Your law firm finally completed the measures necessary to ensure client compliance with the European Union’s General Data Protection Regulation (GDPR), and now the California Consumer Privacy Act (CCPA) is looming on the horizon. Although the CCPA doesn’t actually go into effect until January 2020, there is no time like the present to determine what obligations the Act imposes and what it will take to comply with its provisions.
According to a recent report issued by TrustArc, most companies are aware of the CCPA and some have begun to address issues regarding compliance. However, most companies that it applies to have not started the process yet, particularly those who did not have to ensure compliance with the GDPR.
What is the CCPA and who will it affect?
The CCPA is a consumer privacy law that will establish guidelines on how businesses collect personal information and how they use that data after it has been acquired. Under the CCPA, personal information includes names, addresses, Social Security numbers, email addresses, geographic locations, IP addresses, shopping/browsing history, psychological profiles, consumption behaviors/attitudes, and consumer preferences.
In other words, pretty much everything.
Organizations inside and outside of California will be affected by the Act’s requirements because it applies to any business that operates in California, whether or not it is a California business. Don’t make the mistake of assuming that the CCPA does not apply to you because your firm is not located in the state. Companies will be required to comply with the CCPA if they meet any of the following criteria:
- Exceed annual gross revenue of $25 million
- Obtain the personal information of 500,000 or more California residents, households, or devices each year
- Acquire half or more of their gross revenue from the sale of California residents’ personal information
Most U.S. companies have customers in California and will likely be required to comply with the CCPA if they want to continue to gather information from California customers.
Preparing for compliance with the CCPA
Here are some crucial steps that organizations need to take in preparation for CCPA compliance:
- Determine what data they are collecting.
- Understand how the information is being used – is it being shared or sold to third parties?
- Review and potentially update privacy policies to comply with the Act.
- Implement solutions to process customer requests for opt-out.
- Ensure that the data being collected is critical to the needs of the organization.
Many businesses within the legal industry will be affected by the CCPA, and in-house counsel at tech companies will likely be kept especially busy ensuring compliance with the Act.
The first logical step for these companies will be mapping their data collection processes and then sharing that information with their information technology departments, a process similar to the one they probably followed in preparation for GDPR.
Consumer rights under the CCPA
The CCPA will give California residents the right to:
- Know exactly what personal information is being collected about them
- Find out if their personal information has been disclosed and to whom
- Say no to a business selling or sharing their personal information
- Ask what information a business has collected about them
- Request that their personal information be deleted
A business will be required to comply with these requests or risk penalties of up to $7,500 per incident.
To put that figure in perspective, a data breach involving 20,000 customers could cost a business up to $150 million. Businesses will also be required to obtain opt-in consent for children under age 16, and for those under age 13, a parent or guardian must provide the opt-in.
However, before the law takes effect, there are a few issues that still need to be addressed. For example, Section 1798.125(b) allows businesses to offer alternate prices and other incentives to customers who allow data collection, which directly conflicts with Section 1798.125(a), which forbids charging different prices or offering different levels of quality to consumers based on whether they opt in.
California leads the way, many states to follow
California is one of the first states to implement many of these regulations, but other states have introduced comparable measures. By 2025, more states are expected to enact similar legislation, which will give virtually every U.S. consumer the right to know how their data is being used.
Ultimately, if your firm does not share or sell customer data, then you should have nothing to worry about. Still, the best practices above for improving awareness of how your firm manages client data are a good place to start.