Key Actions to Ensure Compliance with the California Consumer Privacy Act (Part II of II)
The California Consumer Privacy Act (CCPA) presents numerous compliance challenges for businesses. Given the heightened focus on consumer privacy and ever-increasing enforcement risks, companies have to move quickly to ensure appropriate compliance programs are in place by January 1, 2020.
Any business that collects, stores and processes consumer information is subject to significant risks. CCPA compliance is not only a concern for businesses whose core business is collecting and selling personal information (e.g. credit bureaus, marketing companies).
Given the broad definitions, the risk of unauthorized disclosures and the broad set of consumer rights created by the CCPA, businesses need to develop a priority-based project to ensure appropriate risk mitigation.
Locate Your Data – In the GDPR context, many companies got stuck in the process of mapping their data. This should not be an overwhelming or burdensome process. I know this sounds obvious, but mapping simply requires an examination of what “personal information” is collected, and how that information is used, processed, stored and then sold (if applicable). The data map should be traced across the business organization to understand exactly where the information is collected, stored, processed and used. This should not be an academic exercise; it should be a practical analysis of how personal information is actually used. Too many companies spend hours in theoretical discussions about esoteric aspects of storage and processing that have little or no relevance to compliance and enforcement risks.
Consumer Requests: Companies have to make available to consumers two designated methods for submitting disclosure and preference requests – a toll-free number and, if the business maintains one, a website address. Businesses have to respond to a consumer request within 45 days. They also have to screen requests to verify that they are bona fide: the business has to ensure that the person making the request is the consumer about whom the business holds personal information (or is authorized to make the request on that consumer’s behalf). A business is only required to respond to two such disclosure requests per consumer in any 12-month period. Companies have to establish a portable format for transmitting and delivering the information to the consumer. Companies also have to create a tracking system for consumer requests to ensure timely and complete responses within the allotted time period.
Consumers have the right to learn from the business the categories of personal information maintained by the business; the categories of sources of such information; the business purpose for collecting and selling such information; categories of third parties to whom the business sells the consumer’s personal information; and specific pieces of personal information collected by the business.
Consumer Deletion Requests: Following the same procedures outlined above, a consumer can request that a business delete his or her personal information. There are certain exceptions to such requests – e.g. if the information is needed to complete a transaction, to detect security incidents, or to debug a function. Again, businesses will need a tracking system to monitor the status of such requests and ensure compliance with the applicable timeframe.
A business may not sell the personal information of a consumer who is at least 13 and under 16 years of age without the consumer’s opt-in consent. The prohibition applies where the business has actual knowledge that the consumer falls in that age range, and a business that willfully disregards a consumer’s age is deemed to have actual knowledge. A business may not sell the personal information of a consumer under age 13 unless it obtains the opt-in consent of the consumer’s parent or guardian.
Businesses will have to tag and track opt-out requests and ensure timely compliance. Before any sale of personal information occurs, a business will have to apply a verification protocol confirming that the consumer has not opted out and that the consumer is either old enough to sell without consent or is covered by the opt-in consent described above.
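Taken together, the request-handling obligations above (a 45-day response window, the two-per-12-month limit on disclosure requests, verification before any data is released, and the opt-out and age checks before a sale) are what a compliance team ends up encoding in a tracking system. The following Python sketch is an added example of such a ledger and is not code from the original article; the request kinds, status names, profile fields and the sample dates and consumer identifiers are all assumptions constructed for illustration.

```python
"""Added example: a minimal CCPA consumer-request ledger and pre-sale gate.

Constructed for illustration only; request kinds, status names, profile
fields and every date/identifier below are assumptions, not from the article.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

RESPONSE_WINDOW_DAYS = 45       # respond to a verified request within 45 days
MAX_DISCLOSURES_PER_YEAR = 2    # disclosure requests a business must honor per consumer
ROLLING_WINDOW_DAYS = 365       # the "12-month period" measured as a rolling window


@dataclass
class ConsumerRequest:
    consumer_id: str
    kind: str                          # assumed values: "disclosure", "deletion", "opt_out"
    received: date
    verified: bool = False             # identity check passed before any data moves
    status: str = "open"               # "pending_verification" | "open" | "fulfilled" | "declined"
    fulfilled: Optional[date] = None

    @property
    def due(self) -> date:
        # The clock runs from receipt, not from the date verification completes.
        return self.received + timedelta(days=RESPONSE_WINDOW_DAYS)


@dataclass
class ConsumerProfile:
    consumer_id: str
    age: Optional[int] = None          # None: no actual knowledge of the consumer's age
    opted_out: bool = False            # a "do not sell" request is on file
    opt_in_consent: bool = False       # consumer (13-15) or parent/guardian (<13) opted in


class RequestTracker:
    def __init__(self) -> None:
        self.requests: List[ConsumerRequest] = []
        self.profiles: Dict[str, ConsumerProfile] = {}

    def profile(self, consumer_id: str) -> ConsumerProfile:
        return self.profiles.setdefault(consumer_id, ConsumerProfile(consumer_id))

    def disclosures_in_window(self, consumer_id: str, as_of: date) -> int:
        """Count honored disclosure requests in the 12 months ending at as_of."""
        start = as_of - timedelta(days=ROLLING_WINDOW_DAYS)
        return sum(1 for r in self.requests
                   if r.consumer_id == consumer_id and r.kind == "disclosure"
                   and r.status in ("open", "fulfilled") and start < r.received <= as_of)

    def submit(self, consumer_id: str, kind: str, received: str, verified: bool) -> str:
        """Log a request (ISO date string) and return its initial status.

        Unverified requests are queued, not acted on. A verified disclosure request
        beyond the second in a rolling 12-month window may be declined.
        """
        rdate = date.fromisoformat(received)
        if not verified:
            status = "pending_verification"
        elif (kind == "disclosure"
              and self.disclosures_in_window(consumer_id, rdate) >= MAX_DISCLOSURES_PER_YEAR):
            status = "declined"
        else:
            status = "open"
            if kind == "opt_out":
                self.profile(consumer_id).opted_out = True
        self.requests.append(ConsumerRequest(consumer_id, kind, rdate, verified, status))
        return status

    def fulfill(self, index: int, on: str) -> None:
        req = self.requests[index]
        req.fulfilled = date.fromisoformat(on)
        req.status = "fulfilled"

    def overdue(self, today: str) -> List[int]:
        """Indexes of verified, still-open requests whose 45-day window has lapsed."""
        t = date.fromisoformat(today)
        return [i for i, r in enumerate(self.requests) if r.status == "open" and t > r.due]

    def may_sell(self, consumer_id: str) -> bool:
        """Pre-sale gate: honor opt-outs, then the under-16 opt-in rule."""
        p = self.profile(consumer_id)
        if p.opted_out:
            return False
        if p.age is not None and p.age < 16:
            return p.opt_in_consent     # 13-15: consumer's consent; under 13: parent/guardian's
        return True                     # no actual knowledge of age, or 16 and over


if __name__ == "__main__":
    t = RequestTracker()
    print(t.submit("c1", "disclosure", "2020-01-10", verified=True))   # open
    print(t.submit("c1", "disclosure", "2020-03-01", verified=True))   # open
    print(t.submit("c1", "disclosure", "2020-06-01", verified=True))   # declined
    print(t.overdue("2020-03-01"))                                      # [0]
```

The rolling window matters: a third disclosure request is declined in June 2020, but a request in February 2021 is honored again because the January 2020 request has aged out. The `overdue` list is what a compliance owner would review weekly; a verified request still open past its due date is the enforcement exposure the article warns about.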
Nondiscrimination: Businesses may not discriminate against consumers who exercise their rights under the CCPA. This broad prohibition covers pricing, denial of goods or services, and differences in the quality of goods or services. Any difference in these areas will have to be justified and documented. Businesses may offer financial incentives for the collection, sale or deletion of personal information, provided the business has notified the consumer of the terms and obtained opt-in consent. Such incentives cannot be unjust, unreasonable, coercive or usurious.
Transfer to Service Provider: A business can only provide personal information to a service provider if the disclosure is for a business purpose and is made under a written contract, and that contract prohibits the service provider from retaining, using or disclosing the personal information for any purpose other than performing the services specified in the agreement. Businesses will have to identify the service providers that require personal information (e.g. a shipping company) and ensure that the appropriate contractual provisions governing personal information are in place.