Will the California Consumer Privacy Act Affect My Business?
Even Ohio businesses need to double check
on May 29, 2019
Updated on August 4, 2022
On Jan. 1, 2020, California’s Consumer Privacy Act (CCPA) will go into effect. Originally signed into California law by former Gov. Jerry Brown in 2018, the act gives California residents—among other things—the right to know what personal data is being collected about them and the right to disallow the sale of said data.
Victoria E. Beckman, an intellectual property and data security attorney in Columbus, Ohio, notes that, for businesses, the law’s effects reach far beyond the state’s borders.
“As it is written now, the act applies even if you’re a company in New York or Ohio,” she says. “If you collect information from California residents—even if you’re located in any other state—you may have to comply with it.
“The act was modeled after Europe’s General Data Protection Regulation,” Beckman continues. “It is groundbreaking in that it gives … the right to access information, and erase some information. It also gives a private right of action in case there’s been a data breach, so you can basically sue a company if you can demonstrate that a data breach caused some harm or was their negligence.”
There are, of course, a couple caveats. Your business will only need to prepare for the CCPA if:
- it is a for-profit company
- its annual gross revenue exceeds $25 million
- it buys, sells, receives or shares the information of more than 50,000 California residents, households or devices
- it derives 50 percent or more of its annual revenue from selling California residents’ personal information
If your business is going to be affected by the CCPA, it will need to prepare. “They’re going to have to invest money in reviewing the policies,” says Beckman. “And, later, in responding to requests from the data subjects. Internally, a company has to have a process in place to respond and comply with a deletion request. You’re going to have to have personnel to make sure they know where the data is.”
To prepare, she recommends:
- Mapping out, and taking inventory of, the personal information of California residents that your business receives or sells
- Reviewing and updating data privacy notices and disclosures, as well as service provider agreements
- Creating a process to fulfill CCPA rights requests and respond to alleged violations
- Reviewing and implementing security practices and procedures
- Conducting employee training
“Before it’s enforced, businesses have to make sure they know, internally, how the process works. So, if they get a request for deletion, they can guarantee everything was deleted,” Beckman says. “The act requires a 1-800 number for people to call, so they have to make sure that’s set up.”
When businesses come to Beckman, she first makes sure the new privacy law will apply to them. Next, she helps take inventory of the California residents whose information they hold, where that information is stored, and who has access to it. She then reviews privacy policies and helps with employee training, so that employees know how to handle requests and why it’s important.
“We also help with reviewing service provider agreements,” she says. “If you have third-party vendors doing the information requests for you, we make sure that they are in compliance.”
Beckman further notes that it’s important that businesses don’t discriminate against California residents because “they’re exercising their rights.” And though the law may change before 2020 arrives, it’s crucial that affected businesses prepare for compliance—which an experienced attorney can help with.
“It really applies to everybody, and we don’t know how flexible they’re going to be with enforcement,” says Beckman. “The last thing you want is some kind of fine, or your business being shut down, because you’re not being compliant.”