Challenges Of The California Consumer Privacy Act

Passed more than a year ago, the California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020. It is considered the most comprehensive privacy law in the United States to date. If corporate legal operations professionals have not yet taken steps to comply with these new privacy and data protection rules, it is essential to focus intently now on getting your organization ready.

The CCPA was passed in response to growing consumer concern about data protection and privacy and to provide residents of California some level of control over the personal information that companies collect. In mid-October, the California Attorney General’s Office also published proposed regulations designed to help implement the new law and clarify some of the law’s requirements.

What is your organization doing to comply? Below is a summary that may prove helpful.

For-profit companies doing business in California that collect the personal information of consumers are required to comply with the CCPA. It is worth noting that your organization need not be headquartered in California to be subject to the law. The CCPA applies to businesses operating in California for which any of the following are true:

  • Annual gross revenues over $25M;
  • Annually buys, receives, sells, or shares personal information of over 50,000 California consumers, households, or devices; or
  • Derives at least 50 percent of its annual revenue from selling California residents’ personal information.

Clearly, Facebook and Google are implicated here. But companies — even those outside of the Golden State — need to evaluate whether they fall within these parameters.

The protections that the CCPA grants to consumers are fairly broad in scope. California residents will now have the right to know the “what, who, and why” of their personal information, including:

  • The categories of information collected, shared, or sold;
  • The sources from which their personal information was collected, with whom it was shared, and to whom it was sold; and
  • The specific personal information that has been collected about that consumer and why it was collected.

California consumers will also be able to request that a company delete the personal information it has collected about them. And residents will also be able to direct a company to not sell their personal information to third parties.

Most regulatory schemes like the CCPA are enforced by the government. But the CCPA also creates a private right of action for consumers. Any consumer may bring an action under the law.

In many companies, legal operations professionals are likely to be asked for input to lead the CCPA compliance efforts. Compliance could also fall to information governance professionals.

In order to meet the obligations of the CCPA, companies will need to begin by (1) analyzing the requirements of the CCPA; (2) identifying the scope of the impact on existing and new processes; (3) assigning specific stakeholders to own the new process; (4) creating a project plan for complying with the law and the new regulatory requirements identified by each organization; and (5) implementing monitoring processes to ensure compliance.

Penalties for noncompliance with the CCPA will range from civil penalties of up to $7,500 per violation, imposed by the government, to $750 per consumer violation for breach of the law in a private action.

The CCPA has been amended to provide a grace period for businesses to come into compliance. The California Attorney General cannot bring an enforcement action until six months after publication of that office’s regulations, or July 1, 2020, whichever comes first. This grace period does not apply, however, to the private right of action consumers can bring under the CCPA.

Earlier this month, the California AG’s office proposed clarifying regulations that mostly outline procedural issues for consumers and the manner in which businesses affected by the law will need to provide notice, respond to consumer requests, and comply with the CCPA.

It would be prudent for companies doing business in California to assess whether they understand the data they are collecting and their internal ability to respond to data subject requests that will inevitably flow from the CCPA. Better yet, perhaps now organizations will begin to evaluate the data they have, why they collect it, and whether they may be able to dispose of it sooner.

There are additional amendments to the CCPA that are still pending in the California legislature. Readers will need to stay tuned to see exactly what the final law looks like.


Mike Quartararo is the managing director of eDPM Advisory Services, a consulting firm providing e-discovery, project management and legal technology advisory and training services to the legal industry. He is also the author of the 2016 book Project Management in Electronic Discovery. Mike has many years of experience delivering e-discovery, project management, and legal technology solutions to law firms and Fortune 500 corporations across the globe and is widely considered an expert on project management, e-discovery and legal matter management. You can reach him via email at mquartararo@edpmadvisory.com. Follow him on Twitter @edpmadvisory.