On January 1, 2020, the online world changed for Californians and for many who do business in California. That is the date the California Consumer Privacy Act, or the CCPA, went into effect. Business entities covered by the statute must now meet the CCPA’s compliance requirements or risk legal exposure for violations. Those who are not already in compliance need to learn what the CCPA requires of them and take immediate steps to abide by the new legislation.
Those who face uncertainty should also seek the help of a business attorney who understands not only the steps to CCPA compliance, but also how to minimize the risk of future problems in this regard. Below you’ll find a CCPA compliance checklist that provides basic guidance for your situation before you seek specific legal advice.
1. Determine if the CCPA Applies to You
The first step with any CCPA compliance strategy is figuring out whether the law even applies to your business. The CCPA applies to a for-profit business that does business in California, collects California consumers’ personal information, and meets at least one of these thresholds:
- Has annual gross revenues in excess of $25 million;
- Buys, receives, sells or shares, for commercial purposes, the personal information of 50,000 or more California consumers, households or devices per year; or
- Derives 50 percent or more of its annual revenue from selling California consumers’ personal information.
If even one of these thresholds applies to your business, then you need to take steps toward CCPA compliance immediately in order to protect your operation from potential liability. Note that the thresholds are evaluated against the whole business, not against a single product or website.
2. Do You Collect Data Covered by the CCPA?
If your business falls under the jurisdiction of the CCPA, your next step should be to determine whether the type of information you collect is governed by the language set out in the law. The statute’s operative term is “personal information,” which it defines broadly as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California consumer or household. Examples of information that would qualify as personal information include:
- Phone number
- Email address
- IP address
- Passport number
- Social security number
- Driver’s license number
The above is not an exhaustive list. The definition also reaches data that is less obviously identifying, such as browsing and search history, geolocation data, biometric information, and inferences drawn from any of these to build a profile. Any data that could reasonably be linked to a particular person or household is protected by the CCPA, and anyone collecting that type of information would need to be in CCPA compliance. The statute does exclude information that has been properly de-identified or aggregated and information lawfully made available from government records, but a business relying on either exclusion should be able to document why it applies.
3. Define How You’re Sharing Data With Third Parties
If your business handles personal information of California residents, then you should examine how you’re sharing this information with third parties. For instance, if you exchange this information for money with another company, that constitutes a sale of the information and is governed by the statute. The key word in this instance is “sale” of information.
Even if no money changes hands, the CCPA defines a sale as disclosing personal information to a third party for “monetary or other valuable consideration,” so exchanging the information for some other type of value, such as promotion or other benefits, can still be a “sale” under the law. A common example is passing data to an advertising partner in return for analytics or ad placement. If that’s occurring, your CCPA compliance strategy needs to include an “opt-out” option for the affected consumers, and you should map every outbound data flow so that you know which ones the opt-out must cover.
4. Prepare Your Public Disclosures to Consumers
If, at this point, you fall under each of the points discussed in the CCPA compliance checklist, you need to prepare your public disclosures to the consumers whose personal information you collect (not only those whose data you sell). These public disclosures cover the following consumer rights:
- The Right to Disclosure – At or before the point of collection, you must inform the consumer which categories of personal information you collect and the purposes for which each category will be used. This “notice at collection” can be delivered by way of a pop-up message on the screen or a clearly labeled link at the collection point.
- The Right to Access – Up to twice in any 12-month period, a consumer can request a readable, portable file that tells them the categories and specific pieces of personal information you have collected about them, the sources of that information, the business purpose for collecting it, and the categories of third parties with whom you share or to whom you sell it. You must respond within 45 days of a verifiable request; the statute permits one 45-day extension when reasonably necessary, provided the consumer is notified.
- The Right to Deletion (often called the right to disappear or to be forgotten) – A consumer can request that a business delete any personal information that falls under the statute. This requires the business to delete the information, direct its service providers to do the same, and be able to show that it was done. The statute lists exceptions, for example where the data is needed to complete a transaction the consumer requested, to detect security incidents, or to comply with a legal obligation, and any exception you rely on should be recorded with the request.
- The Right to Opt-Out – Businesses that sell personal information must provide a clear and conspicuous “Do Not Sell My Personal Information” link on their homepage that leads to a page where consumers can request that their information not be sold to third parties. The business may not discriminate against a consumer, for example by charging a different price or degrading service, for exercising any of these rights.
