Keeping Our
Clients and
Business Partners
Informed

New California Privacy Law Set to Go Into Effect in 2020: How Your Business Should Prepare

The California Consumer Privacy Act (“CCPA”), which will affect many businesses doing business in California, is set to go into effect beginning on January 1, 2020. In order to enforce the provisions of the CCPA, the state empowered the Attorney General to impose hefty fines for violations, including a $2,500 fine per violation which is not cured within thirty days. In order to avoid such fines and the legal expenses that go along with fighting a legal action by the state, it is important that your business become familiar with the requirements of the CCPA and be sure to implement business strategies to ensure compliance by 2020.

Must Your Business Comply?

The CCPA applies to all businesses who conduct business in the state of California who (1) are for profit business entities; (2) have at least $25 million in annual gross revenue; (3) buy, sell, or receive for the business’s commercial purposes the personal information of 50,000 or more consumers, households of devices per year; or (4) produces at least ½ of its annual revenue in the sale of personal data.

What Does the CCPA Require?

Assuming that CCPA applies to your business, then upon request by a consumer, you disclose certain information relating to that consumer’s personal information, including (1) what information is being collected, sold or disclosed; (2) the source of the consumer’s information (i.e. where you obtained it); (3) the business purpose for the information; and (4) the categories of third parties that the information is shared with, if any. The law defines “personal information” very broadly; It is any information about a California resident that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This would include just about anything, including telephone numbers, addresses, purchase history, geographical data, and even inferences drawn about a California resident (i.e. the fact that they purchased a new home and may want to remodel or require insurance).

If asked by a consumer, your business would have to provide the consumer with the above-information in a format which would be “readily useable” and would allow the consumer “to transmit [the] information to another entity.” In other words, your business couldn’t merely transmit the information in the form that it had it in if it was not “readily useable” (i.e. legible), but rather would have to convert it to a form that a reasonable person could review and understand.

The CCPA also requires businesses that fall under the act to protect “private” consumer information, including social security numbers, driver’s license numbers, financial/accounting information, medical information, email addresses, username passwords, and security questions/responses.

How Should Your Business Prepare?

Because there are fines associated with the CCPA, it is important that you prepare your business to meet the requirements of the new law as soon as possible. This would include implementing processes and procedures to quickly and economically produce the information in compliance with the CCPA upon request by a consumer.

Perhaps more importantly, your business should implement appropriate security measures to protect the private information that you collect, purchase, or otherwise maintain. This may include encryption and/or redaction of personal information which your business keeps on consumers, restricting employee access to consumer database(s), and implementing regular reviews of your data security
policies.

Questions relating to the applicability of the CCPA to your business and compliance with the terms of the new law can be answered by the attorneys at Vogt, Resnick & Sherak, LLP.