CCPA Compliance: What Your Company Needs to Know
Any company that does business in California should evaluate its obligations to comply with the California Consumer Privacy Act (CCPA). Enacted in response to a growing concern regarding data privacy, the CCPA provides California residents with rights to the data that companies collect about them. The effective date of the CCPA was January 1, 2020. Unfortunately, the California State Legislature rushed the CCPA into law with broad language and limited guidance. Thus, it is crucial for companies doing business in California to understand how to comply with the CCPA. While the CCPA only applies to California residents, it is expected that similar laws will be enacted in other states in the coming years.
Three Important Steps to Mitigate CCPA Liability
1. Determine Whether the CCPA Applies to Your Company
The CCPA applies to for-profit entities doing business in California that collect or process personal information on customers and meet at least one of the following criteria:
- Generate annual gross revenue of $25,000,000; or
- Alone, or in combination, annually buy, receive, sell, or share the personal information of 50,000 or more consumers (that are California residents), households, or devices for commercial purposes; or
- Derive 50% or more of their annual revenue from selling consumers’ personal information.
There is a common misconception that a company is exempt from complying with the CCPA if it complies with other federal privacy laws, such as the Gramm-Leach-Bliley Act (“GLBA”) or the Health Insurance Portability and Accountability Act (“HIPAA”). This is not entirely accurate.
Many categories of consumer information typically collected by companies (such as biometric data, geographic data, and internet activity information) are arguably not subject to GLBA and HIPAA but likely fall within the purview of the CCPA. Further, many companies are not subject to the GLBA or HIPAA but may be subject to the CCPA. Accordingly, complying with the CCPA would be the most efficient way to handle the data on such accounts.
3. Devise a Strategy in Response to “Verifiable Consumer Requests”
There are two key consumer protection features of the CCPA: (1) consumers have the right to request disclosure of what data is being collected about them; and (2) consumers have the right to request that their information be deleted. Companies should be ready to respond to such requests immediately. The law requires that a company respond to requests for information or deletion within 45 days (with one 45-day extension).
Notably, a company must only respond to a “verifiable consumer request.” Thus, it is crucial that a company be able to verify the consumer’s identity before responding. Further, companies are exempt from responding to a “verifiable consumer request” to the extent that the request seeks:
- Data needed to complete a transaction;
- Data necessary to comply with legal obligations; and
- Data used in a lawful manner that is compatible with the context in which the consumer provided the information.
Every company doing business in California should immediately implement a strategy for responding to such consumer requests for disclosure or deletion in a manner that conforms to the law. While individual review of each consumer request is required, if your company anticipates that its responses to consumer requests will be identical, templates for responding to consumer requests in writing, and scripts for responding to consumer requests by phone, may be a prudent way to ensure consistency.