Complying with the California Consumer Privacy Act in 5 (more or less) Not So Easy Steps
Part 1 of a Series
First Steps First – the Data Map
It is estimated that more than 500,000 companies are subject to the California Consumer Privacy Act (CCPA), many of them smaller and mid-size business, where the detailed requirements of the Act – disclosure and notice procedures, opt-out rights, updating privacy policies, and revising vendor agreements – is daunting. So where should a business begin in its efforts to meet the Act’s requirements?
What is the CCPA?
The California Consumer Privacy Act was signed into law on June 28, 2018, and will become effective January 1, 2020 – although the Attorney General is precluded from bringing an enforcement action under the CCPA until the earlier of six months after the final regulations are published, or July 1, 2020. The effective date of the Act gives covered businesses little time to prepare. Preparing now is particularly important, because many obligations under the Act will require advance work, and companies will need to begin now.
What businesses must comply with the Act?
As has been well publicized, the Act is applicable to many businesses, whether located inside or outside California. The Act applies to for-profit entities that both collect and process the personal information (as defined in the Act) of California residents and do business in the State of California – a physical presence in California is not a requirement to becoming subject to the Act. Additionally, the business must meet at least one of the following criteria:
- Generate annual gross revenue in excess of $25 million,
- Receive or share personal information of more than 50,000 California residents annually, or
- Derive at least 50 percent of its annual revenue by selling the personal information of California residents.
What to do first – Data mapping
The first, and possibly most important, thing a company should do to comply with the Act is to understand what data the company collects, how it uses the data and who has access to it. Understanding how the company collects, processes, transmits and stores data – as well as how it’s used and who uses it – is the foundation of a data privacy program and the key to complying with the Act and most other privacy regulations. A company’s data is often its most valuable asset, but the exact movements of sensitive data are often poorly understood, providing unknown exposure points and increasing the risk of data loss. Continue reading