The California Consumer Privacy Act of 2018 (CCPA or the Act) relates to companies that collect personal information from consumers. The Act arose as a way to override a ballot initiative proposed by a private citizen. As such, the CCPA is recognized as having been rushed through the legislative process and having a number of flaws as a result. The CCPA became effective on January 1, 2020; however, based on the ambiguity of the CCPA as currently written, the California Attorney General is to release guidance memorandums. The CCPA is to be enforced by the Attorney General after July 1, 2020. Between January 1, 2020, and July 1, 2020, the CCPA can only be enforced through a private cause of action. In an increasingly online world where data hacks and privacy breaches are becoming more commonplace, the CCPA aims to put the consumer in more control of his or her personal information collected by certain businesses.

A business is subject to the CCPA if the business: (1) collects consumers’ personal information and determines the purposes and means of processing the information and (2) either (a) has a gross annual revenue exceeding $25 million; (b) buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices, (c) or derives 50 percent or more of its annual revenue from selling consumers’ personal information. The Act will also apply to those businesses which control or are controlled by a business which fits one of the above criteria and shares common branding with that business. The CCPA will not apply to your business unless your business satisfies both of these requirements.

The CCPA provides consumers with five distinct rights relating to their personal information: (1) the right to know, (2) the right to deletion, (3) the right to opt-out, (4) the right for a minor to give consent via opt-in, and (5) the right to non-discrimination.

Every website in 2020 should already have a privacy policy. These policies now must be updated with various provisions related to the CCPA. Specifically, these additions must provide information about the categories of personal information collected during the preceding twelve months; sources from which the business collects personal information; the purpose for collecting or selling personal information; categories of third parties who have received the personal information; and a description of the consumers right to: (a) access and request specific pieces of personal information, (b) obtain individualized disclosures, (c) deletion, and (d) non-discrimination. Additionally, the methods for submitting consumer requests must be listed in the privacy policies, including a toll-free phone number and online submission, as applicable. Finally, the policies must state whether the business sells personal information to third parties. If so, notice of the same must be given in the policy along with notice that the consumer may opt-out and a link to the “Do Not Sell” page.

These privacy policies should already be undergoing a periodic review to ensure they are up to date with the business’s practices. The Act now requires the business review and update its privacy policy, and especially the notices listed above, at least annually.

After updating its privacy policy and creating notices on its website along with a “Do Not Sell” link, a business must take certain actions to remain compliant with the CCPA. The business must provide two methods to request information, which will generally consist of a toll-free telephone number and a website page. Businesses must also comply with all verifiable consumer requests for information. In doing so, businesses must provide information in a usable format within 45 days of receiving the request. This deadline may be extended one time for an additional 45 days so long as the consumer is notified of the extension. If the business does not provide the information, it must notify the consumer of its reasoning. The information must be provided free of charge. Finally, the business must comply with deletion requests unless an exception applies.