First, the disclaimer: I am not an attorney, and this is not legal advice!
As an update to the article we wrote back in September, we are sending out a reminder that the deadline for the California Consumer Privacy Act (CCPA) legislation is nearing. The CCPA goes into effect on January 1, 2020, with enforcement beginning July 1, 2020. Amendments to the law have been made as recently as October 11, 2019. Because the law is not yet enacted, it has also not been challenged in court.
As Paulsen is not a legal firm, the ways we can help our clients are limited to assisting with a few website-related tasks. However, that is only a small part of actual compliance.
Does this impact your business?
CCPA applies to businesses with customers in California that meet one of the following criteria:
- Annual gross revenues in excess of $25 million
- Annually buys, receives for the business’s commercial purposes, sells or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households or devices
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information
Overview of CCPA
- Discloses collection of personal data, the categories of information collected, the purpose for collecting and selling data and the third parties with which data is shared
- Authorizes consumers to opt out
- Allows businesses to offer financial incentives for the collection of personal information
- Prohibits companies from selling the personal data of consumers under the age of 16 years
- Requires data breach notification
- Requires parental consent for collecting personal data of minors (under the age of 13) and requires the consent of minors 13-16 years old if requesting to share data
Compliance in Brief
- Display clearly on your site a way for consumers to opt out of the sale of their personal data, including providing a toll-free phone number for them to call and make the request
- Allow a period of 12 months after a California resident opts out before requesting opt-in again
- Prepare internal leadership, teams, processes and systems for dealing with securing data and opt-outs
Business as usual?
There are exceptions to the right to have your data removed that involve normal business transactions. Businesses must be able to:
- Complete legal business transactions
- Retain data for legal and security purposes and prosecutions
- Exercise free speech
- Perform research that is scientific, historical or statistical
- Use data internally in a way that meets the expectations of the consumer and their relationship with the business
If you have consumer data from residents of California, the safest way to comply is to have legal counsel review this for you. If you want to read the legislation yourself, grab some stiff coffee and review the official text of the law.
A slightly easier-to-read version and interpretation can be found here, but it does not reflect the most recent changes.
This is just the beginning of what will likely be multi-state privacy legislation that evolves into federal privacy protection. Please let us know if you want to discuss this with us!