The California Consumer Privacy Act of 2018, which goes into effect Jan. 1,
2020, gives California consumers numerous rights with respect to their
personal information — basically allowing them to understand what kind of
data is being collected and what is being done with it.
Businesses face serious penalties if they do not comply with the act. But
uncertainties remain regarding which companies will be subject to the CCPA.
McGuireWoods Los Angeles partner Bethany Gayle Lukitsch — a member of the
firm’s data privacy and security team — offered her thoughts on how
businesses can determine whether the CCPA applies to them and how they
should prepare for the law’s implementation.
What are the CCPA’s key requirements?
Bethany Gayle Lukitsch:
There are many requirements of the act, but there are four major prongs of
the statute that are getting the most attention. One is that it requires
everybody who does business in California to disclose certain information
about their data collection practices to consumers and to include these
disclosures in their privacy policies.
The second is that a consumer can make an inquiry to a company to find out
what kind of data is being collected about them and the company has an
obligation to respond in a relatively short time period.
The third is a right to be forgotten. In certain circumstances, the
consumer has the ability to ask a company to delete the information that it
has retained about that consumer.
Finally, the CCPA provides for enforcement by the attorney general and/or a
civil private right of action for a data breach.
What is keeping business leaders up at night regarding CCPA-readiness?
Businesses still are questioning whether the statute applies to them and
are just now getting a chance to digest the draft regulations that go along
with the statute. Currently, companies doing any business in California or
collecting data from California residents, like cookies on their website,
are subjected and should be paying attention and taking action. This
statute is still evolving, and other states are increasingly interested in
passing their own privacy laws, so there are a lot of questions. Our
colleagues are connected with legislators and companies that have interest
in the ultimate outcomes, so they help us keep an eye on what’s in the
works. In turn, we keep our clients abreast of developments.
How should businesses prepare for the Jan. 1, 2020, CCPA compliance
I think the most important thing out of all of this is knowing what data
you have and what you do with it. If you don’t have a good understanding of
the data that exists at your company, how it’s stored, how it’s used and
who has access to it, then I would say that is an immediate priority. That
basic data mapping is critical. I would turn to updating your
clients with these steps.
Businesses also need to evaluate whether or not they are a seller. If so,
they need to give consumers the option to opt out. The definition of “sell”
is extremely broad; nearly all transfers of personal information to vendors
could constitute a sale unless the contracts are carefully drafted to
instead categorize the vendor as a service provider. As such, businesses
should review their vendor contracts.
In this world of big data and consumer interest in their personal data,
there are things about CCPA that are becoming good business practices
overall. Certainly, for any sort of breach purposes a company, in
particular a sophisticated company, needs to know what they have, where
that data is and how it’s secured.
There are other aspects of the CCPA that companies will need to address —
like employee training, customer support and even structural IT issues if a
consumer asks to “be forgotten.” The bottom line is to pay attention and
start planning and acting. Our data privacy team is ready to help.
To learn more about the CCPA, read the McGuireWoods data privacy and
and the firm’s
Password Protected blog.