Article August 16, 2019

Four things you should know about the CCPA

The California Consumer Privacy Act (CCPA) is intended to give Californians the ‘who, what, where, and when’ of how businesses handle personal information.

Signed into law last year, the act puts the onus on certain types of businesses who collect, share, and sell the personal information of its consumers. Here are the answers to a few of the most frequently asked questions about it.

1. When does the act come into force?

The CCPA is currently set to come into force on 1 January, 2020.

2. Who does it apply to?

The CCPA applies to for-profit entities that collect and process the personal information of California residents and do business in the State of California. In addition, a business must fit one of the following criteria in order for the CCPA to apply to them: the business generates annual gross revenue in excess of $25 million; the business receives or shares the personal information of 50,000 or more California residents, households or devices on an annual basis; or the business derives 50% or more of its annual revenues from selling the personal information of California residents.

It doesn’t appear that a business would need a physical presence in California in order for the act to apply, only that it makes sales in the state.

3. What does the act do?

The CCPA gives consumers (defined as California residents) the right to know, the right to say no and the right to protections when it comes to their personal data. Here are five basics that the act covers:  

Knowledge: Consumers have a right to know what personal information is being collected from them, how its being collected and what it is being used for

Sale of personal information: Consumers must have the option to opt-out of having their personal information sold to a third party

Personal information removal: Consumers may request that a business deletes their personal information

Service equality: A business cannot discriminate against a consumer who exercises his or her rights under the CCPA

Private right of action: Consumers will have a private right of action in the event their personal information is compromised and will be able to recover between $100 and $750 in statutory damages

4. What does a business need to do in order to comply?

Privacy specialist Centrl has put together a handy checklist to get companies started on the various actions they’ll need to take. Although not an exhaustive list, here’s a summary of the main responsibilities:

  • Identify what kinds of personal information is being collected by your business.
  • Understand how this information is used, confirm if it is sold to or shared with third parties, and the purpose of that sharing.
  • Review internal policies and procedures regarding the collection of personal information.
  • Review and update your internal and online privacy policies to comply with the requirements of the CCPA.
  • Prepare policies and procedures to ensure your business can respond to consumer requests for access to, deletion from, or information related to the sale or disclosure of their personal information.
  • Ensure you have technological solutions in place that can process the consumer requests you receive.
  • Carry out staff training, especially for personnel who will be responsible for handling consumer personal information inquiries.
  • Review your contracts with third parties to whom you supply consumer personal information to.
  • Conduct third party audits on service providers who have access to your consumer personal information to ensure compliance with the CCPA.

There are number or resources available to help you get up to speed with the CCPA. Please find a selection below:

Californians for Consumer Privacy website
California Privacy Law, Third Edition