California residents now have new rights over their personal information under the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020. The law greatly expands consumer protections and privacy rights for California residents, and companies that do business in the Golden State will have to take a close look at how they collect, use and share personal information to stay compliant.
CCPA regulates what covered businesses may do with personal information. It also gives residents rights over their personal data, including the right to know what is collected, the right to opt out of its sale and the right to have it deleted, with a few exceptions. In some ways, this legislation resembles the European Union’s General Data Protection Regulation (GDPR) because it seeks to give individuals rights over their personal information.
Unlike GDPR, however, CCPA protects only California residents and applies only to for-profit businesses, so non-profit entities are outside its scope. There are further differences between the two regimes: GDPR requires a lawful basis before personal data may be collected at all, whereas CCPA focuses on notice, transparency and the consumer’s ability to opt out of sale and request deletion. So even if a company is already GDPR compliant, it should still review its data handling practices to confirm that it is also compliant with CCPA.
Who is subject to CCPA?
Currently, CCPA only impacts businesses and for-profit entities that operate or conduct business within California, collect the personal data of California residents and meet one of the following conditions:
- Has annual gross revenues in excess of $25 million.
- Buys, receives, sells or shares for commercial purposes the personal information of 50,000 or more California consumers, households or devices per year.
- Derives 50% or more of its annual revenue from selling the personal information of California residents.
CCPA also extends to any entity that controls or is controlled by a covered business and shares common branding with it (Section 1798.140(c)). The language of the law is still being refined through regulations and litigation, but this stipulation clearly increases the reach of CCPA. For instance, a smaller construction company that is a subsidiary or affiliate of, and shares a brand with, a larger company that meets any of these thresholds may itself be subject to CCPA even though it would not qualify on its own. Separately, a subcontractor that processes personal information on behalf of a covered business may be a “service provider” under the law, which carries its own contractual and use restrictions.
It might seem as though CCPA would have little impact on construction companies and other businesses that don’t handle consumer data, but that may not be the case. CCPA defines a consumer under section 1798.140 as a “natural person who is a California resident,” which on its face includes employees and job applicants. This means that information collected by human resources in the course of hiring and managing employees, and personal data tied to required payroll reporting, can fall under CCPA. A temporary exemption (AB 25) removes most employee and applicant data from the consumer-request provisions until January 1, 2021, but the requirement to provide notice at or before collection still applies to that data, and the exemption may not be extended. Companies will want to examine their policies and procedures to ensure they are compliant with the law as it currently stands.
What new obligations are created by CCPA?
Under CCPA, companies have a new set of obligations and responsibilities regarding how they gather and handle personal information. This includes how companies respond to consumer requests to know what is being collected, to opt out of the sale of their personal information, or to delete their personal data.
According to the State of California Department of Justice, companies subject to CCPA are obligated to:
- Provide notice to consumers at or before the point of data collection, describing the categories of personal information collected and the purposes for which they will be used.
- Create procedures to respond to requests to know what is being collected, to opt out of the sale of personal information, or to delete personal data.
- Respond to requests to know, opt out or delete within specific timeframes (generally 45 days for requests to know or delete, extendable once by a further 45 days when reasonably necessary, with notice to the consumer).
- Verify the identity of consumers who make requests to know or delete, even if the consumer doesn’t have an account with the business, so that personal information is not disclosed or erased at the request of an impostor.
- Disclose any financial incentives offered in exchange for the retention or sale of a consumer’s personal information.
- Maintain records for 24 months of all consumer requests concerning their personal data, including how and when the business responded.
Keep in mind that the law does create a path for enforcement that includes a potential injunction and civil penalty:
“Any business, service provider, or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation, which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.”
Before bringing such an action, the Attorney General must give the business notice and 30 days to cure the violation; only uncured violations draw penalties. Separately, Section 1798.150 gives consumers a private right of action when their nonencrypted and nonredacted personal information is exposed through unauthorized access, exfiltration, theft or disclosure caused by a business’s failure to implement and maintain reasonable security procedures, with statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater. This makes it especially important to understand your obligations, to secure the personal information you hold, and to create a process to comply with all aspects of the CCPA.
How can companies comply with CCPA?
It’s important to examine how you currently handle personal information and compare it with the standards created by CCPA. You’ll also need a process for responding to requests to know what is being collected, to opt out of the sale of personal information, or to delete personal data, where applicable. Additionally, you’ll need to be prepared to retain records of all such requests, including your response, for 24 months.
Here are a few actions you may want to take to ensure you’re CCPA compliant:
- Create a process that allows you to receive, verify and fulfill consumer requests regarding their personal information, including at least two methods for submitting requests (such as a toll-free number and a web form).
- Provide adequate disclosures of your data collection practices and policies, both in a privacy policy and when asked.
- Create a process for deleting data upon a verified request, subject to the law’s exceptions (for example, data needed to complete a transaction, comply with a legal obligation or detect security incidents).
- Collect and use personal information only for the categories and purposes disclosed in your notice, and provide fresh notice before collecting additional categories or using data for materially different purposes.
- If you sell personal information, create a process for honoring consumer requests to opt out of that sale, including a clear “Do Not Sell My Personal Information” link on your website.
- Work to ensure that any data you share with third parties or service providers is covered by contracts that restrict its use to the purposes you have disclosed.
It’s also important that companies don’t discriminate against consumers for exercising any of their rights under CCPA. This means you must provide the same level of service and pricing to those who opt out of the sale of their data, request to know how you use their data, or request that you delete their personal information.
CCPA contains some ambiguous language that is likely to be refined through regulations, amendments or litigation. In the meantime, you can use the guidance provided by the Department of Justice to comply with the current law and watch for updates to its language and to the implementing regulations. You can download the CCPA Fact Sheet and read the text of CCPA for additional information.
The material presented here is educational in nature and is not intended to be, nor should be relied upon, as legal or financial advice. Please consult with an attorney or financial professional for advice.