Why You Need a Lawyer to Help Comply with the CCPA

Use these links to jump to different sections:

• New Consumer Data Privacy Rights
• What Else Companies Must Do for CCPA Compliance
• Who Is Impacted?
• Seeking Legal Help

California has essentially become the nation’s regulator of data security and privacy, and it’s forcing business owners across the U.S. to scramble. The reason? The California Consumer Privacy Act (CCPA), passed on June 28, 2018, takes effect Jan. 1, 2020. “It impacts not just companies in California, but any organization that’s doing business in California and is processing a certain amount of personal information of individuals and households,” says Tanya Forsheit, an attorney handling data security, privacy, compliance, transactions, and incident response for businesses. “It really operates more like a federal law.” The CCPA is the closest American law to those passed in Europe (such as the General Data Protection Regulation (GDPR)), Forsheit says, adding that it’s already starting to become the model for other state proposals. So, if your business isn’t preparing already, it should be. “You can’t comply without taking action beforehand, and companies really cannot wait to get started,” she says. “That is the practical reality we’re facing come January 1: a much more stringent set of regulations than companies have ever had to deal with in the U.S.”

New Consumer Data Privacy Rights

The CCPA provides consumers with robust rights and protections that require businesses disclose more information about the data they collect and how it’s used. “They have the right to tell a company not to sell their data—and ‘sell’ is very broadly defined to mean not just a traditional sale, but when data is exchanged for something of value,” says Forsheit. “So companies have to respond to an individual’s request that their information not be sold. Obviously, in the current digital economy, there’s a lot of data that changes hands regularly for all kinds of reasons. So that’s a significant change.” Among other things, this change requires businesses to have a clickable link on their website that, essentially, says, ‘Do not sell my personal information.’ “It’s not that hard to put a link on your website,” Forsheit says. “But do you actually know where your data is? Do you know what you’re sharing? Do you know what you’re selling? Are you going to be able to stop it when the person says, ‘Don’t share or don’t sell?’ All the contracts with third parties that they do business with and share data with have to be updated to have certain kinds of language to restrict what those third parties can do with personal data.”

What Else Companies Must Do for CCPA Compliance

Forsheit advises businesses to revisit and update, or develop from scratch, privacy policies about informing consumers, data security, third-party contracts, incident responses and more. “If you’re not doing these things, you’re putting your company at risk—not just for a data breach, but then having lawsuits that seek statutory damages from you.” If there is a data breach and it is determined that the company did not have reasonable security, you could face statutory damages under the CCPA. These damages are between $100 and $750 per person, per violation. In addition, the attorney general can also enforce the CCPA beginning in July 2020. “And they can seek penalties between $2,500 and $7,500 per person per violation,” Forsheit says. “So let’s say you don’t prepare, and you don’t respond right away to requests that you not sell data—or that you don’t delete certain data that people are requesting you delete. The attorney general can come after you for that, too.”

Who Is Impacted?

Handling data and consumers’ personal information is broadly defined under the CCPA. “It’s not just somebody’s name and social security number, but phone numbers, IP addresses, emails,” Forsheit notes. “Some seem to think this law is meant for the Googles and Facebooks of the world, but it reaches way beyond that. All you need is 50,000 unique pieces of personal information a year, which breaks down to 137 a day. If you have 137 unique hits on your website a day, which could be just like somebody’s basic blog, you’re in.”

Seeking Legal Help

Data security lawyers’ phones has been ringing steadily since the CCPA passed, because there’s a lot of work to be done to get businesses in line with the changes in this new privacy law. “Obviously, you can do all those things without a lawyer,” Forsheit says, “but it’s probably not a good idea. Updating privacy policies, updating contracts, understanding your data flows, these are legal obligations. So those are all things that you can and should be doing working with competent privacy professionals. “It’s almost impossible to overstate how significant a change it is for privacy laws in this country,” she continues. “There are a lot of very large companies who are now treating privacy as one of the most important things that they’re dealing with as a business matter. If you don’t, you’re taking on significant risk.” For more information on this area of law, see our overview of business and corporate law.