Is Your Business CCPA Compliant?

By: Vivek Vaidya

The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020 and has wide-reaching implications on businesses in California. To help you understand how the CCPA affects your business, here are a few answers to basic questions:

What do small businesses in California have to worry about when it comes to the CCPA?

In order for the CCPA to apply to your business, you must meet one of the following criteria:

  • You have an annual gross revenue over $25 million
  • You receive, buy, sell or share the personal information of at least 50,000 California consumers
  • You derive at least half of your revenue from selling the information of state residents.

If a small business meets the above-mentioned criteria, here are the top three things that should be prioritized:

1) Understand the breadth of the law

It’s important to understand the somewhat vague definition of “personal information”, which is defined as any info which “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Personal info can include email addresses, social security numbers, driver’s license numbers, employment information, geolocation, biometric information, commercial information, internet activity, audio/video information, or education information not available to the public. If you collect this information, you need to have the capability of fielding user requests to access, delete, or change their personal information.

2) Train your employees (even if you only have a few)

The CCPA requires employees who field customer requests about data privacy practices (deleting personal information, opting out of sharing personal information, etc.) and employees who are responsible for the company’s compliance to undergo instruction to understand the law. Generally, this will require instruction of all customer service representatives and whoever handles legal compliance.

3) Understand the penalties

The penalties for not being CCPA compliant go up to $7,500 per intentional violation and $2,500 for unintentional violations, which are enforced by the California attorney general. Consumers also have the right to pursue their own individual action against non-compliant businesses, and can sue the company if a data breach occurs due to carelessness.

What are the top 5 things they should have in place to be compliant?

Here are the top 5 most pressing details that need to be squared away ASAP if you are a small business owner who meets the criteria of the CCPA:

1) Be sure to clearly outline consumer data. In other words:

A) What personal information do you collect?

B) How do you acquire said data?

C) Where and how do you keep it?

D) Do you share it with other entities?

E) Is the shared data part of provision of service, sale or another purpose?

2) Create a homepage "privacy link":

The CCPA also calls for a privacy link on the homepage of any relevant entity’s website. It must be “clear and conspicuous,” titled “Do Not Sell My Information,” and linked to a page that allows consumers to opt-out of having their personal info sold to third parties.

3) Update Privacy Policies:

The CCPA gives consumers the right to know exactly what personal information is being gathered about them. In order to comply with that, businesses must provide a disclosure “at or before the point of collection.” It must “inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.”

4) Develop a process for fielding consumer complaints:

Starting on Jan. 1, 2020, relevant entities must be ready to field consumer requests about their personal information that are allowed under the CCPA. These requests must be processed free of charge and within 45 days. Some examples include:

A) Request a copy of their personal information

B) Request that their personal info be deleted

C) Obtain consent from a guardian to sell personal info from a consumer under the age of 13

D) Opt out of sharing their personal information with third parties

5) Strengthen data security:

Relevant entities should review and update their info security and privacy policies and actively monitor their data security defenses to ensure that consumer data is not easily stolen, as consumers can seek damages for data breaches covered under the CCPA.

Anything else small business owners should know about this law right now?

There is a 6-month grace period from January 1, where mistakes can go unpunished. There is still plenty of time before you need to be truly compliant as a small business owner who meets the criteria of the CCPA. If you have questions about becoming compliant or need legal aid with preparing a Privacy Policy that is CCPA compliant, feel free to contact Vivek Vaidya of Bend Law Group at Vivek@bendlawoffice.com

Disclaimer: This article discusses general legal issues and developments. Such materials are for informational purposes only and may not reflect the most current law in your jurisdiction. These informational materials are not intended, and should not be taken, as legal advice on any particular set of facts or circumstances. No reader should act or refrain from acting on the basis of any information presented herein without seeking the advice of counsel in the relevant jurisdiction. Bend Law Group, PC expressly disclaims all liability in respect of any actions taken or not taken based on any contents of this article.
