Should I Care About CCPA?
The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. This will likely impact your business. So, if your business has a website accessible to California residents, you need to pay attention to the CCPA.
Your business is subject to the CCPA if it annually buys, receives or sells the personal information of 50,000 or more consumers, households or devices in California; derives 50% or more annual revenue from selling consumers’ personal information; or has gross annual revenues of more than $25 million.
Non-compliance with the CCPA may cost your business revenue and hamper your legal department with suits. The CCPA imposes a potentially more severe penalty than the General Data Protection Regulation (GDPR) for non-compliance. Under the CCPA, a business will be liable for a civil penalty of up to $2,500 USD for each violation or $7,500 USD for each intentional violation if it fails to cure any alleged violation of the CCPA within 30 days.
In case of a data breach due to a business's failure to implement reasonable and appropriate security practices, class action lawyers are expected to take advantage of the CCPA to bring a civil action against the business. In that case, the CCPA allows recovery of up to $750 USD per consumer, per incident, or actual damages, whichever is greater. Furthermore, a data breach incident could ruin your business's reputation, discourage investors, drive away customers, overwhelm your legal department, and invite regulatory scrutiny.
How to Comply with CCPA?
Here are the key issues you and your legal department should consider in order for your business to comply with the CCPA.
a. Is your company collecting any personal data under the CCPA?
The answer is most likely to be “yes” because the CCPA defines “Personal Information” very broadly. It essentially covers any information that relates to a California resident or household. Under the CCPA, “Personal Information” includes, but is not limited to, the following: name, postal address, Internet Protocol (IP) address, email address, account name, race, gender, national origin, disability, purchase history, browsing history, geolocation, professional or employment information, and consumer profile.
(1) Consumer's rights under the CCPA, including right to access, right to erasure, right to portability, right to knowledge, right to opt out, and right to equal services and prices, and designated methods for submitting requests;
(2) The categories of consumers’ personal information that were actually collected by your company in the preceding 12 months and sold or disclosed for business purposes in the preceding 12 months, or the fact that the business has not sold or disclosed consumers’ personal information for business purposes in the preceding 12 months; and
(3) The categories of personal information to be collected about the consumer and the purposes for which the information will be used.
c. Are you going to sell or rent any personal data to a third party?
If you and your department decide that the answer is “yes”, you need to make available a clear and conspicuous link in your organization’s homepage (or a homepage designed specifically for California consumers), titled “Do Not Sell My Personal Information”, to a web page that enables a consumer to opt out of the sale of the consumer’s personal information. The business must wait at least 12 months before requesting to sell the personal information of any consumer who has opted out.
d. Have you taken steps to protect customers' rights under the CCPA?
- Develop internal procedures for responding to consumer rights requests, including setting up procedures for verifying the identity of a requester.
- Develop internal data privacy policies setting forth your data privacy practice, including how to avoid “discriminating” against consumers based on the exercise of their rights.
- Implement appropriate security controls to prevent potential data breaches.
- Revise your vendor contract template to impose CCPA obligations on your vendors.
The above is not an exhaustive list of steps you need to take to comply with the CCPA.
Author: Lena Kempe is Assistant General Counsel at Pitney Bowes, Inc.
You can contact her through Linkedin: https://www.linkedin.com/in/lena-kempe-16440aba/