CCPA Becomes Effective January 1, 2020

The California Consumer Privacy Act (“CCPA”) goes into effect on January 1, 2020. Many of our clients who are subject to this wide-ranging law have been moving forward to come into compliance. Even though the CCPA will not be enforced until July 1, 2020, complying is a complex and time-consuming process. The devil is in the details, of which there are many – and even with the recent amendments, the details are not final, since the California Attorney General recently released draft regulations that would change those details and make compliance considerably more onerous.

If your company is subject to the CCPA and fails to comply, it may be subject to enforcement actions by both the government and private litigants. The California Attorney General is authorized to pursue injunctive relief and civil penalties of up to $7,500 per violation. In addition, the CCPA provides consumers, either individually or as a class, with a private right of action that permits recovery of statutory damages between $100 and $750 per consumer per incident, or actual damages, whichever is greater.

For those who have not yet taken steps to comply with the CCPA, those who think they have done enough to comply, and those who are not even sure whether they need to comply, following is a high-level list of some of the things you need to be thinking about and steps you may need to be taking.

1. Determine whether your organization is subject to the CCPA. This analysis is not just a matter of meeting a financial threshold. Your company may be subject to the CCPA if, among other things, it “collects” or “sells” personal information of 50,000 or more individuals, households or devices. “Personal information” is very broadly defined and includes items of information that you might not anticipate, including a person’s browsing activity. “Collecting” includes passively accessing someone’s online behavior. Even if you have a purely informational site, you may still be subject to the CCPA if you get 50,000 unique hits a year from California residents. (Geoblocking to block users located in California won’t help because the CCPA covers California residents who are outside of the state.) The definition of “selling” also is very broad: it includes almost any transfer of personal information for money or other valuable consideration. Providing your customers’ browsing history to a third-party ad network to facilitate the retargeting of ads to those customers, for example, arguably constitutes “selling” under the CCPA.
2. Determine whether exemptions apply. Assess whether your company’s processing of personal information falls into one of the statutory exemptions and whether any categories of personal data that you collect may be subject to statutory exclusions.
3. Map the personal data you collect, if you have not already done so. The CCPA entitles consumers to contact businesses to see what personal information the business has collected about them and request that the business delete their personal information. You must respond to a “data subject access request” (“DSAR”) within 45 days. Consumers also may opt out of the sale of their personal information. Your company will not be able to comply with these requirements unless you know what “personal information” your company collects, who has access to it, how it is used, and where it is within the company’s systems.
4. If possible, stop “selling” personal information. If your company does not actually depend on data monetization, your best bet is to stop “selling” personal information, as the CCPA defines it. Deciding to do this requires communicating with your vendors and updating your agreements with them to ensure that they are not engaging in activities that could constitute “selling” personal information that could be attributed to you (if they agree to such terms).
5. Set up a DSAR response procedure. Even if your company is just “collecting” and not “selling” personal information, you need to set up a detailed procedure for receiving and responding to DSARs within 45 days, as the statute requires, because it is virtually certain that, come January 1^st, those requests will start to come in. Among other things, you need to offer consumers two ways to make these requests. The statute offers some bases for denying a DSAR, but you need to be very sure that you are on firm legal ground before you do that (and even then, denying a request may still not be the best way to respond).
6. Establish a DSAR authentication process. You need to set up a procedure for verifying the identity of consumers who submit DSARs. People making DSARs may not be the people who they claim to be, and if your company provides Jane Smith’s personal information in response to a DSAR that does not actually come from Jane Smith, that in and of itself will be a violation of privacy laws.
7. Review and update your vendor agreements. In addition to the nature of the activity, whether a transfer of personal information constitutes a “sale” also will depend on whether the recipient of that data is a “third party” or a “service provider.” The statutory definition of “service provider” is very specific. You need to analyze which business partners may qualify as “service providers” and prepare appropriate amendments to your existing contracts with those vendors (or, if you are going to stop “selling” completely, you need to update your contracts to provide for that).
8. Update your privacy notice. The different sections of the CCPA impose very detailed notice requirements even if your company is just “collecting” and not “selling” personal information. For example, you need to disclose not only the categories of personal information that you collect, which presumably are already listed in your privacy notice, but also the categories of the sources from which you collect that personal information, such as advertisers or browsing activity on your site.
9. Set up an opt-out button and workflow. If you are “selling” personal information, you must put a button on your home page that says DO NOT SELL MY PERSONAL INFORMATION and figure out how to automate and streamline opt-out requests. Once the CCPA takes effect on January 1, 2020, it is absolutely certain that people will start to click on that button. You also will need to determine how to notify your downstream partners of specific deletion requests and make appropriate contractual adjustments.
10. Train your employees. The CCPA requires that anyone and everyone who is going to be involved in handling DSARs and opt-out requests know what the law requires in terms of compliance.
11. DOCUMENT EVERYTHING. Every step of the way, you need to document your actions and decisions, in case you have to justify your decisions to an individual seeking information or their attorney, a consumer advocate, or in the worst-case scenario, the California Attorney General.