For over a year now, companies throughout California, and across the globe, have been taking steps to comply with a host of new data privacy protections required by the California Consumer Privacy Act (CCPA).  In effect since January 1, 2020, CCPA now comes of age on July 1st, when the California Attorney General (AG) will begin enforcement.  The AG was not persuaded by requests from the advertising and marketing industry to delay enforcement.

What is enforcement going to mean, exactly, and how do you prepare for it?  Here are a few things to be aware of and steps you can take to reckon with CCPA in the coming weeks and months.

The Basics

If you are new to CCPA, learn more about the big picture here. If you’re not sure whether CCPA applies to your business, you can learn more here.  Be sure to consider how easy it might be to meet the threshold of holding data for 50,000 consumers (which is just one of the ways CCPA might apply to your business).  If your website is visited by an average of only 140 unique individuals each day, and you collect personal information about those visitors, directly or indirectly, you may be obligated to comply with CCPA.

Every covered business will need, at a minimum:

• A CCPA-compliant privacy policy;

• Vendor contracts governing the use of data you disclose to them; and

• A program that ensures your systems and employees can respond to consumer requests.  Each consumer can ask you to identify the personal information you hold and request that you delete it, up to two times every 12 months. 

You may also need:

• A “Do Not Sell” notice on your website or other point of data collection that gives consumers a means to opt-out from the sale or disclosure of their personal data.  Even if you do not directly sell data, per se, other forms of disclosure could qualify as a “sale” to third parties under the statute.

• Disclosure of incentives offered in exchange for data.  If you offer financial or other incentives to consumers who allow you to share their data, this must be disclosed to them and is not permitted unless the incentive—such as enhanced service options—is relevant or proportional to the value of the data they provide.

The Attorney General’s (AG) Enforcement Priorities

Recently, the AG issued a press release highlighting some of the new consumer rights and business obligations, which may explain the AG’s reluctance to delay the enforcement start date, as requested by several advertising and marketing industry associations.  Among other things, the AG pointed to an increase in consumer data privacy risks during the Covid-19 pandemic, in part because everyone has had to rely more and more on electronic devices to get necessities and to connect with family, friends, and colleagues. 

The AG reminded consumers that they can minimize the data collected by companies by exercising their rights to request deletion of data. 

In a private right of action, a consumer can seek statutory damages of $100 to $750 per consumer, per incident, in addition to actual damages.  In addition, the AG will enforce compliance, using its consumer protection powers.  A business who receives a notice of alleged violations has only 30 days to remediate the problem.  Otherwise, civil penalties range from $2,500 for unintentional violations up to $7,500 for intentional violations.

While it’s too soon to tell how the enforcement actions will pan out, the AG has said that its focus will include, not surprisingly:

• Children’s information, which can only be collected with parental consent for children under 13 and with opt-in for children from 13-16 years old; and

• Sensitive data such as social security numbers or health data.

Current Exemptions

While CCPA applies to consumer data, employee data, and business-to-business (B2B) data, the California legislature exempted employee and B2B data in 2020.  Unless the legislature takes action, those exemptions will expire and businesses may be required to revisit privacy policies, vendor contracts, and more.

Adding to the uncertainty, the backers of CCPA have gathered signatures—currently waiting to be certified for inclusion on the November 2020 ballot—for the California Privacy Rights Act (CPRA). The proposed CPRA calls for the creation of additional personal information rights, enhanced penalties related to the collection and sale of children’s information and the establishment of an enforcement agency to enforce these rights.

Actions to Take Now

If CCPA applies to your business, the most important steps to take now are:

1. Identify the data you collect, where you store it, and who you share it with.  Make sure that employees have access to data on a “need to know” basis.  If you receive a request to delete or identify what data you hold, you have an obligation to understand what data is in your possession and a limited time to respond to consumer requests.  Determine how you will verify the identity of individuals requesting access to data (another requirement of CCPA).

2. Review your privacy policy to ensure that it complies with CCPA.

3. Implement a Do Not Sell option on your website if you determine that your consumer data sharing practices could be considered a “sale” of data to third parties.

Author: Kellie Delaney, Associate.

Please contact the team at Maier Law Group if we can help you assess your readiness for CCPA. We help companies ensure that their policies and practices comply with the relevant regulations.  Please contact us at info@maierlawgroup.com for more information.

This article has been prepared for general informational purposes only and does not constitute advertising, solicitation, or legal advice. If you have questions about a particular matter, please contact the Maier Law Group directly.