As those of you looking at your budgets for 2019 you should factor in the cost of documenting your data collection policies and reviewing your current business models in the context of what you may need to do to comply with the new California Consumer Privacy Act (CCPA). CCPA goes into effect in 2020 but its sweeping nature will require companies to use this lead time to effect changes in order to achieve compliance. 

The time to act is now.

As a practical matter, this new CA law changes the privacy law landscape in the U.S. The law’s protection of California-based “consumers” means that many companies, even those based outside California, will be subject to its requirements. Businesses will incur significant compliance costs in order to update procedures, policies and websites in accordance with the new law. Additionally, the Act’s grant of a private right of action means that companies will have to anticipate a possible flood of consumer-driven litigation. 

The law protects any “consumer,” who is a “natural person who is a California resident,” which is defined as “(1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose.”  

The law also notably establishes a broad definition of “personal information,” drawing in categories of data, which include a consumer’s personal identifiers, geolocation, biometric data, internet browsing history, psychometric data, and inferences a company might make about the consumer. 

Based on the law’s requirements your internal privacy practices and data storage systems might have to be tweaked in order to comply with (among other things) four basic rights CA residents will have regarding their personal information:

1. the right to know, through a general privacy policy, (with more specifics available upon request), what personal information you have collected about them, where it was sourced from, what it is being used for, whether it is being disclosed or sold, and to whom it was disclosed or sold to in the preceding 12 months;
2. the right to “opt out” of allowing you to sell their personal information to third parties (or, for consumers who are under 16 years old, the right not to have their personal information sold without their, or their parent’s, opt-in);
3. the right to have you delete their personal information, with some exceptions; and
4. the right to receive equal service and pricing, even if they exercise their privacy rights under the CCPA.

In addition, the law’s requirements could threaten your established business models. For instance, companies that generate revenue from targeted advertising over internet platforms will have to allow California residents to delete their data or bring it with them to alternative service providers. This could cut into revenue. This could also further impact the value of targeted advertising which could become less precise as a result of the new protections afforded to individual CA residents.

Amendments have already been made and the law might continue to be tweaked before it goes into effect in 2020. However, at a minimum, businesses will have to “data map” to document the personal information collected, shared, received, stored, retained and destroyed that pertaining to CA residents. To complicate matters further, other states are looking at enacting similar laws. Proper data mapping requires lead time: without knowing exactly what data you collect and where it is shared you cannot begin to assess business risk, or start formulating compliance strategies and, perhaps, adjusting business models.

There are some exceptions for businesses, but those exceptions are very narrow. If you want to discuss the law and its applicability to your business, please reach out to me.

Takeaway: As a New Year’s Resolution, start the process of data mapping.