CCPA Enforcement is Well Underway…with CPRA Right Behind It

By: Linda L. Goodman

 

Despite requests from the industry to delay enforcement due to COVID-19, California Attorney General Xavier Becerra has quickly moved into the initial enforcement phase of the California Consumer Privacy Act (“CCPA”).  Companies who do business with California residents are now at risk for penalties for noncompliance.

To understand whether or not you are subject to potential enforcement actions – first determine if you fall within CCPA’s compliance criteria.

  • Does your business, including your subsidiaries or affiliates, engage in business in California?
  • Does your business have over $25 million in annual gross revenues?
  • Does your business buy, sell, share, or receive personal information?

If your answer to any one of those questions is yes – it is critical that you understand that the statutory definitions of “consumer” and “personal information” are far broader than those found in regulations in other jurisdictions.  The breadth of these terms causes CCPA’s jurisdiction to extend much farther than it appears on the face of the statute.

If your business fits any one of those criteria, it is critical that you identify the type of personal information your business collects.  CCPA broadly defines personal information as any information that directly or indirectly identifies, describes, or can be reasonably linked to a particular consumer.  If the information you collect can be so linked, you must comply with CCPA rights.

CCPA grants consumers significant rights to direct the use of their personal information, including general notice rights.  Providing notice is the most immediate and simplest proactive step to take at this stage to prepare for CCPA’s enforcement.  Get your policies in order and get a ‘do not sell’ notice on your website pages.  To undertake this step, it is important to know that CCPA grants consumers the right to know what personal information a business collects, sells, or discloses about them.  Additionally, the CCPA requires businesses to make affirmative disclosures in their privacy policies to consumers identifying the rights provided by the statute.

Next, review your data flows and map out what information you have and where you received it from, and then classify the information into personal and non-personal information.  Once you know what data you have, where it came from, and where it goes, you need to segregate the data and IT systems between regulated and non-regulated data repositories.

You should also prepare and implement cookie banners and web beacons in accordance with your CCPA-compliant privacy policies.  This step will make it much easier to respond to individual request processes (including opt-out and deletion).

Finally, begin implementing employee, vendor, and associate training to meet CCPA’s new requirements.

Stay involved with your compliance team for coming changes.

The Office of the California Attorney General was late submitting its final regulations package to the California Office of Administrative Law (“OAL”).  However, it was accepted and now the OAL has only 90 days to review.  Once approved, the final regulation text will be filed with the Secretary of State, and the regulations too become enforceable by law.  Since the OAL is not expected to make significant changes to the regulations, your compliance program should be implemented for regulation enforcement using the proposed regulations.

Lastly, the California Secretary of State recently announced that the California Privacy Rights Act (“CPRA”) will be on California’s November 3, 2020, ballot.  Likely to be approved by voters, the CPRA would significantly update and amend the CCPA, allowing California consumers to block businesses from a newly created category of information known as “sensitive personal” information and establishing a new enforcement authority to protect data privacy rights.  Since the fines levied by the new enforcement agency will go back into funding the same agency, it is expected that enforcement will be robust!

 

______________________________________________________________________

This article is a publication of The Goodman Law Firm and is intended to provide information on recent legal developments. This article does not create an attorney-client relationship, nor should it be construed as legal advice or an opinion on specific situations.  This may constitute “Attorney Advertising” under the Rules of Professional Conduct and under the law of other jurisdictions.

 

Linda L. Goodman is the founder of The Goodman Law Firm, concentrating its practice in internet business and law.  Her firm’s clients include Advertisers, Affiliates, Affiliate Networks, and ISPs.

 

© 2020 TGLF, A.P.C.
