Practical GuidanceFree Trial
Learn More AboutPractical Guidance
By: Andrew L. Rossow, Esq.
WITH THE CALIFORNIA CONSUMER PRIVACY ACT (CCPA) now in effect, is your firm and/or business ready for the new compliance requirements? The CCPA is codified under Cal. Civ. Code § 1798.100.
On May 25, 2018, the European Union’s (EU) General Data Protection Regulation (GDPR) took effect, replacing the previous EU Directive. Under the GDPR, any individual in the EU who processes the personal data of an EU citizen is subject to the GDPR’s 99 articles setting forth privacy requirements.
However, the United States has lacked a comprehensive consumer privacy law—until now. California was the first state to enact such a law, granting California residents new rights regarding how their personal information is collected, managed, utilized, and distributed, while imposing various data protection obligations on certain entities conducting business in California.
While the CCPA incorporates several GDPR concepts, including rights of access, portability, and data deletion, as it rightfully should, the scope and territorial reach of the GDPR is much broader than the CCPA, and substantially different as to which parties are regulated.
To date, the California legislature has passed seven amendments to the CCPA—AB 25, 874, 1130, 1146, 1202, 1355, and 1564. Collectively, these amendments modify the definition of personal information, alleviating many concerns surrounding a business’s ability to verify consumer requests under the Act.
Under the GDPR, personal data is defined as any information relating to an identified or identifiable data subject. The GDPR prohibits the processing of defined special categories of personal data unless a lawful justification for processing applies.
However, the CCPA gets more in-depth with its definition. Prior to the enactment of the amendments, the CCPA’s definition of personal information failed to include the use of the term reasonably in two locations and failed to clarify the definition of publicly available.
With the enactment of the amendments, personal information is defined as any information that “identifies, relates to, describes, is reasonably capable of being associated with, or may reasonably be linked, directly or indirectly, with a particular consumer or household.”
Do You Have An Opt-Out Clause Visible on Your Page?
Businesses must now enable and comply with a consumer’s request to opt out of the sale of personal information to third parties, subject to certain defenses. With the GDPR, there was no specific right to opt out of such sales, unless they involved processing data for marketing purposes.
Under the CCPA, businesses must comply with a consumer’s request to opt out of the sale of personal information to third parties by including a “Do Not Sell My Personal Information” link clearly and conspicuously enough on the website’s homepage so that it cannot be missed.
Does Your Business Qualify for an Exception Under the CCPA?
Two notable exceptions appear in the amendments adopted before the end of California’s legislative session on Sept. 13, 2019.
The Business-to-Business Exception
As of January 1, 2020, the CCPA will not apply:
The Human Resources Exception
Additionally, the amendments listed above provide a limited exception up and until January 1, 2021, by which the CCPA will not apply to:
This exemption also applies to certain emergency contact information and information necessary to administer benefits.
Like the GDPR, failure to comply with the CCPA purposely comes at an extremely high price and harsh cost. Once the California Attorney General begins to implement enforcement actions on July 1, 2020, individuals and/or businesses who fail to comply with the CCPA’s requirements could be fined at least $2,500 per violation. Of course, the enforcement penalties do lend favor to good faith and reasonable efforts to comply, but it is ultimately up to the California Attorney General’s office whether it chooses to seek civil penalties.
So, what do you and your firm need to do right now to ensure you don’t have to come into a conversation with the Attorney General in July?
Make sure you are posting plain, straightforward language that the average consumer would be able to understand—don’t pull a Facebook or any other social media company that buries those provisions in hundreds of thousands of words. Put it right there upfront, large enough for the consumer to see.
The chances of something happening are high, almost inevitable. In preparation for this and avoiding both CCPA and GDPR penalties, you will want to:
The next step would be to grab your IT department, IT consultant, and/or technical consultant (preferably someone with Certified Information Systems Security Professional certification) and bring them into a meeting with your firm’s partners and create the internal data privacy team.
Depending upon the federal regulations your firm is bound by, you will want to create and establish your firm’s internal incident response plan.
Before moving forward, identify whether you are bound by the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, and of course, California’s CCPA and privacy statutes.
Then you will want to:
Andrew L. Rossow is an internet attorney, licensed to practice law in Ohio, and an adjunct cybersecurity professor at The University of Dayton School of Law. Rossow focuses on helping individuals minimize harms caused through social media crime and ensures clients’ digital footprints are positively managed. He has been published in Law360, Forbes, and HuffPost, and regularly provides analysis for national news outlets, including Cheddar, ABC, CBS, FOX, and NBC. In addition, he is a Research Solutions Consultant with LexisNexis
To find this article in Lexis Practice Advisor, follow this research path:
RESEARCH PATH: Data Security & Privacy > State Law Surveys and Guidance > California Consumer Privacy Act (CCPA) > Articles
For additional information on the General Data Protection Regulation (GDPR), see
> GENERAL DATA PROTECTION REGULATION (GDPR)
RESEARCH PATH: Data Security & Privacy > International Compliance > General Data Protection Regulation (GDPR) > Practice Notes
For a comparison between the GDPR and the CCPA, see
> CCPA COMPLIANCE: COMPARING KEY PROVISIONS OF THE GDPR AND CCPA
For an overview of the requirements of the CCPA, see
> CALIFORNIA CONSUMER PRIVACY ACT (CCPA) RESOURCE KIT
RESEARCH PATH: Data Security & Privacy > State Law Surveys and Guidance > California Consumer Privacy Act (CCPA) > Practice Notes
For guidance on mapping data in anticipation of compliance with the CCPA, see
> CCPA COMPLIANCE: DATA MAPPING CHECKLIST
RESEARCH PATH: Data Security & Privacy > State Law Surveys and Guidance > California Consumer Privacy Act (CCPA) > Checklists