What You Need to Know — and Do — About the CCPA
On January 1, 2020, the California Consumer Protection Act (CCPA) will become the law of the land in the fifth-largest economy in the world.
Although its reach is technically limited to California’s citizens and the larger enterprises that serve them, the CCPA will have major impacts on businesses — and data privacy norms — across the nation, since it covers out-of-state enterprises that sell to or display websites to Californians.
What’s more, most lawyers believe that given the size of California’s economy and the widespread clamor for improved data privacy, most U.S. firms will adhere to the CCPA.
“Three criteria are used to determine which organizations, including for-profits that collect consumers’ personal data, are subject to the CCPA,” explains Quest Vice President of Enterprise Risk Management Shawn Davidson.
He notes that meeting any one of these criteria subjects your firm to the new law: annual gross revenues exceeding $25 million; possession of personal information about 50,000 or more consumers, households, or devices; or earning more than half of annual revenues from selling consumers’ personal information.
What the CCPA does
CCPA-impacted organizations will have to tell consumers upfront what personal data they collect and must update these disclosures annually.
In addition, the CCPA grants California consumers several new rights regarding their personal data — including geolocation data; biometrics; employment/academic data; data from internet browsing and products considered or purchased; data used to generate individual profiles; and likely more.
For businesses, this means…
- Upon a consumer’s request, you will be required to disclose your data collection and sales practices, including the categories of personal data you’ve collected, where/how you got it, how you use it, whether the data has been disclosed or sold to third parties, and, if it has, what categories of data