How prepared are businesses for the California Consumer Privacy Act (CCPA)?

What is the California Consumer Privacy Act?
The California Consumer Privacy Act (CCPA) is a law that grants consumers new rights and protections concerning the collection of their personal information. Signed on June 2018 by Governor Brown, the act will come into effect on July 1, 2020. It’s associated regulations and prohibitions place limits on both the collection and sale for profit of personal information by businesses, and entitle consumers with the right to be informed of such data collection, the right to opt-out of data sales, the right to expunge their personal information from databases, the right to access their personal data, and to top it all out, the right not to be discriminated against in retaliation of exercising these rights.

Is this really such a big deal?
Privacy legislation is already part of the legal corpus on both federal and state level– will the new legislation really make that much of a difference?
It very well might. The CCPA defines “personal information” in a far broader manner than previous legislation and includes data elements which no prior U.S legislation defined as such.

Are you ready for CCPA?
It’s not just California. 15 other states have introduced their own CCPA inspired legislation, and similar motions are being mooted at the federal level as well. The fact of the matter is, that practically every business relies on consumer data collection and analysis, either directly and indirectly, to plan its marketing, sales and development strategy, and even to target specific individuals. So, if you aren’t ready, there is no time like the present to prepare for the new regulatory environment.
In fact, you are overdue. For while the law only comes into effect in January 1 2020, it will not be enforced until the Attorney General publishes regulations, which are not required by law until July 1,2020. The CCPA requires companies to answer queries for 12 months “look back” period dating back to July 2019. Feeling the heat yet? You should.

Does the CCPA even apply to my business? I don’t even have any operations in California!
The law is not limited to companies with physical operations in California. It applies to any for-profit entities that “do business” in the state that either:

  • Annually perform transactions, either buying, selling or sharing, with the personal information of over 50,000 Californians (consumers, devices or households, as the case may be).
  • Whose primary business (over 50% of revenue) is associated with selling California consumers personal information.
  • Have a gross annual revenue of over 25 million dollars. Revenue specific to California, or that of the company as a whole? Unclear- and it will likely be settled in a precedent setting court. Do you want your business to be that precedent setting case?

The bottom line is that any medium sized company doing any business in California, or any small company extensively engaged with personal data transactions of California citizens, needs to start getting ready. And since similar legislation is in progress in 15 other states, then you can just switch the “California” in the previous sentence with “The United States of America”.

How to prepare?
The first step is amending your company’s online privacy policy, or at least provide a new form of California privacy notice. That means adding a number of elements to your disclosures and including them in your privacy policy. This includes a description of CCPA mandated consumer rights, any personal information collected by the business over the preceding 12 months, the purposes for which personal information is collected, Which categories of personal information were sold for commercial purposes over the preceding 12 months; The categories of all third parties with whom your business will share personal information, a link to an opt-out tool, full disclosure of any financial incentives for providing personal information and at least two ways to submit requests for personal information stored by your business including, if applicable, a toll free number and an online address.
And of course, that only applies to the CCPA. The various copycat legislation initiatives in other states may require you to meet additional criteria.

So, if you are asking when the best time is to begin preparing for the CCPA the correct answer is, as when planting a tree, three years ago. But the second-best time is now.