5. Prepare Your Opt-Out Functionality
Your CCPA compliance strategy should also include functionality built into your website so that consumer requests are received, verified, and fulfilled through a consistent, repeatable process rather than handled ad hoc. For instance, you should have prepared response templates ready for when opt-out and deletion requests arrive, a documented method for verifying that the requester is who they claim to be before releasing or deleting data, and a ticketing or logging mechanism that records when each request was received, how it was verified, what action was taken, and when the 45-day clock expires. CCPA compliance is something you may need to prove at some point, and these records are the proof.
6. Update Your Privacy Policy Regularly
The CCPA requires that all businesses falling under its jurisdiction update their privacy policies at least once every 12 months. The policy must describe the consumer rights listed above, how to exercise them, and the categories of personal information the business has collected, sold, or disclosed for a business purpose in the preceding 12 months. In addition, these privacy policies need to be accessible to users, so either they need to be displayed prominently on a website, clear links need to be provided to them, or both. Your business should track and record when its privacy policy is updated, and keep prior versions, so that it can prove the review was done on schedule.
7. Employee Training
The CCPA does contain a training requirement, although a narrow one: a business must ensure that every individual responsible for handling consumer inquiries about its privacy practices or its CCPA compliance is informed of the statute’s disclosure, access, deletion and non-discrimination requirements and of how to direct consumers to exercise their rights. Beyond that minimum, it is a good idea in most situations for a company affected by the law to properly train all employees who handle personal information, including engineers and support staff who can see it. Situations will arise that require judgment calls and concrete steps, and having records of this training, including who attended and when, could help protect a business. You should also have an attorney work with you on putting this training together.
8. Establish an Internal Tracking Protocol
The CCPA gives consumers a private right of action when their non-encrypted and non-redacted personal information is exposed in a data breach that results from the business’s failure to implement and maintain reasonable security procedures and practices; statutory damages in such actions are assessed per consumer, per incident, so a single breach can produce very large exposure. Other violations of the statute are enforced by the California Attorney General, with civil penalties assessed per violation and increased for intentional violations. Either way, the potential penalties for a company found to have violated the CCPA are substantial. Therefore, it is necessary for any business that handles personal information to document how that information is handled, which systems and vendors it passes through, and every step taken in pursuit of CCPA compliance. This evidence could prove critical if your business faces a claim.
9. Deal With Minors Properly
The CCPA deals with minors differently than adults whose information falls under the statute’s jurisdiction. Where a business knows a consumer is under 16, it may not sell that consumer’s personal information without affirmative, “opt-in” consent. A consumer who is at least 13 but under 16 can provide that consent directly; for anyone younger than 13, the consent must come from a parent or guardian. A business that ignores a minor’s age it actually knows, or that willfully disregards it, is treated as having knowledge, so age signals already in your records should be honored by the opt-in logic.
10. Update Your Data Security Practices
Perhaps the most important CCPA compliance strategy is to make sure that your data is as protected and secure as possible. The duty the statute enforces is to implement and maintain “reasonable security procedures and practices appropriate to the nature of the information,” and, as noted above, a breach caused by a failure to meet that duty is exactly what opens the door to private lawsuits. Any attorney can tell you that the word “reasonable” is open to interpretation within the context of litigation, so every business needs to do whatever it reasonably can to (a) secure personal data and (b) document what’s been done. One useful benchmark is the California Attorney General’s 2016 data breach report, which identified the Center for Internet Security’s Critical Security Controls as a minimum level of information security that organizations collecting personal data should meet; a business that cannot show it has addressed those controls will have a harder time arguing its practices were reasonable. Encrypting stored personal information also matters directly, because the private right of action applies to non-encrypted and non-redacted data. These security practices should be reviewed regularly, with the reviews dated and recorded, and updated when necessary.
CCPA compliance is a must for companies across California and for those that do business in California. No two CCPA compliance strategies are exactly alike, so the best way for you to proceed is to seek the legal advice of a San Diego business lawyer who understands how to protect clients from liability as much as possible. Contact Kam Law Firm today to schedule a complimentary 30-minute consultation.