3 Steps Towards Privacy Compliance You Need To Look At Now

The new California privacy law (CCPA) will bring with it a need to get far more sophisticated about your data collection practices. The risk in ignoring this law is real.

The CCPA creates a private right of action for consumers whose non-encrypted and non-redacted personal information is exposed in a breach caused by a business's failure to maintain reasonable security procedures, so it is time to address your company's data security practices. In addition, the California Attorney General will have the right to bring an enforcement action for any violation of the statute. The law takes effect on January 1, 2020, and although the AG has agreed not to begin enforcement for six months after that date, nothing stops class action attorneys from acting sooner if there is a security breach.

In addition, the required disclosures look back 12 months at your data collection practices, so the time to act is now.

Let me summarize what you can and should do now:

First of all, does the statute apply to you?

The statute applies to for-profit companies whose annual gross revenue exceeds $25 million. (At this writing, it is unclear whether that threshold applies only to revenue derived from California consumers or to a company's overall revenue.)

Even if you do not meet that threshold (under either calculation), the statute also applies to any for-profit company that annually receives the personal information of 50,000 or more California consumers, households, or devices (and "consumers" may include business contacts), or that derives 50 percent or more of its annual revenue from selling personal information. A "consumer" is a California resident, including one who is outside California when viewing your site, so you generally cannot tell which visitors count toward that number. Combined with the broad definition of personal information, this means that almost all e-commerce sites will have to comply.

CCPA is being amended, should you wait to comply?

CCPA has already been amended and will continue to be revised. However, it is clear that many statutory requirements will remain and should be addressed. The California Attorney General has not yet issued the regulations the statute requires, so some issues will hopefully be clarified in September, when they are expected to be released. In addition, many more states' laws could be right behind it.

In the meantime, I strongly urge that you take on the following 3 projects. 

  1. Know what data you collect, share, retain and destroy. Create a detailed data map. There might be advantages to hiring a third-party service provider to automate this process. I suggest you reach out to me to discuss potential vendors and what data mapping entails.
  2. Have an outside audit of your security practices. Again, I can recommend a company I have used in the past, or a law firm that does this work, if you are interested. Remember that CCPA allows a private right of action for a security breach occurring after January 1, 2020, so getting your security practices in place is an imperative.
  3. Audit all your service provider relationships and, if you are a service provider in your own right, review your contracts and decide whether you are better off as a "service provider" or a "third party" as those terms are defined under the CCPA. We can discuss this dichotomy once you have identified all your vendors and contracts. Regardless of which you choose, you will almost certainly need amendments to those contracts to track the requirements of the law.

Will you need to revise your online privacy policy to comply with CCPA?

There will have to be a new notice to California consumers, as well as an opt-out mechanism reachable from a link on your site's landing pages. There are also specifically dictated disclosures that must be included in your privacy policy:

  • A description of CA consumer’s rights under the statute.
  • The categories of personal information collected in the preceding 12 months.
  • The commercial or business purpose for which the personal information was collected.
  • The categories of personal information sold or disclosed for a business purpose in the preceding 12 months.
  • The categories of third parties with whom personal information was shared.
  • A link to a “Do Not Sell My Personal Information” web-based opt-out tool.
  • A description of any financial incentives for providing data or not exercising rights, for instance, if you offer a discount to people who provide their email for marketing purposes, (which has to be tied to the value of that information).
  • Two or more designated methods for submitting consumer requests (which, at a minimum, include a toll-free telephone number and a website address, if you maintain a website).

In addition, the CCPA requires that your privacy policy be reviewed and updated at least once every 12 months.

Takeaway 

You must start to gather a team and resources to address not only the CCPA but other privacy laws that will inevitably arise in the near future.
