Implementing the California Consumer Privacy Act:
Changes for Your Business
Last Spring, we brought you an overview of the California Consumer Privacy Act of 2018 (CCPA), which law goes into effect January 1, 2020. Because of the broad, sweeping changes required by the law, and with many retail businesses struggling with compliance issues, we wanted to highlight how this law might affect your business and what areas you should focus on first and foremost.
The time to prepare your business is now, as many of the CCPA requirements will demand companies’ attention far before the law goes into effect.
Your CCPA To-Do List:
Notable requirements imposed by the current law require businesses to:
- Update their privacy notices to inform consumers about their new rights and to provide
information about the collection, use, and disclosure of their personal information. - Have processes in place to respond to consumer access and deletion requests.
- Businesses are advised to begin tracking their data (i.e., “data mapping”) as soon as
possible as consumer requests are subject to a 12-month look-back. - Give consumers the ability to “opt-out” of selling their personal information to third
parties. A clear and conspicuous “Do Not Sell My Personal Information” link should be
provided on the business’ homepage. - With respect to consumers between the ages of 13 and 16, businesses will need to
provide an “opt-in,” and for those under 13, such “opt-in” consent must be provided by
a parent or guardian. It’s important to note that the definition of “selling” is extremely
broad and includes any sharing or disclosure for valuable consideration.
It is important to note that currently, the application of the CCPA to employee data is an open question. The fact that CCPA’s definition of “consumer” — a natural person who is a California resident — is not qualified by language requiring such persons to have purchased goods or services, coupled with the fact that “professional and employment-related information” is an example of “personal information,” suggests that the CCPA intends to extend to the collection and use of personal information from employees. Forthcoming amendments and guidance may clarify this further, but for now, employers should be prepared to comply.
Also, watch for various amendments to the law. Presently, lawmakers are contemplating
the comments that have been filed to amend certain components of the CCPA. Due to its hasty
passage, a number of technical corrections bills were expected to clean up errors and
ambiguities in the CCPA.
SB 1121: Passed on August 31, 2018, this amendment made a few significant changes. Notably, it pushes the date by which the Attorney General must publish the implementing regulations meant to further the purpose and clarify the law to July 2, 2020. The Attorney General is precluded from bringing a CCPA enforcement action until six months after the publication of the final implementing regulations or July 1, 2020, whichever is sooner. Additionally, this amendment does away with the requirement for consumers who pursue a private right of action to notify the Attorney General within 30 days of filing such action. Finally, it clarifies carve outs for personal information collected by institutions covered by federal and state financial and health information privacy laws.
SB 561: Introduced by the Attorney General and Senator Hannah-Beth Jackson, this amendment is currently under committee review. If passed, SB 561 would make the CCPA even more consumer-friendly, by expanding the private right of action to any violation of the CCPA, rather than only in the event a consumer’s nonencrypted or nonredacted personal information is subject to breach because the business did not meet its duty to implement reasonable security safeguards. The proposed amendment also eliminates the right to cure an alleged violation within 30 days of being notified of noncompliance.
In the meantime, the Attorney General’s Office concluded a six-part series of public forums
that were part of its preliminary rulemaking activities. The office is currently considering the public comments it has received from interested parties such as attorneys, businesses, and activists.
Contact the attorneys at Khashayar Law Group and LOKK Legal for more information.