CCPA Cheat Sheet

White and Williams LLP

Effective on January 1, 2020, the California Consumer Privacy Act (CCPA) represents a fundamental change in privacy law in California and the United States because of the Act’s nationwide reach. With limited exceptions, any for-profit company doing business with California residents and collecting personal data, including incidental website traffic via cookies, may be required to comply with the Act’s strict data privacy rights, including the right to know what personal information the business holds and with whom it is shared, the right to prohibit its sale, and the right to demand its deletion from the business’s records (i.e., the right to be forgotten). On October 10, 2019, the California Office of Attorney General introduced draft regulations under the Act.

CCPA requires changes in the manner by which companies collect, maintain, and share information. The Act also requires changes in company websites and vendor agreements, and it creates a private cause of action for those consumers whose information is compromised by a data breach. Companies need to have the correct policies and controls in place, including mandated employee training, to comply with these new requirements.

Provided below is a cheat sheet of CCPA requirements. Compliance counsel can help companies implement these requirements in an efficient and cost-effective manner by focusing on a company’s activities and operationalizing CCPA controls into the data environment.

I. What is CCPA?

CCPA creates new consumer rights relating to personal information of California residents collected by a business. CCPA is similar to GDPR, but has significant differences. Importantly, the California Attorney General has stated that GDPR compliance is not CCPA compliance.

II. What Businesses are Regulated by CCPA?

CCPA applies to all for-profit businesses doing business in California that collect consumer personal data. A consumer is any resident of California. “Personal information” is defined in part as “information that identifies, relates to … or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Employment-related data is exempted from the definition of “personal information” for one year.

Exceptions to CCPA are not-for-profit organizations, and for-profit organizations which:

  • Have annual gross revenue less than $25 million;
  • Possess personal information of fewer than 50,000 consumers, households, or devices; and
  • Earn less than half of their annual revenue from selling consumers’ personal information.

III. What Rights Does the CCPA Afford?

CCPA affords California residents the rights to request from businesses:

  • What personal information the business has collected about them;
  • Whether their personal information is being sold or disclosed for a business purpose to others;
  • To prohibit the sale of their personal information;
  • To delete their personal information; and
  • To not be discriminated against for exercising their CCPA rights.

CCPA also creates a limited private right of action for any consumer whose “non-encrypted or non-redacted” personal information is compromised in a data breach.

IV. How Does CCPA Affect My Business?

A company’s online Privacy Policy has always been important. However, off-the-shelf Privacy Policies do not work for CCPA compliance. The Privacy Policy must include significant details about the internal workings of your company (see below). You also need to have the appropriate policies and procedures, including technical changes, to back up what you state in the Privacy Policy.

V. What Can I Do to Prepare for CCPA?

  • Make your key departments aware. CCPA becomes effective January 1, 2020. Don’t wait until the last minute to make required adjustments;
  • Bring in outside counsel who focus on operations, costs, and efficiencies that support CCPA compliance. Outside counsel should work with your company’s IT, IS, General Counsel, Chief Privacy Officer, and the marketing/business development department;
  • Review your business’s intake of information to determine (1) what information is governed by CCPA, and (2) what policies and processes are needed to enable your company to comply with a CCPA consumer request;
  • Implement required methods to allow consumers to submit CCPA requests, and train appropriate personnel to respond to such requests – your company will have 45 days to respond to consumer inquiries;
  • Review vendor contracts and forward necessary addenda to ensure that (1) they qualify as service providers to fall outside disclosure requirements, and (2) they have policies and procedures in place to respond to CCPA requests;
  • Amend your company’s website and online Privacy Policy, including:
    • The homepage must have “a clear and conspicuous link” titled “Do Not Sell My Personal Information”;
    • The Privacy Policy also must have the “Do Not Sell My Personal Information” link;
    • The Privacy Policy must describe a consumer’s rights under the CCPA, and multiple methods for submitting verifiable consumer requests, including a toll-free telephone number and a link;
    • The Privacy Policy must disclose categories of personal information collected and shared;
  • Train, train, train your company personnel.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© White and Williams LLP | Attorney Advertising
