Look Out for the 'Look Back'—Begin CCPA Prep Now
To comply with the CCPA look-back provision, businesses should have begun record-keeping as of Jan. 1, 2019.
February 01, 2019 at 04:00 PM
This past summer the California legislature passed, and later amended, the California Consumer Privacy Act of 2018 (CCPA). The CCPA grants California consumers an unprecedented number of rights regarding their personal information (PI) and expands consumer privacy expectations. Although the CCPA does not go into effect until Jan. 1, 2020, a key provision known as the “look back” requires California businesses covered by the CCPA to begin preparing now. This article provides a brief overview of the key provisions included in the CCPA, the “look back” provision, how to take action for compliance now and the potential penalties for violating the CCPA.
Although the CCPA will go into effect on Jan. 1, 2020, it should be noted that many of the regulations related to key provisions, such as the scope of definitions, opt-out provisions and penalties, remain unclear. The California Attorney General's Office is currently soliciting public comments on the CCPA to help address these issues.
Is Your Business Affected by the CCPA?
The CCPA regulates businesses, defined as for-profit entities doing business in California that are the controllers of the data and that either: have gross revenue in excess of $25 million; annually buy, receive, sell or share the personal information of 50,000 or more consumers; or derive 50 percent or more of their annual revenue from selling personal information.
What Kind of Information Is Protected?
The purpose of the CCPA is to protect the PI of all Californians. Under the CCPA, “PI” is defined broadly as “any information that … relates to … a particular [California resident] or household.” The CCPA provides a long list of examples of PI including: online identifiers, financial information and geo-location data. Some PI intersects with other California laws, including California's Net Neutrality Act, which may still have an effect on the CCPA even if struck down. The CCPA's protection applies to consumers, employees, individual representatives of businesses or any other California resident.
Under the CCPA, the obligations of a business to protect California residents' PI fall into five general categories: transparency, access, deletion, choice related to the sale of PI, and nondiscrimination.
For example, a business must track the PI it collects, inform consumers at or before collection and tell them the purposes of the collection. If the business later decides to use the information for other purposes, it must provide further advance notice to the consumer. In addition, businesses must inform consumers of their rights under the CCPA and have a “Do Not Sell My Personal Information” web-based opt-out tool and program that enable consumers to prevent the sale of their PI. Any party that is sold PI, even if not a regulated business, may not resell it without first giving the consumer notice of the right to opt out of sales, and must accept and honor opt-outs.
How Can Businesses Prepare Now for the 'Look Back' Provision?
The CCPA also includes a 12-month look back provision which gives consumers the right to access their individualized information for the past 12 months from the business. Upon a verified request from the consumer, a business must provide the following personal information to the consumer:
- The categories of PI collected about that specific consumer.
- The categories of sources from which the PI is collected.
- The specific pieces of PI collected about that consumer.
- The business and commercial purpose(s) for collecting or selling the PI.
- The categories of third parties with which the business “shares” PI.
- For PI that is sold, the categories of the consumer's PI sold to what categories of third parties and the categories of the consumer's PI sold to each applicable third party.
- For PI that is disclosed for a business purpose, the categories of the consumer's PI that were disclosed.
Steps to Prepare Your Business for Compliance
Given that the CCPA becomes effective on Jan. 1, 2020 with the 12-month look back provision, consumers will have the right to access their PI dating back to Jan. 1, 2019. Therefore, in order to comply with the effective date of Jan. 1, 2020, businesses should have begun record-keeping as of Jan. 1, 2019.
Below are five operational steps for your business to take now in order to be ready for CCPA compliance:
Step 1: Initiate a readiness assessment—look at the regulations and procedures already in place at your organization in order to evaluate whether processes need to be updated or created altogether.
Step 2: Begin data inventory and record-keeping—map the processing of personal information of California consumers as of Jan. 1, 2019. If there is a clear process in place now, your business will be able to look back efficiently should you receive a request for information.
Step 3: Combine your internal process with the CCPA Data Subject Access Request (DSAR) procedure, to ensure complete and accurate handling of the consumer request.
- Create templates for responding to consumer requests, and internal compliance policies to follow, for consistency.
Step 4: Plan employee trainings—updated employee training is mandatory for those who will be facing consumers and handling consumer information.
Step 5: Update your online presence.
- Update your online privacy notices and policies (both GDPR and CCPA have specific requirements regarding the information to disclose to consumers/data subjects).
- Update and streamline your process for consumers to access the CCPA information.
- Provide an online opt-out mechanism for consumers.
What Are the Potential Penalties for CCPA Violations?
The California Attorney General can impose penalties of $2,500 per violation and up to $7,500 per intentional violation.
Additionally, companies that become victims of data theft or other data security breaches can be ordered in civil class action lawsuits to pay statutory damages anywhere between $100 and $750 per California resident and incident, or actual damages, whichever is greater.
Many business and legal professionals believe that the current version of the CCPA will likely undergo additional revisions before its Jan. 1, 2020, enforcement date. Regardless of the likelihood of modifications to the CCPA, businesses should assume that the finalized law will substantially increase the required level of privacy transparency and choice for consumers. Given this likelihood and the 12-month look-back provision, businesses need to begin collecting consumer data and implement data management systems and practices that will enable compliance come Jan. 1, 2020.
Tarah Powell-Chen is an associate at Murphy, Pearson, Bradley & Feeney in their San Francisco office where she represents individuals and corporate clients with matters involving professional liability, commercial and business litigation, real estate, employment law and data privacy issues. She also serves as general counsel to various California businesses and law firms, providing advice and counsel on data privacy compliance, regulatory issues and general contract review. Powell-Chen can be reached at 415-962-2849 or [email protected].
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.