Careers

Experiences

Industries

Offices

Our Firm

Pages

Our People

Updates

Practices

Warner Norcross + Judd LLP is a corporate law firm with over 230 attorneys serving clients in nine offices throughout Michigan. Among the largest law firms in Michigan, Warner works in virtually all areas of business law.

Michigan Law Firm - Warner Norcross + Judd LLP

The California Consumer Privacy Act (CCPA) becomes effective on January 1, 2020. While the governor of California has recently signed into law amendments to the CCPA, the law remains fundamentally unchanged, except now there is a one-year carve out for employment data and business-to-business contact information. Companies should take steps now to ready themselves for the CCPA before the January 1 deadline.&nbsp;

contentpilot/introduction

core/heading

The new law casts a wide net. It applies to any for-profit business (including entities that control or are controlled by the business and share common branding with the business) that:

core/paragraph

core/list

A business that is not directly subject to the CCPA may still have compliance obligations if it handles personal information about California residents or households on behalf of another business. This is because the term “sale” is broadly defined under the CCPA to include any sharing of data with another business or third party for monetary or other valuable consideration. &nbsp;

If a business subject to CCPA uses a third party to handle any personal information about California residents or households, the business must obtain certain contractual promises from the third party so that the third party’s handling of the data will not be deemed a sale for CCPA purposes. Specifically, the contract with the third party must prohibit sale of the information or use in any manner other than to provide the agreed upon services to the business and must also include a certification that the third party understands and will comply with those restrictions.

What Are a Business’s Obligations Under the CCPA?

The CCPA gives California residents certain rights with respect to their data. These rights will vary, depending on whether a business merely collects and processes information about California residents and households or if it also “sells” the information.

Any business that is subject to the CCPA must disclose to California residents at or before the point of collection the categories of personal information that it has collected over the last 12 months, the purposes for which it uses the personal information and with whom it shares the personal information. If the business also sells (or is deemed to be selling) personal information, then it must also disclose the fact that the information may be sold and include a “Do Not Sell My Personal Information” button on the homepage of its website and in its privacy policy.

All businesses subject to CCPA must have a website privacy policy that includes an explanation for California residents of their rights under the CCPA, which are:

The right to request&nbsp;disclosures of data collected about the California resident (also known as the “right to know”).

The right to access&nbsp;the personal information that the business has collected about the California resident.

The right to seek&nbsp;deletion of data that the business has collected, with certain exceptions (also known as the “right to be forgotten”).

The right to opt&nbsp;out of any sale of information—to the extent that the business sells (or is deemed to be selling) personal information.

The right not to be discriminated&nbsp;against with respect to the available goods and services or costs of goods and services if the California resident exercises any rights under the CCPA (also known as the “right to equal services”).

Rather than including the above information (such as a “Do Not Sell My Information” button) on the business’s general website and privacy policy, a business may comply with its disclosure obligations by redirecting California residents to a California-specific home webpage and a California-specific privacy policy. &nbsp;

If a California resident seeks to exercise any of his or her rights, the business must generally respond free of charge within 45 days – which includes any time needed to verify that the request is legitimate. The 45-day deadline can be extended an additional 45 days, provided the business provides notice to the individual within the original 45-day time period.

For steps on preparing your organization for the CCPA, read “<a href="https://www.wnj.com/Publications/How-to-Prepare-for-the-CCPA">How to Prepare for the CCPA</a>.”

Partner

Kelly R. Hollingsworth

Cybersecurity and Privacy

Data Analytics and eDiscovery

Data and Information Governance

An Overview of the CCPA

Warner Norcross + Judd LLP is responsible for the contents of our advertising and this website. Please read our full <a href="/privacy-policy/" aria-label="see privacy policy">privacy policy</a> available on our website. If you have any questions or comments about our website or our Privacy Policy please contact us at <a href="mailto:info@wnj.com">info@wnj.com</a> or 616.752.2000.

An Overview of the CCPA

professionals