As the industry awaits approval of proposed regulations from the California Attorney General, here’s what businesses need to know about the CCPA when evaluating their data privacy policies and procedures in the coming months.
1/20/2020 9:00
The California Consumer Privacy Act (CCPA), a landmark piece of data privacy legislation, has become law in California. The CCPA’s implementing regulations, introduced in October 2019, will be up for final approval from California Attorney General Xavier Becerra's office in the coming weeks. Accordingly, the next few months will be a critical period for businesses to take stock of the law’s effect, how the proposed regulations will implement the law, and how the CCPA might serve as precedent for new state and federal regulations.
According to Attorney General Becerra’s office, key requirements of the CCPA include:
- Businesses must disclose data collection and sharing practices to consumers;
- Consumers have a right to request that their data be deleted;
- Consumers have a right to opt out of the sale or sharing of their personal information; and
- Businesses are prohibited from selling personal information of consumers under the age of 16 without explicit consent.
The CCPA applies to certain for-profit businesses that fall under one or more of the following criteria:
- Annual gross revenues of more than $25 million;
- Alone, or in combination, annually buy, receive, sell or share for commercial purposes the personal information of 50,000 or more consumers, households or devices;
- Derive 50% or more of annual revenue from selling consumers’ personal information.
These factors are set in stone, so what’s next?
“I see the CCPA as a continuation of the trend that was started by the GDPR [Europe’s General Data Protection Regulation], and I don’t think it is going to be the last law. Other states have proposed legislation that looks like the CCPA or the GDPR, and we know that there is talk at the federal level,” said Josh Stevens, senior attorney at Mac Murray and Shuster LLP in New Albany, Ohio.
Stevens worked with many clients, including large and small businesses, to help them prepare for compliance with the CCPA and evaluate their data privacy policies.
California-based attorney June Coleman, with Messer Strickler Ltd., expects that the attorney general’s regulations will be finalized and published by June 2020, and she hopes they will clarify some aspects of the new law. In the meantime, she suggests that affected businesses may want to bear in mind that although the law bars Becerra’s office from bringing an enforcement action until July 2020, the attorney general may later decide to prosecute businesses that did not comply between January and July.
“We anticipate that many states will enact privacy legislation in the next few years,” Coleman said. “Even if you don’t have consumers in California, you should be aware of what California is requiring, because your state will probably follow suit.”
Businesses required to follow the CCPA need to evaluate the policies and procedures that they implemented before the law took effect and prepare for the additional proposed regulations likely to be finalized by Becerra’s office in the first few months of 2020.
Those businesses may further wish to consider developing privacy notices for their letters, privacy policies to post on their websites, and letters to respond to requests for information and requests to delete information.
“The proposed regulations are intended to operationalize the CCPA and provide practical guidance to consumers and businesses subject to the law,” according to a news release from the attorney general’s office. “The regulations would address some of the open issues raised by the CCPA and would be subject to enforcement by the Department of Justice with remedies provided under the law.”
For example, the proposed regulations include additional steps for responding to consumers’ requests to delete their data or understand how their data is being used or sold, particularly for businesses that monetize data.
Coleman notes that the CCPA provision applying the law to any business that “[a]lone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices” does not limit the scope of that provision to devices located in California. (Under the CCPA, “device” means “any physical object that is capable of connecting to the internet, directly or indirectly, or to another device.”)
This definition would appear to include smart phones and computers.
“Since devices are not limited to California devices, that may mean every account you receive in a year, if you believe that each account has a cell phone,” Coleman said. “And if you collect IP addresses from your website visitors, that would also increase the count. Finally, if you don’t meet the 50,000 or $25 million threshold but collect for creditors that do meet the threshold, you would be a ‘service provider’ and fall within the ambit of the CCPA anyway.”
Becerra’s office has begun reviewing its proposed regulations in light of comments received during a 45-day public comment period that ended in December 2019. The comment period included numerous public hearings across California.
The attorney general’s office cannot bring an enforcement action under the CCPA until six months after the publication of its final regulations or until July 1, 2020, whichever comes first.
Businesses that fall outside the CCPA’s reach may want to review the law and its implementing regulations, too, because California’s new consumer privacy regime may serve as a model for what may come in their states or at the federal level.
Currently, at least 25 states have laws that address data security practices in the private sector, according to the National Conference of State Legislatures.
For more information on the CCPA, view the fact sheet provided by the California Attorney General’s Office and watch for an upcoming episode of ACA Cast on the law with additional insights from ACA International members.
ACA International’s Washington Insights Fly-In is a critical opportunity for members to get involved with advocacy at the federal level and learn more about the reach of laws such as the CCPA that have been viewed as potential roadmaps for federal legislation. Register now to join ACA’s advocacy team May 19-21 in Washington, D.C., where you can hear from legislative and regulatory speakers and meet with members of Congress on the Hill.