When Europe’s data privacy law, the General Data Protection Regulation (the GDPR), took effect in May 2018, it had repercussions for businesses all over the world, not only those located in the European Union. The United States has no federal law paralleling the GDPR that gives consumers the right to know what personal information is being collected and sold about them. The California Consumer Privacy Act (the CCPA), which took effect in January 2020, is similar to the GDPR but not identical to it. As the first comprehensive state data privacy law in the United States, it is poised to affect businesses across the state, the nation and the world.
How does the CCPA apply?
The CCPA applies to for-profit businesses that collect personal information of California residents and do business in California, whether or not they are domiciled there, if they meet one or more of the following thresholds: (1) gross annual revenues of more than $25 million; (2) annually buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices; (3) deriving 50% or more of annual revenues from selling consumers’ personal information. Note that the revenue figure is only one of three tests: a small company that handles enough records, or whose main line of business is selling personal information, is covered even if it earns far less than $25 million.
What are the requirements?
Businesses subject to the CCPA must give California residents access to the personal information the business has collected or sold about them in the preceding 12 months. Under the CCPA, personal information is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked with a particular consumer or household.
The law excludes information that is publicly available in federal, state or local government records, and it contains exceptions for activities regulated by other statutes, such as background checks conducted under the Fair Credit Reporting Act. One caveat concerns employee data: even where an exception covers it, employers must still give employees a privacy notice at the point of collection that tells them what categories of personal information will be gathered and the purposes for which it will be used.
Consumers must be given the right to opt out of the sale of their personal information to third parties, and a business may not discriminate against a consumer who does so by changing their level of service or price structure. A business that sells personal information must therefore provide a clear and conspicuous “Do Not Sell My Personal Information” link on its website.
What information is being collected?
Understand the data your company has collected. What are the data points, why is each one collected, where is it housed and who has access to it? To be CCPA compliant, you must be able to produce that information for the preceding 12 months on a rolling basis. As you build this inventory, ask whether you really need everything being collected: data that isn’t useful to your business only increases your risk exposure, and data you never collect never has to be disclosed, secured or deleted.
Are the data secure?
Cybersecurity is a concern across the board. To be CCPA compliant, ensure that your consumer and employee data are secure and that all security procedures are documented; the CCPA gives consumers a private right of action when certain personal information is breached as a result of a business’s failure to implement and maintain reasonable security. Don’t forget data held by outsourced vendors such as human resources or payroll providers. Make sure your contracts with those vendors contain CCPA-compliant provisions, because your company can be held liable if they are not compliant.
Establish and put in place systems for handling access and deletion requests. This is a complex process. Among other things, it requires knowing where the data are (including at vendors), having procedures in place to delete them, training the people responsible for executing requests, updating your online privacy policy, and adding appropriate methods for opting out.
Many states are considering comprehensive data privacy laws, and others (Nevada and Vermont) have adopted more limited protections.
Questions? Contact an MCB Advisor at 703-218-3600.
©2020