Below is a piece I put together with Dayle Duran, CIPP/US, a contributing DMC Law blog author, as a brief guide to key aspects of the CCPA. Of course, the CCPA is a complex set of rules and requirements, so this post is intended only to be a very basic and high-level overview of important considerations.
Enforcement of the California Consumer Privacy Act (CCPA) began on July 1, 2020. What does your business need to do to be ready?
1. Determine whether the CCPA applies to your business. Does your for-profit organization: collect the personal information of California residents AND bring in an annual gross revenue of $25 million or more OR collect, sell, or share for commercial purposes the personal information of 50,000 or more consumers, households or devices OR derive 50% or more of annual gross revenue from selling consumer information?
2. Identify whether your business collects personal information. The CCPA broadly defines personal information as any information that identifies or could reasonably be linked to a person. This includes but is not limited to: name; alias; email or postal address; account name; SSN; driver’s license or passport number; professional or employment information; unique personal identifiers such as cookies, browsing history, web tracking data, and IP addresses; geolocation data; and biometric information.
3. Provide required notices. Depending on the information your business collects and how it uses that information, it must provide notices to consumers disclosing those uses and making clear the applicable consumer rights. Businesses must fully understand the types of data they collect and how they use (including sharing and selling) that data to determine the types of notices required. Whether or not the CCPA applies to your business, it is always a good idea to revise and update your online privacy notice to anticipate questions your consumers may have regarding your organization’s privacy practices.
4. Create a process for addressing consumer requests. Be sure to designate a point person to receive, track and oversee the response to consumer requests that your business may receive. This person must understand your organization’s responsibilities under the CCPA, even if it means simply telling consumers the law is not applicable. Also, provide consumers with appropriate methods to contact your business with questions or requests relating to their personal information (e.g., email address, online request form, telephone number, etc.).
5. Be aware of additional requirements for “selling” data and offering financial incentives in exchange for personal information. The CCPA broadly defines the “sale” of data. If your business is getting something of value in return for the data, it could be engaging in a sale. Businesses that “sell” personal information must follow specific notice and consent rules and must provide a conspicuous “Do Not Sell My Info” link on their home page. If your business provides any financial incentives to consumers in exchange for personal information, special notice and consent rules apply.
6. Determine whether any contractual agreements require your business to comply with CCPA provisions. Even if your business is not required to comply with the CCPA by law, you may do business with an organization that contractually requires your compliance with CCPA rules. Review your agreements carefully to understand your obligations fully.
7. Train your employees. Train your employees on relevant provisions of the CCPA. All individuals responsible for handling consumer inquiries about your business’s privacy practices as well as those responsible for CCPA compliance must receive training. The CCPA does not indicate whether this training should occur once or on an ongoing basis. As a best practice, your business should provide recurring CCPA training, as well as general privacy training.