The California Consumer Privacy Act (CCPA) becomes effective on January 1, 2020. While the governor of California has recently signed into law amendments to the CCPA, the law remains fundamentally unchanged, except now there is a one-year carve out for employment data and business-to-business contact information. Companies should take steps now to ready themselves for the CCPA before the January 1 deadline.
Who Must Comply With the CCPA?
The new law casts a wide net. It applies to any for-profit business (including entities that control or are controlled by the business and share common branding with the business) that:
A business that is not directly subject to the CCPA may still have compliance obligations if it handles personal information about California residents or households on behalf of another business. This is because the term “sale” is broadly defined under the CCPA to include any sharing of data with another business or third party for monetary or other valuable consideration.
If a business subject to CCPA uses a third party to handle any personal information about California residents or households, the business must obtain certain contractual promises from the third party so that the third party’s handling of the data will not be deemed a sale for CCPA purposes. Specifically, the contract with the third party must prohibit sale of the information or use in any manner other than to provide the agreed upon services to the business and must also include a certification that the third party understands and will comply with those restrictions.
What Are a Business’s Obligations Under the CCPA?
The CCPA gives California residents certain rights with respect to their data. These rights will vary, depending on whether a business merely collects and processes information about California residents and households or if it also “sells” the information.
The right to request
disclosures of data collected about the California resident (also known as the “right to know”).
The right to access
the personal information that the business has collected about the California resident.
The right to seek
deletion of data that the business has collected, with certain exceptions (also known as the “right to be forgotten”).
The right to opt
out of any sale of information—to the extent that the business sells (or is deemed to be selling) personal information.
The right not to be discriminated
against with respect to the available goods and services or costs of goods and services if the California resident exercises any rights under the CCPA (also known as the “right to equal services”).
If a California resident seeks to exercise any of his or her rights, the business must generally respond free of charge within 45 days – which includes any time needed to verify that the request is legitimate. The 45-day deadline can be extended an additional 45 days, provided the business provides notice to the individual within the original 45-day time period.
For steps on preparing your organization for the CCPA, read “How to Prepare for the CCPA