The California Consumer Privacy Act (CCPA) went into effect on January 1 2020. The CCPA provided for a grace period to allow companies additional time to come into compliance. That grace period ensured that California Attotney General’s offic would not bring enforcement actions until six month after publication og the office’s regulations, or July 1st 2020, whichever came first.
As July 1st enforcement approaches, we would like to remind you of some key CCPA takeaways!
When does it apply and who does it protect?
The CCPA was enacted to protect California residents which are defined as any individual who is in California for other than a temporary or transitory purpose, and any individual who is domiciled in California, though is outside California for a emporary or transitory purpose (“Consumers”). The CCPA applies to a “Business” which is defined as any for-profit entity that either has annual gross revenues in excess of $25 million; annually buys, recieves, sells or shares, for a commercial purpose, the personal information of 50,000 or more Consumers, households or devices; or it derives 50% or more of irs annual revenues from selling Consumer’s personal information.
What should you do if the CCPA applies to your company?
- Increase your data mapping efforts: Data mapping is crucial to track the type of personal information that is collected from consumers, understanding what CCPA requirements apply, and identify California consumers who are entitled to their CCPA rights.
- Personal information sale – notification requirements: Businesses thar sell personal information must provide a “Do Not Sell My Personal Information” link on their websites. Businesses that do not sell personal information should clearly state that fact in their privacy policies.
- Create a mechanism to receive, verify, and respond to consumer requests: Businesses must provide methods (e.g., a toll-free number or email address) for consumers to submit requests to receive information and to delete it. Also, businesses must have procedures in place that would allow them to verify the identity of the requesting consumer.
- Amend service provider agreements: Businesses must ensure that their existing agreements with third-party vendors or service providers, limit the service provider’s use of personal information as prescribed in the CCPA.
- CCPA Training: The CCPA requires training of individuals responsible for handling consumer inquiries, ensuring that they understand the requirements of the CCPA and the adequate manner of response to consumer rights requests.
- Update document retention policies: Companies must update their retention policies to ensure that all records of consumer requests and the businesses’ response are maintained for at least 24 months.
- Assure security procedures and mechanisms: Businesses must also have reasonable security procedures and practices in place that meet the current industry security standard, to maintain the security of the personal information processed.
If the CCPA is less familiar to you, but when it comes to the GDPR you’ve got it under control, there are only a few adjustments to make to assure that your business got both the GDPR and the CCPA covered!
We encourage you to take the above steps to address the CCPA requirements and will be happy to advise and assist you in your implemention process.