I’ve written about privacy regulation before. But on Jan. 1, 2020, when the California Consumer Privacy Act (CCPA) takes effect, managing privacy for California residents and the entities that hold their data will take on a whole new level of seriousness. Aside from some sector-specific federal obligations under the Health Insurance Portability and Accountability Act (HIPAA), the Fair Credit Reporting Act (FCRA), and the Children’s Online Privacy Protection Act (COPPA), this is the first time a state (one may be the loneliest number, but it won’t be the only one for long) has taken definitive, general-purpose steps to protect the personal information of its residents. The European Union’s rules, the General Data Protection Regulation (GDPR, EU Regulation 2016/679), have been in force since May 2018. While the scope and approach differ, there are some useful similarities. This guide from Data Guidance and the Future of Privacy Forum provides a good comparison of the two.
However, now that we’re past Thanksgiving, it’s time to start thinking about year-end preparation (after the company holiday party and family fun planning, of course). With the new year quickly approaching, individuals, enterprises, and government officials should all be keenly focused on the obligations and protections of the California Consumer Privacy Act (SB-1121), some of whose obligations may already have been triggered. California is thus far the only state to have taken formal action with a firmly committed start date, but as other states step up in this area of great concern to consumers nationwide, implementing and managing the privacy and data protection rules that the new state law requires will, in some cases, demand significant steps to protect sensitive information. Visit the California Legislative Information website for the full text of the bill.
How to Prepare for CCPA
On the off chance that an enterprise isn’t prepared, what follows are some high-level questions that should be addressed today (better yesterday, but never mind).
First, does the CCPA apply to your firm? The law covers a for-profit entity that does business in California, collects California residents’ personal information, and meets any one of three thresholds: annual gross revenues over $25 million; buying, receiving, selling, or sharing the personal information of 50,000 or more consumers, households, or devices per year; or earning 50% or more of its annual revenues from selling consumers’ personal information. Note that selling data is not a prerequisite; a business that merely collects it at sufficient scale is covered. If any one of these three thresholds applies, it’s time to get to work on ensuring compliance.
Secondly, once you’ve figured out that the CCPA does apply, contracts with customers and vendors must be updated to limit liability and provide the necessary notifications to customers. Having a clear understanding of whether or not an entity qualifies as a “service provider” is critical. Once this determination is made, contracts with such entities should clearly address the following: the business purposes for which the personal information will be processed; a clear prohibition on the service provider selling the personal information it receives; and a clear prohibition on the service provider retaining, using, or disclosing personal information outside the direct business purpose specified in the contract. (Contracts with third parties who may not qualify as “service providers” should also be updated with respect to personal information, but that’s another topic for another day.)
Thirdly, enterprise privacy policies, like bylaws or any other document meant to reflect current corporate circumstances, should be updated regularly. Those who will be held accountable should clearly understand what information must be disclosed, in what form, and how often. The policy should cover consumers’ rights to access and delete their personal information and to opt out of the sale of that information. It should also describe the process for submitting such requests, including the designated methods (the CCPA requires at least two, such as a toll-free number and a web address) through which requests can be received and routed for response.
In crafting these policies, which should be treated as living documents, it’s important that all relevant players take part in the drafting. This should include, at a minimum, attorneys, risk managers, and those responsible for the collection and use of information that is considered personal. Time is truly of the essence. For more guidance and information, I recommend this step-by-step guide from The IAPP.
While California is the first state where rules of this kind will take effect, other states are likely to follow with similar but not identical provisions. The sooner enterprises get their collective arms around the key definitions and processes that California requires, the easier it will be when other states, if not the federal government, come to the table with their own rules.