by Todd Stanton
This past June, California’s governor signed the California Consumer Privacy Act (CCPA) into law—an early signal that the U.S. is beginning to move closer to the data use and consumer privacy regulations already in place in the European Union. The law doesn’t take effect until Jan. 1, 2020, but businesses are wise to start preparing long before then, even if they’re not headquartered in California.
But first, what does the CCPA actually do?
Essentially, it’s meant to protect California residents from potential data breaches by putting their data in their own hands. The act grants consumers four basic rights in relation to their personal information:
- The right to know what personal information a business has collected about them, where it was sourced from, what it’s being used for, whether it’s being disclosed or sold, and to whom it is being disclosed or sold
- The right to opt out of allowing a business to sell personal information to third parties
- The right to have a business delete personal information (with some exceptions)
- The right to receive equal service and pricing from a business, even if they exercise their privacy rights under the act
Companies have a 45-day window to provide a comprehensive report to consumers who’ve requested their personal information. The reports must stretch back 12 months and cover what data the company has, whether it was sold, and who bought it.
My company isn’t based in California. Does the CCPA still apply?
Of course, the major Silicon Valley tech firms are probably the first to come to mind when considering the CCPA’s rollout. But companies based outside of California, and even those without any physical presence in the state, will still be affected. The CCPA applies to:
- Any company that serves California residents and generates at least $25 million in annual revenue
- Companies that have personal data on at least 50,000 people
- Companies that collect more than half of their revenues from the sale of personal data
The CCPA is also pretty wide-ranging in what’s legally considered “data.” Your name, postal address, Social Security number, biometric information, records of products purchased, browsing and search history, and geolocation data all count, along with plenty of other types of information. Additionally, any profiles created reflecting your preferences, predispositions, or behavior fall under the law.
How can my company prepare for the CCPA?
The first step in preparing for the CCPA 2020 rollout is to determine if the law applies to you. If it does, you’ll need to audit your data collection practices, paying special attention to:
- What you’re collecting
- Where that data is coming from
- How many people you’ve collected data from
You’ll also need a breach response plan. While the CCPA is lighter than the EU’s General Data Protection Regulation (GDPR) when it comes to breach response, it’s still important to be ready. You’ll want all your tracking and procedures in place by 2019. Once consumers start requesting their data on Jan. 1, 2020, the possibility of massive fines and legal fees begins. Businesses have 30 days to comply once regulators notify them of a violation. After that, there are fines of up to $7,500 per record if things aren’t dealt with promptly. Individuals also have the right to sue or join class action lawsuits.
If your business is preparing to comply with the California Consumer Privacy Act of 2018, you’ll need help understanding your risk and responsibilities. Contact Stanton Law at 404.531.2341.