With a new year comes a slate of new state and local laws, and 2020 is no different. However, few of these laws will have the wide-reaching implications of the California Consumer Privacy Act (CCPA). Signed into law in June 2018, CCPA went into effect on January 1, 2020. The overall intention of the law is to regulate data collection policies, and give consumers more control over how their data is used.

CCPA explained

CCPA grants the following rights to California consumers:

• Knowledge – Consumers have the right to know what personal data about them is being collected, used, shared, or stored by a business.
• Control – Consumers can opt out of the sale of their personal information or have it deleted altogether.
• Non-discrimination – Consumers who exercise their rights under CCPA are entitled to the same level of service as any other consumer.

Businesses subject to CCPA must do the following:

• Notify consumers if they are collecting personal information.
• Create procedures to handle opt out and deletion requests including a mandatory “Do not sell my information” link on website or mobile application.
• Respond to deletion or opt out requests in a specific timeframe.
• Have reasonable data security practices in place.

Companies can be subject to fines if they experience a data breach due to poor security practices. In addition, companies that are not compliant with CCPA could be subject to lawsuits directly from consumers or the Attorney General of California.

Will CCPA impact my business?

Any company that does business in California, for example if you’re located in San Diego, San Jose, or Bakersfield, is subject to CCPA if they meet at least one of the following requirements:

• Has gross annual revenues of at least $25 million.
• Exchanges the personal information of 50,000 or more consumers or households.
• Earns more than 50 percent of annual revenues from selling personal information.

This means that many SMBs and startups are likely subject to CCPA especially if they offer digital products and services. The fines as a result of data breaches ($100 – $750 per consumer, per event), could be particularly devastating to unprepared SMBs, as over 40 percent of cyberattacks are aimed at small businesses.

What can I do now to be compliant?

If your business is subject to CCPA you need to at least come into compliance with the basic requirements of the law:

• Opt-out tool – You’ll need to create a “Do Not Sell My Personal Information” link on the homepage or main page of your website that will lead users to a form where they can opt out.
• Contact method – At a minimum you will need a toll-free number that consumers can call to request information about their personal data.
• Updated privacy policies – Your website will need to have information about CCPA and the rights of California residents under the law.

What are the next steps for my business?

One of the most important requirements of CCPA, although probably the least defined is the provision requiring businesses to “implement and maintain reasonable security measures and practices.” Each company will need to approach this requirement differently, but here are a few factors to keep in mind:

• What are all of the sources of the data you collect?
• Where is the data stored?
• Who in and out of your organization (partners and vendors) has access to personal information?
• What personal information do you collect? Is it vital to your business?

Working with an external security partner may make the process of becoming compliant with CCPA and other data security laws simpler. Electric works with small businesses and startups to achieve compliance with the growing number of regulatory frameworks.

This communication is distributed with the understanding that the author is not rendering legal or other professional advice on specific facts or circumstances and, accordingly, assumes no liability in connection with its use.