The California Consumer Privacy Act of 2018 (“CCPA”) is arguably the most comprehensive - and complex - data privacy regulation in the United States. The CCPA was designed to emulate the European General Data Protection Regulation (“GDPR”) in many respects. As a result, United States companies that thought that they were not subject to the GDPR are now laser focused on the requirements of the CCPA and rushing to verify that their practices comply with the statute. While the CCPA was drafted with an eye toward the GDPR, it also differs from that regulation in many respects. As a result, companies that just finished their push to come into compliance with the GDPR now also must redirect their attention toward the CCPA.
To help address the confusion caused by the CCPA, Bryan Cave Leighton Paisner is publishing this multi-part Practical Guide to the California Consumer Privacy Act.
Quick Overview
The right to opt out refers to a person's ability to direct a company that sells personal information to third parties not to sell the personal information that the company holds about them.
Comparison to Other Privacy Laws
The CCPA is not the first law to confer upon individuals a right to opt out from an organization’s use or disclosure of their information. Other federal laws, including the Gramm-Leach-Bliley Act (“GLBA”) and the Controlling the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM Act”), contain certain opt-out requirements. Similarly, the GDPR confers a limited right to object to processing of personal data in certain circumstances. Notably, however, none of these privacy laws specifically addresses selling personal information.
To Do List
To comply with the CCPA, companies should:
- Review existing privacy notices and verify that they meet the new requirements of the CCPA.
- Ensure websites include a “Do Not Sell My Personal Information” link.
- If no methods exist, establish appropriate methods for submitting opt-out requests to your organization that comply with the CCPA.
- Draft an appropriate policy for the authentication of individuals that make opt-out requests.
- Draft a “play book” that provides standard communications that can be sent to individuals that make opt-out requests.
- Train employees on how to handle opt-out requests.
- Verify that the policies in place facilitate the fulfillment of opt-out requests for the period of time required by the CCPA.
Cross References
| CCPA Provisions | GDPR Provisions |
| --- | --- |
| Cal. Civil Code 1798.120 | Recital 69; Recital 70; Article 21 |