Last Minute Tips for Procrastinators: What Your Company Needs to Know about the January 1, 2020 Effective Date of the California Consumer Privacy Act (“CCPA”)

If your company is like many, you have known about the upcoming effective date of the California Consumer Privacy Act (“CCPA”), but are still making last minute preparations in advance of it going into effect.

If you are one of many procrastinators out there just starting to think about the law, the Silicon Valley Software Law Blog wanted to recap some highlights for you.

  • Your business is subject to the law, regardless of its location,  if any one of the following is true:
    • Your company has gross annual revenues in excess of $25 million.
    • Your company buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices.
    • Your company derives 50 percent or more of its revenues from selling consumers’ personal information.
  • The CCPA creates new rights for California consumers: (a) the right to know; (b) the right to delete; (c) the right to opt out; and (d) the right to non-discrimination.
  • You must provide notice to consumers at or before the point of data collection of the personal information to be collected and the purposes it will be used.
  • You must provide clear and conspicuous notice to consumers of the right to opt out of the sale of personal information, which includes providing a “Do Not Sell My Personal Information” link on the website or mobile application.
  • You must respond to requests for consumers to know, delete, and opt-out within specified timeframes (generally 45 days).  Privacy settings to opt out must be treated as a validly submitted opt out request.
  • You must verify the identity of consumers who make requests to know or to delete, regardless of any password-protected account settings with the business.
  • You must disclose any financial incentives offered in exchange for the retention or sale of a consumer’s personal information, explain how the value of the personal information is calculated, and explain how the incentive is permitted under the CCPA.
  • You must make available to consumers at least two or more designated methods for submitting requests, including at a minimum a toll-free phone number, and if you maintain a website, a website address by which to submit requests.  However, a business that operates exclusively online and has a direct relationship with the consumer from who it collects personal information is only required to provide an email address.
  • You must make your privacy policy accessible to consumers with disabilities, or to provide consumers with disabilities information on how they can access the policy in an alternative format.
  • You must make your privacy policy available in a format where consumers can print it out in a separate document.
  • You must ensure that the privacy policy explains how a consumer can designate an authorized agent to make a request on the consumer’s behalf.
  • You must retain records of all requests and responses to requests for at least 24 months; provided that businesses that buy or sell personal information of more than 4 million consumers annually have additional reporting obligations.

Also, if your business qualifies as a “data broker” you are required to register with the Attorney General by January 1, 2020.  How do you know if your business is a “data broker”?  Your business knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.  Three categories of businesses are excluded from these obligations:  (i) consumer reporting agencies to the extent they are covered by the Fair Reporting Act; (ii) financial institutions to the extent they are covered by the Gramm Leach Bliley Act; and (iii) entities covered by the Insurance Information and Privacy Protection Act.

The CCPA, its amendments, and regulations define more compliance obligations that businesses should be familiar with, but this list is a good starting point in advance of the effective date.

Obviously, even if your business is not subject to these laws, these privacy requirements will now constitute the best practices for doing business in California, so all businesses should seriously consider incorporating these privacy practices into their standard privacy practices and procedures.  The Silicon Valley Software Law Blog will continue to keep you updated as these new laws begin to be implemented.