Business Owners: Your Grace Period for Compliance with the California Consumer Protection Act Ends July 1
On January 1, 2020, the California Consumer Protection Act (Act) became effective, securing private rights of action for California consumers and residents, and separate opportunities for the state to bring legal action against your business. In our blog published on October 4, 2019 and found here, we provide an overview of the Act, your obligations as a business owner, and the consequences for failing to comply. In a nutshell, the Act provides consumers with i) the right to know what data is being collected about them while they are on your website, ii) the right to request that their data be deleted from your data collection process, and iii) the right to opt out of the sale of their data to third parties.
Two important details for business owners
There are two important details for you to know and prepare for in your business this week:
- The state’s six-month grace period for enforcement of the Act expires on July 1, 2020. If your business is subject to the Act (read more at our blog linked above), then you need to ensure your website is in compliance with the Act immediately!
The State Attorney General’s office has established fines of up to $2,500 per violation and up to $7,500 per violation if the violation is deemed intentional. Businesses that are in violation of the Act will receive notices from the Office of the California Attorney General and be given a 30-day period to correct such violations. Failure to comply with the Act risks regulatory action and fines. In addition, the Act provides consumers with individual rights, outside of what the State’s Office may bring, to sue in court.
Silicon Valley giants like Zoom have already been sued under the Act for data breaches and violations of consumers’ personal information. Do not leave your business vulnerable to regulatory or private litigation. See below for our recommended next steps for your business.
- The Office of the California Attorney General has proposed additional revisions to the Act which are currently under a 90-day consideration period by the California Office of Administrative Law. A few of the revisions since the Act went into effect (all of which can be found at this link) include:
- TIP: The notice could easily be a popup or banner alerting visitors when they arrive at your website.
- Use the state’s designated “Do not sell” language on your website.
- TIP: Use this language as a button where consumers can opt out and have that button link to a form that allows the consumer to fill out information opting out of your use, sharing or selling of their information.
- Businesses are required to maintain a record of consumer requests to opt out for at least 24 months.
- TIP: Have your website administrator/designer set up an automatically generated database.
Recommended next steps
- Review your existing security policies and procedures to see if they comply with the Act.
- Draft updates to these policies as necessary.
- Send us a draft of these policies to assist you in compliance.
- Begin educating customer-facing employees, as well as those specific employees who focus on or work with employee personal information, about the Act and your compliance measures.
- Annually review these policies.
Note that the law is likely to be amended as the state and courts interpret it over time. You may have ongoing compliance requirements.
Contact Garcia & Gurney in Pleasanton to learn more
We at Garcia & Gurney are happy to assist you and can be reached at (925) 468-0400. You can also contact us by using our online form.
Disclaimer: The contents of this article should not be construed as legal advice. This article is not an exhaustive list of issues that may arise in the operations of a business. Businesses should seek the assistance of an attorney who will analyze multiple factors unique to each kind and size of business.