What Rights are Granted to Consumers Under the CCPA?
⦿ The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information;
⦿ The right to delete personal information held by businesses and, by extension, a business’s service provider;
⦿ The right to opt out of the sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt-in consent, with a parent or guardian consenting for children under 13.
⦿ The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under the CCPA.
What businesses are covered by the CCPA?
By its terms, the CCPA appears to apply specifically to companies above given revenue levels ($25M) and data collection levels (50,000 records). However, a broad interpretation of these limitations, particularly the records requirement, which includes IP addresses, could implicate a very broad array of businesses of all sizes. How courts will deal with this issue remains to be seen, but the common understanding and practical guidance is that compliance may well be required for the vast majority of businesses collecting information on California consumers.
What Must a Business Do To Comply?
Businesses subject to the CCPA must provide notice to consumers at or before data collection. Businesses must create procedures to respond to requests from consumers to opt-out, know, and delete. (Businesses selling or trading information must provide a “Do Not Sell My Info” page on their website or mobile app to facilitate the opt-out.) Businesses must respond to requests from consumers to know, delete, and opt-out within specific timeframes. Businesses must treat user-enabled privacy browser settings that signal a consumer’s choice to opt-out as a validly submitted opt-out request. Businesses must verify the identity of consumers who make requests to know and to delete, whether or not the consumer maintains a password-protected account with the business. Businesses must explain financial incentives offered in exchange for the retention or sale of a consumer’s personal information and explain how they calculate the value of the personal information. Businesses must also explain how the incentive is permitted under the CCPA. Finally, businesses must maintain records of requests and how they responded for 24 months in order to demonstrate their compliance. In addition, businesses that collect, buy, or sell the personal information of more than 4 million consumers have additional record-keeping and training obligations.
What is involved in the process of bringing my company into compliance?
The CCPA is now one of the most comprehensive privacy laws enacted to date. Compliance can take many forms depending upon the data that your company collects, whether it is sold or traded, and how your company decides to accommodate the individual rights granted to California residents. Our process involves guiding you step by step through investigation, policy making and communication with your customers and, beginning in 2021, employees. The cost and length of the project are highly dependent upon the number of data classes your company has and your decisions as to how you wish to implement the newly established rights. We also review and update your Customer Acquisition Process to help ensure that your policies are properly implemented.
The compliance deadline is January 1, 2020. Am I in trouble and is it too late to comply?
The CCPA grants a set of specific rights to California residents. Only by going through the process of evaluating your data can you determine any specific violation and evaluate your risk. It is not too late to determine your need to comply or to comply if necessary. If there is a need to comply, the longer you wait to bring your company into compliance, the greater the risk of an enforcement action resulting from any failure to do so.