How to comply with the California Consumer Privacy Act (CCPA)

20 November 2019

The California Consumer Privacy Act (CCPA) goes into effect 1 January 2020. The Act, officially called AB-375, provides significant protections for consumer privacy in California. It will also affect many if not most U.S. businesses and indeed many companies worldwide. It takes a strict view of what constitutes private data and provides for a variety of penalties, some of them severe.

The U.S. lacks a national privacy act comparable to the European Union’s General Data Protection Regulation (GDPR). As a result, companies doing business with U.S. consumers are confronted with a range of state regulations governing data breaches, privacy and other related issues.

Of these state regulations, the CCPA is the most significant because of the power it gives consumers in controlling their own data, its penalties, and California’s large population and outsize economic significance. (If California were a country, it would be the fifth largest economy in the world, between Germany and the UK.)

The basic requirements of the CCPA

Under the CCPA, any California consumer can demand a record of all personal information a company has collected relating to them over the preceding 12 months, as well as any third-party companies that have had access to that information.

Businesses must inform all California consumers what their rights are under the Act, what categories of personal information they collect, the purposes for which it is collected, and what categories of private information they have sold or disclosed in the preceding 12 months. A business can accomplish this using its company website.

A new policy must be drafted carefully to be compliant with the new legislation. CCPA ecommerce privacy policies must include, for example, required disclosures that go beyond those required in existing California statute. A number of new specific elements will need to be referenced, including, for example, an explanation of consumer rights with regard to the CCPA, the business purpose of the information collected, categories of third parties that you share personal information with, and additional elements.

What businesses are affected?

The Act applies to for-profit organizations that do business in California, collect personal information and have at least one of the following qualifications:

  • Have gross annual revenues over $25 million
  • Annually receive or disclose personal information of 50,000 or more California residents
  • Derive 50 percent or more of annual revenues from selling California residents’ personal information

Many non-California businesses based inside or outside the U.S. will meet these requirements. If your company is in doubt about whether it meets the revenue threshold, you should conduct an audit to make a firm determination.

Penalties and curing the breach

For intentional violations of the Act, California’s attorney general can impose civil penalties of up to $7,500 per violation.

The Act also provides for a private right of action for violations of the law’s data security requirements. This allows consumers — individually or as part of a class — to seek statutory damages of $100 to $750 per consumer per incident, even if there was no breach. While the attorney general’s ability to impose civil penalties is typical of state data breach laws, this private right of action is not typical and should be noted well by companies doing business in California.

A consumer seeking statutory damages must provide the business 30 days’ notice of intent to sue before filing. If the business can demonstrate that it has cured the violation within 30 days of receiving the notice, and so informs the consumer, the consumer can then sue only for actual damages, a much higher standard.

The possibility of statutory class actions for violations, combined with as-yet-undefined standards for what will constitute an adequate cure, will result in significant litigation risk.

Steps you should take to prepare

In order to respond properly to consumer requests for information, your business will need to document internally:

  • How personal data is obtained
  • How it flows
  • Who it is shared with and under what conditions
  • How it is stored
  • How it is deleted or disposed of

You will also need to review any third party that data is shared with, review the third-party contracts, and mutually agree on amendments to cover the new requirements.

Review of your internal data controls and processes may reveal a wide variety of databases where personal information is stored. For example, marketing departments collect data on consumer behaviour in order to refine websites, emails and campaigns, and this may be separate from other operations. Ensuring that the report to the consumer is timely and complete may require significant work from IT.

At the same time, you must be able to reliably confirm that the individual making the request is the consumer whose data you are providing, and have response processes in place in the event of a misidentification.

You will also need to provide means for consumers to opt out of the sale of their information to third parties and ensure that you can manage the data of these consumers differently than the rest.

You may offer price discounts for those who allow their information to be shared. However, you can’t price-differentiate between people who have made a request for a report and those who have not.

None of this will be easy

Few companies are likely to be fully compliant with the Act by 1 January. That said, delaying compliance will increase the risks of financial and reputational damage, and we recommend putting related policies and procedures in place as soon as possible. Since a number of other U.S. states are basing their own proposed privacy acts on California’s new regulation, businesses that prepare early and well for the CCPA will be in a good position to comply with those other laws.