On January 1, 2020, the California Consumer Privacy Act will take effect, granting California residents more authority over information collected about them. To accommodate for this, marketers at businesses impacted by the legislation will need to ensure they have an organized system for data collection and a way to distribute data to consumers when requested.
The California Consumer Privacy Act (CCPA) is legislation intended to protect California Consumers’ rights to privacy by granting more rights regarding the collection, handling and sale of personal information. Under the laws outlined in the CCPA, companies will be expected to increase transparency regarding the information they collect and sell from consumers.
Disclaimer: As a note, New Breed is not a master on all facets of the legal wording employed within the California Consumer Privacy Act. The information found in this blog post is not the same as legal advice, and we would recommend those interested in the topic pursue the help of their own legal counsel in regards to compliance.
This article and the information within it do not constitute as legal advice and should not be considered in lieu of actual trained legal council. In summary, we are not responsible for your interpretation of this information and should not be held responsible for any independent actions taken after viewing this information.
The first thing to consider when discussing the California Consumer Privacy Act is whether or not it will impact your business.
For the CCPA to apply, your company must first fulfill one of the following criteria as a for-profit entity doing business in California:
If your business falls into any of these three categories, we highly suggest you learn more about how the California Consumer Privacy Act might change the way you do business starting January 1, 2020.
To be able to fulfill consumer requests regarding how their information is used, companies will need to set up a data collection process that enables them to pull and delete data as requested by verified consumers.
Not only do companies need to be cognizant of the information they’re collecting, but they also need to be aware of how they’re storing it. In addition to being fined for not complying with consumers’ requests, businesses can also be penalized for failing to implement proper security measures around the personal information they’ve collected.
According to a fact sheet from the Office of the California Attorney General, businesses will need to:
There is still some ambiguity about what businesses will need to do to comply with the Act. Additionally, California’s Attorney General is still developing the regulations for how the legislation will be enforced. They’re accepting public comments on the matter until December 6.
One of the biggest gray areas is about what constitutes as a “verifiable request.” Companies subject to the CCPA must respond to verifiable requests within 45 days with the requested info either by mail or electronically. They don’t have to respond to a consumer’s request more than twice in a 12-month period, and only have to respond to verified consumer requests.
However, the bill defines a verifiable consumer request as “a request that is made by a consumer, by a consumer on behalf of the consumer’s minor child, or by a natural person or a person registered with the Secretary of State, authorized by the consumer to act on the consumer’s behalf, and that the business can reasonably verify, pursuant to regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of Section 1798.185 to be the consumer about whom the business has collected personal information.”
Until the Attorney General’s regulations go into effect, businesses won’t have a concrete definition of what requests for information they are obligated to comply with.
Legal Documentation:
Useful topic Summaries:
News Articles: