Teaser: The California Consumer Protection Act (CCPA) becomes effective January 1, 2020. Failure to comply with this Act risks regulatory and private action including fines of $2,500 per violation. The Act defines a consumer as a California resident, which includes your employees. We recommend a five-step plan for your business.

The California Consumer Protection Act (CCPA) becomes effective January 1, 2020. The information below is a simplified overview of the law. It provides you with a checklist of actions to take now so that you comply with the law.

First, the Act defines a consumer as a California resident, which includes your employees.

Second, the Act seeks to protect all personal information collected by a company or software program regarding a consumer. Personal information includes, at minimum, any data collected that can be uniquely linked to a person. In the case of your employees, personal information is a social security number, employment history, and a person’s name. In the case of your customers, personal information includes, at least, records of personal property, device numbers, and purchasing history.

Third, the Act applies to all businesses that collect personal information in California and that:

  • Generate gross revenues over $25 million,
  • Alone or in combination, annually buy, receive, sell, or share the personal information of 50,000 consumers, households, or devices, or
  • Derive more than 50% of their annual revenues from selling personal information.

The purpose of this new law is two-fold:

  1. Codify the rights of consumers as to the use and storage of their personal information, and
  2. Require data collectors to increase their security measures to prevent breaches.

It is important that businesses create a data privacy implementation plan that complies with the Act. This includes:

  • Mechanisms for providing consumers at or before the point of data collection (e.g. making an order, or onboarding an employee) with a description of what information will be collected, how that information may be used, the identification of any third parties using the information collected,
  • Information about the consumer’s rights including:
    • The right to the information collected,
    • Copies of the information collected,
    • The right to request deletion of the information collected,
    • The consumer’s ability to opt in or out of the sale of the information collected,
    • Whether financial incentives are provided by your business or the third parties you may contract with regarding the information collected,
  • Mechanisms for annually auditing these policies,
  • Mechanisms for submitting requests to exercise rights (the bullets above) via a telephone number or website address, and
  • A link to a Do Not Sell policy that consumers can take advantage of when exercising their rights.

When a consumer submits a request to exercise any or all of their rights as listed above, businesses need to:

  • Verify the identity of the consumer making the request,
  • Deliver the information requested free of charge via mail or electronically, and
  • Deliver the information requested within 45 days of the request.

You are not required to do this more than twice in a 12-month period per consumer.

Failure to comply with this Act risks regulatory and private action. The State Attorney General’s office has established fines of up to $2,500 per violation and up to $7,500 per violation if the violation is deemed intentional. In addition, the Act provides consumers with individual rights, outside of what the State’s office may bring, to sue in court.

So, we recommend at least the following next steps:

  1. Review your existing security policies and procedures to see if they comply with the Act effective Jan. 1, 2020,
  2. Draft updates to these policies as necessary,
  3. Send us a draft of these policies to assist you in compliance,
  4. Begin educating the customer-facing employees, as well as those specific employees who focus on or work with employee personal information, about the Act and your compliance measures, and
  5. Annually review these policies.

Note that the law is likely to be amended, and as courts interpret the law over time, you may have ongoing compliance requirements. Additionally, we will watch the State Attorney General’s office for guidance documents on how businesses can comply with the law.

We at Garcia & Gurney are happy to assist you and can be reached at (925) 468-0400. Contact our office in Pleasanton, CA today.

Disclaimer: The contents of this article should not be construed as legal advice. This article is not an exhaustive list of issues that may arise in the operations of a business. Businesses should seek the assistance of an attorney who will analyze multiple factors unique to each kind and size of business.