This is your grand “Welcome” from the California Consumer Privacy Act as it comes to change your way of life and business.
These are BIG changes, folks. Yes, the California Consumer Privacy Act (CCPA) is technically a state law and only protects Californians. But it also applies to any business . . . in any state . . . that is offering its goods and services to Californians. If your business even has a website or marketing strategy that reaches out to Californians, this “state” law could apply to you.
Moreover, other states are following Cali’s lead and using the CCPA to draft their own individual state privacy legislation. This isn’t the first time California has been considered a change leader—the state was also the first to implement higher vehicle emission standards, which thirteen other states and D.C. have since adopted.
So, the CCPA is essentially operating as a federal law. Our (free, but not legal) advice: Go ahead and follow it. But this law is pages and pages and pages of legal jargon with a compliance date beginning January 1, 2020. *Happy* New Year. And before then, there’s about 2,020 things you need to do.
Well, not that many, but you definitely need to get busy so you can be in compliance by the deadline (or soon after)!
Does my Business have to comply with Cali’s Consumer Privacy Act?
If you answered YES, then here comes a hard pill to swallow: your business is required* to comply with the CCPA.
MAKE SOME DECISIONS
One of the major reasons California is going through the process of creating this new law is so that companies are more intentional about the data they are collecting about their consumers. To safeguard against data breaches, companies need a plan, but they also need some controls so that they are only gathering and storing data they actually need. There’s no reason a grocery store needs your social security number for creating an account—and if that business gets hacked, that’s less information leaked.
To begin complying with the CCPA, a business needs to figure out what data is needed from consumers to operate. There is an abundance of data that is collected, some that you might not even realize is significant and now must adhere to the new constraints of CCPA, such as the names, IP addresses, biometric data, and website interaction history of your users. Not only must a business list what data it wants to collect, but it has to state its purpose for collecting that information.
MAKE SOME CHANGES
The Initial Notice. The CCPA requires an initial notice be given to consumers about what personal information your business is collecting about them, why that info is being collected and who the business is sharing this info with (unknown creepy third parties).
THEN you need to give these consumers the ability to act. This means consumers have power over the data collected on them. They get to know what is being collected (Right to Know), and they get to demand its deletion (Right to be Forgotten).
Not only are YOU held responsible by the CCPA, but third parties working for you must also comply or you could be exposed to legal ramifications. Vendors, contractors, and employees could be collecting user data through your services, which could lead to trouble if proper procedures and training are not implemented throughout the collection and usage process.
To stay on top of your legal responsibilities, it’s a great idea to review your current vendor contracts and start alerting and training your employees to changes that are being made. Also, to prep for a possible data breach, your business should create a breach response plan that dictates employee responsibilities and authorized actions should such an attack occur.
If you go through the process of creating a privacy system—follow through. It’s not enough just to state that you’ll honor consumers’ opt-out or information requests, you must respond to them as well. And along with responding, go ahead and make your lawyer happy by recording these requests and your responses.
To keep your ducks in a row, designate one or a few select individuals to track, record, and honor all opt-outs, requests for information, and deletion demands. Having a limited number of individuals in charge of your records will enable better detection for security incidents, enable internal uses to reasonably align with consumer expectations, simplify compliance with your legal obligations, and avoid discrimination against consumers choosing to exercise their rights under CCPA.
This is A LOT to take in. The CCPA is a big deal, making for big changes in your business’s data organization and collection processes. That’s why lawyers exist. Let the legal team at Rockridge Venture Law make your life easier.
LASTLY, THIS IS NOT LEGAL ADVICE. I AM NOT YOUR LAWYER. NOTHING IN YOUR REVIEW OF THIS ARTICLE OR ACTIONS YOU TAKE IN FURTHERANCE OF IT ESTABLISHES A LEGAL RELATIONSHIP BETWEEN YOU AND ME. I PROBABLY DON’T EVEN KNOW YOU, THOUGH WHO’S TO SAY WE CAN’T BE FRIENDS? NOTHING IN THIS ARTICLE IS WARRANTED TO BE ACCURATE IN ANY WAY, AND THOUGH PRACTICALLY UNLIKELY, IT IS POSSIBLE THAT THE SUBSTANCE OF THE ARTICLE CAN KILL, HARM, MAME, OR OTHERWISE DEFEAT YOU, PARTICULARLY IF YOU ARE READING IT WHILE ON A SCOOTER. YOU SHOULD NOT RELY ON ANYTHING IN THIS ARTICLE WITHOUT INDEPENDENTLY DISCUSSING IT WITH YOUR LAWYER. YOU PROBABLY SHOULD HAVE ALREADY BEEN IN TOUCH WITH A LAWYER BEFORE READING THIS ARTICLE. LAWYERS ARE A GOOD THING – ALSO NOT LEGAL ADVICE.
*There are some exceptions, seek out a lawyer.