Oh, Say Can You CCPA

Does your company collect personal information on California residents and meet ANY of the following criteria?

1. Annual gross revenue in excess of $25 million.

2. Individually, or combined with affiliates, buys, sells, or shares the personal information of 50,000 or more consumers, households, or devices.

3. Derives 50% or more of its annual revenue from the sale of consumers’ personal information.

If so, say hello to the California Consumer Privacy Act – considered to be the strictest data privacy law in the United States – which you will be subject to beginning on January 1, 2020.

What Does This Mean?

Businesses that fall within the CCPA’s orbit must have policies in place to manage a litany of new consumer requests, including:

  1. Disclosure – You must reveal to consumers the categories of personal information collected, sold, or shared.
  2. Access – You must provide consumers with a copy of the personal data you have collected.
  3. Deletion – Unless a limited exception applies, you must delete a consumer’s information upon request.
  4. Prohibition on Sale – You must cease the sale of a consumer’s information if that consumer requests the information not be sold.
  5. Notice – Your websites must notify consumers of new rights under the CPA with a link labeled “Do Not Sell My Personal Information” and provide more detailed notices of collection and sharing practices in your privacy policies.
  6. Antidiscrimination – You may need to change your loyalty or rewards programs to ensure that you are not discriminating against consumers who invoke their CCPA rights.
  7. Verification of Consumer Requests – Before responding to any consumer’s CCPA request, you must have processes in place to verify and authenticate consumers’ identities (otherwise, failure to verify identities could result in an inadvertent data breach).

But My Company Is Covered Under GLBA/HIPAA

While the CCPA carves out personal information collected or processed pursuant to GLBA, HIPAA and other federal privacy laws, it still applies to data collected for other purposes (i.e. marketing data, information collected via websites, etc.). Many businesses have assumed that because they are also governed by other privacy laws, the CCPA would not apply - this is incorrect.

What Should My Company Do?

Contact Michelman & Robinson. We have the policies and tools to help you easily meet the CCPA’s new compliance obligations. Likewise, we can keep you apprised of pending amendments to the CCPA that look to expand the civil right of action for damages so that it applies to any consumer whose rights under the Act are violated.

This blog post is not offered as, and should not be relied on as, legal advice. You should consult an attorney for guidance in specific situations.