On the heels of the European Union’s General Data Protection Regulation (GDPR), which went into effect last May, U.S. businesses now have a new data privacy law to contend with: the California Consumer Privacy Act (CCPA).
What the CCPA provides
The CCPA gives consumers four rights:
- businesses must notify consumers about what information they’re collecting, how they’re collecting it, and how they plan to use it;
- consumers have the right to opt out of any sale of their information to third parties;
- consumers have the right to have their personal information deleted; and
- businesses cannot discriminate against consumers who exercise their CCPA rights.
Though the CCPA is a state law, it will affect businesses across the country. If your company does business in California and has earned more than $25 million; if it buys or uses the personal information of more than 50,000 California consumers, households, or devices each year; or if it earns more than 50% of its revenue from selling the personal information of California consumers, your company is subject to the law, regardless of your location.
The CCPA’s definition of protected personal information is incredibly broad. It includes the standard personal identifiers, such as names, addresses, Social Security numbers, email and IP addresses, and many others. But it goes on to include protected characteristics (e.g., race, age, and sex), biometric information, employment history, information about internet and browser history, geolocation data, education history, and records of purchases and consumption. It also extends the definition to any consumer profiles derived from any of these categories of information.
The impact of the CCPA
The CCPA empowers consumers to ask for one year of their collected “personal information” from affected organizations without needing a discovery request, deposition, or subpoena.
The law goes into effect on January 1, 2020. But the law also contains a lookback provision that extends its reach back to data collected one year prior to the date of any complaint, so now is the time to get ready. Here are three important ways to start preparing.
Inventory your data.
If you haven’t already taken stock of your data for the GDPR, now is the time to start. Catalog the types of data in your possession, where it is stored, who has access to that data, and how it is being used. Pay particular attention to where your organization’s personal information lives. Memorialize these details in a data map, and update the map periodically to ensure no data falls through the cracks.
Eliminate as much data as you can and enforce your information governance policy.
If you have a records retention policy that’s collecting dust while your data stockpiles continue to grow, it’s time to implement and enforce it. Get rid of any redundant, outdated, or trivial information so you have less data—particularly less sensitive information—to manage. Not only will this mitigate any potential liability under the CCPA, but it can also simplify legal holds and eDiscovery.
Specify third-party obligations to comply with the CCPA in agreements and protective orders.
In the course of litigation or investigations, you may share personal information with your adversaries or with service providers who are helping you manage documents. Make sure that these third parties have agreed to protect consumers’ data, and for lawsuits, consider entering into a protective order that covers California residents’ data.
eDiscovery tools can help you make sense of your data, so you can readily determine what you need to keep, what you need to protect, and what you should dispose of. To learn more about how data analytics and other tools can help you gain more insight into your data and accelerate your preparation for the impending CCPA, get in touch.