California Consumer Privacy Act (CCPA)
Key Considerations
The CCPA went into effect on January 1, 2020 and requires businesses to provide California consumers several new privacy rights, including:
- The right to know what information has been collected, how such data is used, and with whom it is shared;
- The right to opt-out of the sale of personal information;
- The right to delete personal information;
- The right to data portability; and
- The right not to be discriminated against for exercising data privacy rights.
Achieving compliance requires both internal and external changes. Internally, the way your company collects, processes, shares, retains, and disposes of data must be reviewed. Externally, your privacy policy must be updated to include the CCPA's required elements and provide consumers mechanisms for exercising their rights.
Whether your business is subject to the CCPA depends on a number of factors, including how much revenue your company generates, how much personal information you collect, and whether your company "sells" personal information. Many SMBs, especially those who do business with Californians or have an online presence, are affected.
Determining whether your company is a "business" or a "service provider" as defined by the CCPA is critical. The analysis is not always straightforward, and many common business relationships blur the lines, which makes determining the scope of your company's actual responsibilities more complex.
Likewise, whether your company "sells" personal information (basically, transfers personal information to a third party for commercial value) or whether your company's sharing of personal information falls within an exception to sale is often difficult to determine without a thorough analysis.
In either case, your commercial agreements with third parties, including customers and vendors, may require added language to allocate CCPA and other data privacy related risks and responsibilities. Often these can be in the form of service provider agreements or data processing addendums.
Before processing privacy requests by covered consumers, you must implement certain methods to verify the identity of requesting consumers. The manner and timing in which you respond to requests are important and governed by law. Several indications suggest that the CCPA will be aggressively enforced by the Attorney General.
Given several ambiguities in the statutory language, uncertainties about how the law will be enforced, and the added regulations promulgated by the California Attorney General, interpreting and applying the CCPA to your business may be more challenging than anticipated.
Our approach is to find the least burdensome path to compliance while ensuring your company is protected from regulatory penalties. Please contact us today for a free consultation and assessment.
We work with businesses in all industries, including other professional services firms that handle highly sensitive personal information.
Have questions or want more information? Call (248) 579-9537 for a free consult.