The California Consumer Privacy Act (CCPA) is set to take effect January 1, 2020, with enforcement beginning July 1, 2020. If you do business or have customers (or potential customers) in California, and you meet one of the following criteria, your company must conform to CCPA regulations:
- Your annual gross revenue is more than $25 million.
- Your organization receives, shares, or sells personal information of more than 50,000 individuals.
- Your company earns 50% or more of its annual revenue from selling personal information of consumers.
The CCPA will enable individuals to take a more active role in monitoring and protecting their personal information:
- Businesses must inform consumers of their intent to collect personal information.
- Consumers have the right to know what personal information a company has collected, where the data came from, how it will be used, and with whom it’s shared.
- Consumers have the right to prevent businesses from selling their personal information to third parties.
- Consumers can request businesses to remove the personal information that the business has on them.
- Businesses are prohibited from charging consumers different prices or refusing service, even if the consumer exercised their privacy rights.
For businesses that will be required to comply with the CCPA, it is imperative to work with legal counsel now to implement strategies that ease the burden of the new law:
- Evaluate your business’ current capabilities by identifying and classifying personal data.
- Review your company’s data-governance capabilities.
- Create a strategy to monetize data in a way that meets CCPA privacy regulations.
- Take stock of your business’ privacy controls. Then prioritize the processes and technologies that need to be updated.
- Be proactive and set up a CCPA program management office to handle regulations accountability, remediation, and implementation.
- Implement regulation monitoring procedures to ensure your business continues to be in compliance.
Given the CCPA’s comprehensive information privacy requirements and extensive reach, businesses need to take a hard look at their personal data-governance capabilities and processes. For many, CCPA compliance will require sweeping changes.
The information presented is not intended to be, and does not constitute, “legal advice.” Because each situation varies, and only brief summary information is provided here, you should not use this information as a basis for action unless you have independently verified with your own counsel that it applies to your particular situation.