The California Consumer Privacy Act of 2018, which goes into effect Jan. 1, 2020, gives California consumers numerous rights with respect to their personal information — basically allowing them to understand what kind of data is being collected and what is being done with it.
Businesses face serious penalties if they do not comply with the act. But uncertainties remain regarding which companies will be subject to the CCPA. McGuireWoods Los Angeles partner Bethany Gayle Lukitsch — a member of the firm’s data privacy and security team — offered her thoughts on how businesses can determine whether the CCPA applies to them and how they should prepare for the law’s implementation.
What are the CCPA’s key requirements?
Bethany Gayle Lukitsch: There are many requirements of the act, but there are four major prongs of the statute that are getting the most attention. One is that it requires everybody who does business in California to disclose certain information about their data collection practices to consumers and to include these disclosures in their privacy policies.
The second is that a consumer can make an inquiry to a company to find out what kind of data is being collected about them and the company has an obligation to respond in a relatively short time period.
The third is a right to be forgotten. In certain circumstances, the consumer has the ability to ask a company to delete the information that it has retained about that consumer.
Finally, the CCPA provides for enforcement by the attorney general and/or a civil private right of action for a data breach.
What is keeping business leaders up at night regarding CCPA-readiness?
BGL: Businesses still are questioning whether the statute applies to them and are just now getting a chance to digest the draft regulations that go along with the statute. Currently, companies doing any business in California or collecting data from California residents, like cookies on their website, are subject to it and should be paying attention and taking action. This statute is still evolving, and other states are increasingly interested in passing their own privacy laws, so there are a lot of questions. Our McGuireWoods Consulting colleagues are connected with legislators and companies that have interest in the ultimate outcomes, so they help us keep an eye on what’s in the works. In turn, we keep our clients abreast of developments.
How should businesses prepare for the Jan. 1, 2020, CCPA compliance deadline?
BGL: Businesses also need to evaluate whether or not they are a seller. If so, they need to give consumers the option to opt out. The definition of “sell” is extremely broad; nearly all transfers of personal information to vendors could constitute a sale unless the contracts are carefully drafted to instead categorize the vendor as a service provider. As such, businesses should review their vendor contracts.
In this world of big data and consumer interest in their personal data, there are things about CCPA that are becoming good business practices overall. Certainly, for any sort of breach purposes, a company, in particular a sophisticated company, needs to know what they have, where that data is and how it’s secured.
There are other aspects of the CCPA that companies will need to address — like employee training, customer support and even structural IT issues if a consumer asks to “be forgotten.” The bottom line is to pay attention and start planning and acting. Our data privacy team is ready to help.