Florida Business and the Impact of the California Consumer Privacy Act
April 23, 2020 at 11:21 AM
Don't let the name fool you. The California Consumer Privacy Act protects—and affects—more than consumers in the Golden State. Signed into law in 2018 to enhance consumer privacy rights and protections for California residents, the law is relevant to any company doing business out of, into, or with the state's residents.
The CCPA took effect on Jan. 1 of this year; enforcement has been delayed until July 1, by which time the California Attorney General's Office is required to adopt and finalize regulations relating to the CCPA. Private civil suits are also permitted in limited circumstances.
Companies should be using this window to learn whether they are affected by the law, and, if so, what must be done to ensure compliance.
The first step is to determine whether your company meets the requirements. Any company that "does business in California" is covered by the CCPA if it meets one of three thresholds. It must have annual gross revenues in excess of $25 million; buy, receive, collect or share data of more than 50,000 people, households, or devices; or derive at least 50% of annual revenues from the sale of consumers' personal information.
If your company meets any of these thresholds, the law requires that your company "implement and maintain reasonable security procedures and practices" to protect consumer data it collects from California residents. Note that the definition of "consumer" is broad—it applies not only to individuals who are customers or potential customers of the business, but also any employees or business contacts that reside in California.
What does "protection" mean? The CCPA grants California residents rights regarding their information that a company collects and how it—and its partners—use, share, sell, or otherwise handle it. Many think data privacy laws apply only to personal information collected online, such as through a website or app. But it is particularly important to note that, at least in the case of the CCPA, the law covers data collected both online and offline.
This goes beyond the use of cookies and targeted advertising and takes a much deeper dive into your information database. Consumers who are California residents now have a right to know what personal data is being collected about them, whether that data is being sold or disclosed and to whom, to access or request the deletion of that personal data, and to opt out of such data being sold or shared with third parties for compensation.
The law also prohibits discrimination against anyone who exercises their privacy rights. For example, a business cannot refuse to sell, charge different prices for, or provide lower quality goods or services to a consumer as a result of exercising their CCPA rights.
When the EU's General Data Protection Regulation (GDPR) went into effect in 2018, many businesses, even in the US, updated their privacy policies to comply with GDPR requirements to the extent they thought the regulation might apply to them. Although the GDPR was widely viewed as the most comprehensive privacy law adopted to date at the time it went into effect, there are substantial differences in how the GDPR and the CCPA define personal information and the rights each law grants to consumers in their respective jurisdictions. So even if you are confident in your GDPR compliance, it is not by any means a guarantee that you are automatically CCPA-compliant.
Assuming you meet the minimum thresholds, consider these five steps to begin preparing your company for CCPA compliance:
- Develop a data map. Trace how your organization currently handles any personal information it collects for California residents, whether they are customers or employees. This practice categorizes the who, what, where, when, and why of the information you're gathering and how your organization is storing, disclosing, and protecting it.
- Perform a risk allocation analysis. Working with your privacy law advisers and IT team, explore how your organization will manage data online and offline to ensure compliance beginning on July 1 and beyond. A thorough review of the practices at your company, and its partners, vendors, subcontractors, agents, and service providers, as well as the applicable agreements in place, can help determine if you and they are in compliance. From a business-to-business (b2b) standpoint, review all existing agreements to ensure third-party vendors and subcontractors are in compliance as well. Addenda should be added to existing agreements to ensure compliance by service providers.
- No copy/paste. Companies often use cookie or privacy policy "generators" to create website visitor notifications and acceptance apps. That approach does not work for the CCPA. Generators, templates or addenda copied and pasted from another site into your terms of service, cookie policy, or privacy guarantees will be insufficient and may either mischaracterize your current business practices or add unnecessary obligations, both of which could create liabilities for your company. Business, operational, sales and marketing, and legal teams must collaborate to customize a privacy program unique to your circumstances.
- Train employees. A privacy policy may be beautifully drafted and technically compliant, but it is only as good as the people who implement it. Businesses need to monitor and train staff on compliance with their privacy programs to make sure the business makes good on its promises.
- Update as needed. The CCPA requires that your online privacy policy be updated at least once every 12 months. Both the CCPA, and to a lesser extent for US companies, the EU's GDPR, set the stage for how companies must master personal data and business relationships in the future. For this reason, companies must review and update privacy policies and practices as needed.
Businesses subject to the CCPA will be required to provide notice to consumers at or before data collection (again, whether in person, on the phone, or online), create procedures to respond to information, opt-out, and deletion requests, and maintain records of consumer requests and how they responded.
Proposed regulations have been made available by the California Attorney General. Businesses can rest assured these rules will require attention and, once finalized, may require additional changes to how the CCPA rules are implemented by businesses. For example, the current proposed regulations require that online privacy notices be reasonably accessible to people with disabilities and comply with industry standards for accessibility such as the Web Content Accessibility Guidelines. This may require additional technical upgrades for your website.
What's more, other states have either passed their own data protection laws, or, like Florida, are mulling them this legislative session. The companion bills in the Florida House (HB 963) and Senate (SB 1670) (collectively, the 2020 Florida Consumer Data Privacy Act), if passed, would create certain privacy rights under Florida law, although the current draft of the Florida Consumer Data Privacy Act does not mirror the definition of "consumer" or grant all the same consumer rights as the CCPA. Until a federal statute is passed, each state could have different rules—all of which likely will require compliance. If your company, its partners, or customers fall into the categories mentioned above, and you haven't already addressed this issue, don't delay. Achieving compliance could take longer than expected, and for those who aren't prepared, July 1 is right around the corner.
David J. Gellen is a shareholder and chair of the corporate department and Patricia Ramsey Chronicle is an associate in the corporate department of Nason Yeager Gerson Harris & Fumero in Palm Beach Gardens.
© 2025 ALM Global, LLC, All Rights Reserved.