Preparing for the Inevitable: It’s Time to Begin Planning for the CCPA
The California Consumer Privacy Act of 2018 (“CCPA”), the most comprehensive privacy law in the United States, is scheduled to take effect on January 1, 2020. Though the CCPA’s protections only apply to California residents, the law will affect businesses across the country. Much is still murky about how the law will be implemented, but it is already clear that companies must start preparing now to comply with the CCPA.
How does a business prepare for the CCPA? The answer to that question is complicated by the fact that the law is still evolving. Indeed, its regulations have yet to be written. That said, given the short time period expected between the publication of these regulations and the implementation of the law, companies should start their preparations to meet the law’s obligations. Initially, companies should consider the threshold question: Will the CCPA apply to my organization?
The CCPA covers for-profit entities (or entities that are controlled by, or control, a for-profit business) wherever they are located if the entity:
- collects and determines the purpose and means of processing personal information of California residents and
- meets one or more of the following criteria:
(1) has annual gross revenues of $25 million
(2) obtains, on an annual basis, personal information of 50,000 or more consumers, households, or devices
(3) derives 50% or more of its annual revenues from selling personal information
If the CCPA, as currently drafted, will apply to your business, you should consider:
- What “personal information” the company collects: The CCPA defines “personal information” much more expansively than the definition of personally identifiable information (PII) that has become common in state data breach statutes. “Personal information” includes any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This definition includes, but is not limited to, a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or similar identifiers.
- How to respond to requests for disclosures: The CCPA grants California consumers the right to request disclosure of the specific pieces of personal information, including the categories of personal information that have been collected about them, the purpose for which it had been collected, and the categories of third parties to whom the information has been disclosed or sold. Answering these questions can prove quite complicated and will likely require most companies to create a process in advance to collect and analyze the necessary information. Companies should use the time before the law goes into effect to ensure that they can respond appropriately to these kinds of requests.
- Shared information with third parties: In some circumstances, consumers will be able to prevent the sale of their personal information to third parties or request deletion of personal information. Indeed, the CCPA contemplates a standard “Do Not Sell My Personal Information” link on company websites. Companies should consider whether any of their current business practices will implicate this provision, consider whether any of their contracts need to be revised to ensure that data transfer is not considered a sale of personal information, and, if necessary, plan how to implement a “do not sell” feature.
The California legislature is considering a series of amendments to the CCPA that may well change how it is implemented and even when it comes into force. At the same time, the California attorney general is working on regulations that will clarify what covered companies need to do to comply with the law. These regulations are expected to be finalized in the fall. Nutter will continue to monitor these developments and will provide further updates as the effective date of the law approaches.
This advisory was prepared by Seth Berman, the leader of Nutter’s Privacy and Data Security practice group, and Sa’adiyah Masoud and Charles Pierre, associates in the firm’s Litigation Department. For more information, please contact Seth or your Nutter attorney at 617.439.2000.
This advisory is for information purposes only and should not be construed as legal advice on any specific facts or circumstances. Under the rules of the Supreme Judicial Court of Massachusetts, this material may be considered as advertising.