The California Consumer Privacy Act is in Effect: What to do Now

Posted on 01-16-2020

By: Andrew L. Rossow, Esq.

With the California Consumer Privacy Act (CCPA) now in effect, is your firm and/or business ready for the new compliance requirements? The CCPA is codified under Cal. Civ. Code § 1798.100.

Background

On May 25, 2018, the European Union’s (EU) General Data Protection Regulation (GDPR) took effect, replacing the previous EU Directive. Under the GDPR, any individual in the EU who processes the personal data of an EU citizen is subject to the GDPR’s 99 articles setting forth privacy requirements.

However, the United States has lacked a comprehensive consumer privacy law—until now. California was the first state to enact such a law, granting California residents new rights regarding how their personal information is collected, managed, utilized, and distributed, while imposing various data protection obligations on certain entities conducting business in California.

While the CCPA incorporates several GDPR concepts, including rights of access, portability, and data deletion (as it rightfully should), the scope and territorial reach of the GDPR are much broader than those of the CCPA, and the two laws differ substantially as to which parties are regulated.

What’s Been Added? (Amendments)

To date, the California legislature has passed seven amendments to the CCPA—AB 25, 874, 1130, 1146, 1202, 1355, and 1564. Collectively, these amendments modify the definition of personal information, alleviating many concerns surrounding a business’s ability to verify consumer requests under the Act.

Clarifying Personal Information

Under the GDPR, personal data is defined as any information relating to an identified or identifiable data subject. The GDPR prohibits the processing of defined special categories of personal data unless a lawful justification for processing applies.

However, the CCPA is more detailed in its definition. Prior to the enactment of the amendments, the CCPA’s definition of personal information failed to include the term “reasonably” in two locations and failed to clarify the definition of “publicly available.”

With the enactment of the amendments, personal information is defined as any information that “identifies, relates to, describes, is reasonably capable of being associated with, or may reasonably be linked, directly or indirectly, with a particular consumer or household.”

Checklist of Important Considerations

Do You Have An Opt-Out Clause Visible on Your Page?

Businesses must now enable and comply with a consumer’s request to opt out of the sale of personal information to third parties, subject to certain defenses. With the GDPR, there was no specific right to opt out of such sales, unless they involved processing data for marketing purposes.

Under the CCPA, businesses must comply with a consumer’s request to opt out of the sale of personal information to third parties by including a “Do Not Sell My Personal Information” link clearly and conspicuously enough on the website’s homepage so that it cannot be missed.

Does Your Business Qualify for an Exception Under the CCPA?

Two notable exceptions appear in the amendments adopted before the end of California’s legislative session on Sept. 13, 2019.

The Business-to-Business Exception

As of January 1, 2020, the CCPA will not apply:

  • When personal information is conveyed between a business and a consumer that is acting as an employee, owner, director, officer, or contractor of an entity
  • When that communication or transaction occurs solely within the context of the business conducting due diligence regarding, or providing or receiving, a product or service to or from the consumer that is acting as an employee, owner, director, officer, or contractor of an entity

The Human Resources Exception

Additionally, the amendments listed above provide a limited exception, up until January 1, 2021, under which the CCPA will not apply to:

  • Personal information collected by a business about a person acting as a job applicant to, or as an employee, owner, director, officer, medical staff member, or contractor of, that business
  • Personal information that is collected and used by the business solely within the context of the person’s role or former role as a job applicant

This exemption also applies to certain emergency contact information and information necessary to administer benefits.

Consequences

Like the GDPR, the CCPA is designed so that failure to comply comes at an extremely high price. Once the California Attorney General begins to bring enforcement actions on July 1, 2020, individuals and/or businesses who fail to comply with the CCPA’s requirements could be fined at least $2,500 per violation. Of course, the enforcement penalties do favor good-faith and reasonable efforts to comply, but it is ultimately up to the California Attorney General’s office whether it chooses to seek civil penalties.

So, what do you and your firm need to do right now to ensure you don’t find yourself in a conversation with the Attorney General in July?

Disclose, Disclose, Disclose!

Right now, go look at your firm’s website and privacy policies and check the language. Reviewing the company’s privacy policy is usually the first step a regulator (or consumer) will take to see if your business is complying with the CCPA.

Make sure you are posting plain, straightforward language that the average consumer would be able to understand—don’t pull a Facebook or any other social media company that buries those provisions in hundreds of thousands of words. Put it right there upfront, large enough for the consumer to see.

Prepare for a Crisis

The chances of something happening are high, almost inevitable. To prepare for this and avoid both CCPA and GDPR penalties, you will want to:

  • Brainstorm potential crisis scenarios and appoint a point of contact to lead the initiative.
  • Put together a roundtable of people from the firm.
  • Identify your firm’s key audiences.
  • Determine who the lead contact will be to respond to the media and other audiences.

Create and Monitor Your Internal Data Privacy Team

The next step is to bring your IT department, IT consultant, and/or technical consultant (preferably someone holding the Certified Information Systems Security Professional (CISSP) certification) into a meeting with your firm’s partners and create the internal data privacy team.

Begin by:

  • Appointing a director of crisis communication or your firm’s quarterback
  • Appointing a representative for your entire legal team
  • Establishing a 2-3 person group from the firm’s leadership team
  • Identifying and retaining internal subject matter experts, including a chief information officer, chief technology officer, and most importantly, a media spokesperson who knows exactly how to handle the never-ending media pressure

Create Your Incident Response Plan

Depending upon the federal regulations your firm is bound by, you will want to create your firm’s internal incident response plan.

Before moving forward, identify whether you are bound by the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, and of course, California’s CCPA and privacy statutes.

Then you will want to:

  • Document how your firm’s data is stored and protected
  • Understand the cost and impact if that data were stolen (in whole or in part)
  • Create tailored policies, procedures, and guidelines for handling each type of information security incident
  • Ensure visibility into the critical activity and behavior in the business environment
  • Practice and implement the plan

Andrew L. Rossow is an internet attorney, licensed to practice law in Ohio, and an adjunct cybersecurity professor at The University of Dayton School of Law. Rossow focuses on helping individuals minimize harms caused through social media crime and ensures clients’ digital footprints are positively managed. He has been published in Law360, Forbes, and HuffPost, and regularly provides analysis for national news outlets, including Cheddar, ABC, CBS, FOX, and NBC. In addition, he is a Research Solutions Consultant with LexisNexis.
