CCPA Enforcement – How to Prepare for the July Deadline

July 1, 2020 is fast approaching and with it, the California Consumer Privacy Act of 2018 (CCPA) deadline. Despite all of the issues that businesses are facing with the COVID-19 pandemic, the California State Attorney General remains committed to an enforcement date of July 1, 2020. It’s estimated that the CCPA will impact about 75% of California businesses. The Attorney General may enforce CCPA violations after a 30-day notice and cure period, seeking penalties of up to $2,500 per violation, or up to $7,500 per intentional violation. While the definition of a “violation” under the CCPA is not entirely clear, it is possible that each consumer and each request under the CCPA will be individually treated as a “violation.”

For example, if a business fails to provide adequate notice when it collects Personal Information, and it collects the Personal Information of 2,000 consumers before revising its notice procedure, the statutory penalty could be up to $5 million. That is a crushing blow to any vendor.

Therefore, time is of the essence for companies to make final preparations for the possibility of CCPA enforcement beginning in July.

Key Considerations

Privacy Notice and Website Terms

  • Businesses must provide sufficient notices to a consumer identifying categories of Personal Information and disclose their practices around the collection, use, and sharing or potential sale of the Personal Information, as well as:
    • The categories of sources from which the personal information is collected may include: advertising networks, Internet Service Providers, data analytic providers, government entities, social networks and data brokers
    • The commercial or business purpose for which the personal information was collected or sold
  • Additional requirements include things like: description of the consumer’s rights, how the consumer can exercise those rights, methods by which the business will verify the consumers’ identity and how consumers can opt-out of the sale of their information
  • If the business sells Personal Information, it is required to post a “Do Not Sell My Personal Information” link to allow consumers to opt-out of the sale of their information as well as:
    • An explanation that consumers have the right to opt-out of the sale of their personal information, and include (on their websites, at their physical location points of sale, and/or in their apps) contents of the notice of the right to opt-out or a link to the notice and
    • Instructions on how authorized agents can exercise rights on behalf of consumers
  • Notification that consumers have the right to request that their personal information be deleted, and instructions on how to submit a verifiable consumer request to delete such information
  • Disclosures should cover the past 12 months and be updated every 12 months at least – sometimes more frequently to account for any new practices
  • All of these disclosures must be presented in plain, straightforward language that is easy to read and understandable to consumers
  • Additionally, CCPA Privacy Policies must be reasonably accessible to consumers with disabilities as outlined in version 2.1 of the Web Content Accessibility Guidelines (“WCAG”)

Data Inventory

  • The CCPA provides all California consumers the right to know what Personal Information related to the consumer is held by a business and the categories of third parties to whom the business has disclosed or sold such Personal Information
  • Businesses should maintain a data inventory, updated regularly, to ensure that they can fully and accurately respond to requests

Internal Processes and Training

  • In order for a business to respond to consumer requests accurately and in a timely manner, a business should train their employee(s) who are responsible for responding to such requests per internal policies
  • Businesses should implement appropriate internal protocols to make the process more efficient and consistent so that no deadlines are missed and all responses are complete
  • This requires a well-documented, detailed process with employee training and certification of acknowledgment of process

Implement Proper Security Practices

  • Under CCPA, California consumers now have a private right of action for breaches of their Personal Information that are due to a company’s failure to maintain and implement “reasonable security procedures and practices”
  • Proof of actual damage is not required for recovery and consumers may recover the greater of their actual damages or up to $750 per consumer per incident in statutory damages
  • To mitigate the risk of liability, businesses should ensure that they have appropriate practices for the storage and destruction of Personal Information

Review Third Party Agreements

  • If a business discloses Personal Information of consumers to service providers, contracts with third parties should include CCPA specific provisions as well as:
    • The categories of personal information that businesses have disclosed for business purposes, or sold to third parties, in the preceding 12 months. For each category of personal information, businesses must provide the categories of third parties that the information was disclosed or sold to
  • The third party should agree by contract to not retain, use or disclose Personal Information other than for the specific purposes specified in the contract
  • Agreements may also include provisions around assisting with consumer rights requests, safeguarding all information received, and reporting data breaches in an efficient manner

Bottom Line

Updating online privacy policies, reviewing third party agreements and building out an internal CCPA policy and information security framework are the required steps that must be taken towards achieving CCPA compliance. Businesses should consult with experienced data privacy attorneys in this process in order to avoid a California Attorney General’s Office investigation. And…act quickly in doing so.