The California Consumer Privacy Act (CCPA) is a new law that aims to protect the privacy of California (CA) residents. Introduced in January 2018 and signed into law June 2018, the regulation will require many for-profit businesses to disclose to CA residents how their personal information is being handled and what data is being collected, and will give residents the option to refuse the sale of their personal information and the right to sue in the event of a data breach.
Atrium and Maier Law Group (MLG) have been working closely with clients to help them understand what they need to do to prepare for the CCPA, which became effective January 1, 2020. MLG recently joined Atrium in a webinar to discuss the key points of the new regulation that founders need to know.
Below are three key takeaways from our discussion. You can also watch the full webinar for more comprehensive information or download our checklist of how to prepare.
To whom CCPA applies
CCPA applies to for-profit companies that collect CA consumers’ personal information, determine the means of processing that data, and do business in CA. Further, it applies to all for-profit entities that do business in the state to which any of the following applies:
- The entity has a gross annual revenue in excess of $25M;
- The entity annually buys, receives, sells, or shares the personal information of more than 50,000 California consumers, households, or devices for commercial purposes; or
- The entity derives 50% or more of its annual revenue from selling California consumers’ personal information.
It also applies, in part, to businesses that work with or on behalf of CCPA-covered organizations that receive personal information. For example, CCPA applies to businesses that share branding with a CCPA-covered company or are service providers that process information on behalf of a covered business. The regulation also applies to companies that serve other businesses (as opposed to individuals), also known as “B2B” companies.
One thing to note is that a business doesn’t need to be physically located in the state of CA for CCPA to apply—CCPA applies to any company that does business in the state. A company may “do business” in California if it:
- Has employees working in the state,
- Conducts online transactions with people who reside in the state,
- Or has other connections to the state.
The law originally envisioned that employees who are CA residents should be treated like any other consumer with respect to their privacy rights. However, a recent amendment to the CCPA exempts employee personal information that is collected in the course of employment until January 1, 2021. For example, employees cannot make a request under CCPA that their employers delete their personal information. However, businesses are still required to give their employees notice when the business collects employees’ personal information. The California legislature has suggested that 2021 will bring new privacy laws that are specific to employees. This would likely resolve the issue of how employees’ information will be handled after January 1, 2021.
How CCPA differs from GDPR
One common question clients ask is how CCPA differs from the General Data Protection Regulation (GDPR), a regulation in European Union (EU) law. The two regulations are indeed different. However, if you’re compliant with GDPR, you’re in a better place to become compliant with CCPA.
One key difference between the two regulations is that GDPR is more focused on accountability, data ownership, and rights to deletion or amendment of personal data. GDPR requires a legal basis for organizations to process personal data, whereas CCPA does not. Notably, this also happens to be a key difference between US and EU privacy. In the EU, you must have a legitimate basis before you collect and use any personal data. In the United States, you may process personal information unless a specific law or regulation prohibits it. Additionally, GDPR applies to all organizations selling goods or services to individuals in the EU, as well as those monitoring behavior of individuals in the EU. CCPA, on the other hand, applies solely to companies doing business in the state of California. It also excludes certain types of data and instead focuses more on transparency and limiting the sale of personal information.
What you need to do to prepare
Enforcement of CCPA begins July 1, 2020. However, preparing for CCPA now rather than down the road is critical because its provisions take time to understand, prepare to comply with, and implement.
Here are a few of the key actions that businesses can get moving on right away:
- CCPA also requires contracts with company vendors that handle personal information on behalf of the company. Vendors must make certain certifications and representations about how they handle that personal information, so that the client company remains in compliance with CCPA.
- Lastly, employee training is critical. All employees handling consumer inquiries about a company’s privacy practices and compliance with CCPA must receive training on the requirements of the CCPA. Employees must know how to direct consumers to exercise their CCPA rights.
To make sure you’ve taken all the actions required, download this comprehensive checklist. To go even deeper into each of these areas, better understand the types of data that CCPA regulates, and when and how you can start preparing, watch the on-demand webinar.
Maier Law Group and Atrium frequently work together to advise clients on employment and privacy matters. To keep updated on changes to employment and privacy laws as they occur, or to read other articles by Maier Law Group, follow their blog.