharing and transmission ‎of data, and craft appropriate disclosures in advance of the effective date. ‎
  • Right to be Forgotten. The CaCPA provides consumers with the right to demand that a business delete all personal infor‎mation collected by the business from the consumer – commonly referred to as the right to be forgotten. California Code, ‎Cal. Civ. Code § 1798.105. To respond to these demands, businesses will need to map their consumer data to be able to ‎identify all places within the organization where the data resides, including all of the business’s systems, paper files, and ‎third party vendor relationships. Compliance with this requirement will mean that the business can find and delete the in‎formation, and document and confirm its satisfaction of the demand. ‎
  • Opt-Out Right for Sales of Personal Information. If a business sells personal information, each consumer must be afforded the ‎right to direct the business not to sell the consumer’s personal information. California Code, Cal. Civ. Code § 1798.120. No‎tice of this opt-out right must be provided to consumers in accordance with prescribed requirements. California Code, Cal. ‎Civ. Code § 1798.135.‎

Planning for Compliance

In order to be in compliance with the requirements of the CaCPA, businesses will need to take the following actions, begin‎ning early in 2019:‎

  • Project Plan and Timeline. Right after the New Year, assemble a team responsible for CaCPA compliance. The team should ‎develop a timeline leading up to full compliance on January 1, 2020. The required activities, policies and procedures need ‎to be identified and planned for development, drafting and implementation. ‎
  • Data Mapping. Unlike other data mapping projects undertaken by many U.S. businesses, compliance with the CaCPA will re‎quire a deeper understanding of a broader set of data. Beyond prior definitions of personal information and nonpublic ‎information, the definition of personal information under the CaCPA requires business to understand all information iden‎tifiable to an individual, regardless of format (including paper), whether or not publicly available, including even simple ‎contact information. Therefore, new systems, operations, and third party relationships will need to be mapped to deter‎mine what information is collected, how and from whom it is collected, where it resides and how it is used, with whom it is ‎shared, and how it can be deleted. ‎
  • Processes for Responding to Consumer Requests and Demands. Each business must establish processes to receive, track, and ‎respond to consumer requests and demands to comply with the requirements of the CaCPA. California Code, Cal. Civ. ‎Code § 1798.130. For example, the CaCPA permits each consumer to request his or her information up to twice in any ‎‎12-month period. Businesses should decide how they will respond to additional requests that may be received within the ‎period, and plan their response accordingly. Protocols must also be established for third party service providers, in order ‎to identify those related to any particular request or demand, require their compliance with the various provisions of the ‎CaCPA (such as to delete particular consumer information), and control their further use or dissemination of the infor‎mation. ‎

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Locke Lord LLP | Attorney Advertising

Written by:

Locke Lord LLP

Locke Lord LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.