It’s Time to Prepare for the 2020 California Consumer Privacy Act

Many of the CCPA requirements will demand companies’ attention far before the law goes into effect. Here’s what you should focus on first.

CCPA To-Dos

Notable requirements imposed by the current law require businesses to:

• Update their privacy notices to inform consumers about their new rights and to provide information about the collection, use, and disclosure of their personal information.
• Have processes in place to respond to consumer access and deletion requests. Businesses are advised to begin tracking their data (i.e., “data mapping”) as soon as possible as consumer requests are subject to a 12-month look-back.
• Give consumers the ability to “opt-out” of selling their personal information to third parties. A clear and conspicuous “Do Not Sell My Personal Information” link should be provided on the business’ homepage.
• With respect to consumers between the ages of 13 and 16, businesses will need to provide an “opt-in,” and for those under 13, such “opt-in” consent must be provided by a parent or guardian. It’s important to note that the definition of “selling” is extremely broad and includes any sharing or disclosure for valuable consideration.

It is important to note that currently, the application of the CCPA to employee data is an open question. The fact that CCPA’s definition of “consumer” — a natural person who is a California resident — is not qualified by language requiring such persons to have purchased goods or services, coupled with the fact that “professional and employment-related information” is an example of “personal information,” suggests that the CCPA intends to extend to the collection and use of personal information from employees. Forthcoming amendments and guidance may clarify this further, but for now, employers should be prepared to comply.

Ambiguous Bills Call for Amendments

Lawmakers are contemplating the comments that have been filed to amend certain components of the CCPA. Due to its hasty passage, a number of technical corrections bills were expected to clean up errors and ambiguities in the CCPA.

SB 1121: Passed on August 31, 2018, this amendment made a few significant changes. Notably, it pushes the date by which the Attorney General must publish the implementing regulations meant to further the purpose and clarify the law to July 2, 2020. The Attorney General is precluded from bringing a CCPA enforcement action until six months after the publication of the final implementing regulations or July 1, 2020, whichever is sooner. Additionally, this amendment does away with the requirement for consumers who pursue a private right of action to notify the Attorney General within 30 days of filing such action. Finally, it clarifies carve outs for personal information collected by institutions covered by federal and state financial and health information privacy laws.

SB 561: Introduced by the Attorney General and Senator Hannah-Beth Jackson, this amendment is currently under committee review. If passed, SB 561 would make the CCPA even more consumer-friendly, by expanding the private right of action to any violation of the CCPA, rather than only in the event a consumer’s nonencrypted or nonredacted personal information is subject to breach because the business did not meet its duty to implement reasonable security safeguards. The proposed amendment also eliminates the right to cure an alleged violation within 30 days of being notified of noncompliance.

In the meantime, the Attorney General’s Office concluded a six-part series of public forums that were part of its preliminary rulemaking activities. The office is currently considering the public comments it has received from interested parties such as attorneys, businesses, and activists.