The California Consumer Privacy Act (“CCPA”) is Now Effective: What Does It Mean for Your Business?

Share

Did you know? 

The California Consumer Privacy Act of 2018 (the “CCPA”), one of the most stringent and far-reaching consumer privacy laws in the country, became effective as of January 1, 2020. The CCPA significantly expands the privacy rights of California consumers by imposing new requirements on businesses to disclose what categories of personal information will be collected, the purpose of the collection, and how the information will be used.

The CCPA will protect the “Personal Information” of California consumers and defines this term as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”  Accordingly, this information can include a name, address, web browsing histories, IP addresses, and commercial information relating to products or services purchased.  

Why is Compliance Important?

The CCPA’s long reach means it could apply to any business that processes the personal information of Californians, regardless of the company’s location. 

Does the CCPA Apply to My Business?

The CCPA will apply to for-profit businesses that collect California consumers’ personal information and meet one of the following criteria: (1) have annual gross revenues greater than $25 million; (2) buy, receive, sell, or share personal information of 50,000 or more consumers annually; or (3) derive 50 percent or more of their annual revenues from selling consumers’ personal information.

How Could the CCPA Affect My Business’s Obligations?

The CCPA will give consumers expanded rights, including the right: (1) to know what personal information is being collected about them; (2) to know whether their personal information is sold or otherwise disclosed and to whom; (3) to say no to the sale of their personal information; (4) to access their personal information and request that it be deleted (some exceptions apply); and (5) to receive equal service and price, even if they exercise their privacy rights.

Businesses subject to the CCPA will need to be prepared to locate consumer’s  personal information in order to respond to consumer requests and will need to make certain notices and disclosures available.  For instance, the CCPA will require businesses to provide at least two methods for consumers to request information, including a toll-free telephone number and a website address (if the business maintains a website).  The business must “disclose and deliver” the requested information to the consumer for free within 45 days.  Businesses will also need to ensure that their online privacy policies and any statements relating to California consumers’ privacy rights are updated as needed to comply with the CCPA.

What are the Penalties for Non-Compliance?

The CCPA establishes both civil penalties for violations and a private right of action if a data breach of non-encrypted or non-redacted personal information occurs. The latter is likely to substantially increase litigation risk and exposure for companies that are subject to a data breach.

How can PorzioCS Help?

Companies concerned about their CCPA risk can use PorzioCS’s proprietary online Compliance Assessment Tool to identify their CCPA obligations and implement the appropriate compliance controls. Following the completion of the assessment, they will receive weighted results based on the criticality of the CCPA requirements to identify appropriate compliance controls. PorzioCS will then help them to develop a customized action plan that fits the organization’s budget, technology infrastructure, culture, and objectives.