The California Consumer Privacy Act: Are You Ready?

What is it?

The California Consumer Privacy Act (CCPA) is a law enacted by the California legislature on June 28, 2018.  It contains a number of similarities to the European Union’s General Data Privacy Regulation (GDPR).  To date, the CCPA is one of the most comprehensive privacy laws in the United States.  The law becomes effective January 1, 2020 with enforcement slated to start July 1, 2020.

 

Who does it impact?

The CCPA states it may apply to businesses directly or indirectly.  To qualify directly, there must be a for-profit entity doing business in the State of California that meets one of the following requirements:

  1. Has annual gross revenues in excess of $25 million;
  2. Buys, sells or shares for “commercial purposes” personal information of more than 50,000 consumers, households or devices; or,
  3. Derives 50% or more of its annual revenue from the sale of personal information.

To qualify indirectly, an entity must be the parent company or a subsidiary to an entity that directly qualifies and share common branding with that entity.

 

What are the key requirements?

Some of the key requirements related to consumer rights are:

  1. Notice: Businesses must provide notice of categories of personal information collected and how it will be used.
  2. Disclosure: Upon request, businesses must disclose categories of personal information collected, sources of the information, commercial purpose for collecting/selling the information, and third parties with whom the information is shared.  Consumers may request disclosure up to twice annually.
  3. Right to Be Forgotten: Consumers have the right to have all their personal information deleted (with exceptions).
  4. Protection Against Discrimination: Businesses are prohibited from discriminating against consumers who exercise rights under the CCPA.

There are a number of exceptions that apply including, by example, information protected by other California laws and subject to federal preemption.

 

Why should I care?

The CCPA states the law may be enforced by the California Attorney General (the “CAG”) or by private consumers (limited private rights).  The CAG may seek civil penalties up to $7,500 per violation.  Subject to the appropriate period to cure any alleged violation, consumers may seek statutory damages of $100-$750 per incident.[1]

 

How can Seal help?

Time is running out.  Businesses should assess whether the CCPA applies to them and, if so, complete an assessment of the personal information they collect, buy, sell or share (“Collected Information”); the agreements and other documents that authorize the Collected Information; and, the processes for obtaining & storing the Collected Information.  These businesses must also review their third-party contracts to ensure those contracts support CCPA compliance and where they do not, create a remediation plan to amend those contracts.

For most businesses, this means a time- and people-intensive review of large numbers of contracts and other such documents that are typically stored in multiple repositories throughout an organization.  AI tools like the Seal platform can decrease the time and people needed to complete such reviews.  Seal also offers the Data Privacy Insight Accelerator, Seal’s comprehensive answer for data privacy compliance.  By combining contract analytics and legal-AI industry expertise, the Data Privacy Accelerator delivers an unprecedented level of insight and automation into contract compliance and remediation. Whether you are looking for insight into general third-party data privacy and for specific regulatory agreement compliance such as the GDPR and the CCPA, our deep understanding of both the business and regulatory needs associated with data privacy can speed time-to-value.

If you would like to learn more about the remediation process in preparation for CCPA, join our live webinar discussing the CCPA requirements and what it means for your organization.

 

[1] https://www.mercurynews.com/2019/09/04/california-consumer-privacy-act-will-impact-businesses-that-collect-and-receive-personal-data/