The California Consumer Privacy Act (CCPA) takes effect January 1, 2020
What is the CCPA?
Introduced as Assembly Bill 375 and signed into law on June 28, 2018, the California Consumer Privacy Act (CCPA) provides consumers with groundbreaking new rights on the use of their personal information, effective January 1, 2020.
According to the Office of the Attorney General, the CCPA creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. It also requires the Attorney General to solicit broad public participation and adopt regulations to further the CCPA’s purposes.
A copy of the California Consumer Privacy Act Proposed Regulations and other related documents can be found at www.oag.ca.gov/ccpa. We encourage you to review this with your own legal counsel to determine how the CCPA might apply to your business.
Submit Your Comments on Proposed Regulations
As part of the regulatory process, the Attorney General’s Office is holding a public comment period on the proposed regulations, which will include four public hearings throughout the state in the first week of December 2019. The public comment period ends at 5 p.m. PST on December 6, 2019.
For more information on how to attend the public hearings or submit public comments, see the October 10, 2019 press release from Attorney General Becerra.
Table of Contents
- What is the CCPA?
- Submit Your Comments on Proposed Regulations
- What Rights Will California Consumers Have Under the CCPA?
- What Qualifies as “Personal Information” Under the CCPA?
- How Much Will CCPA Compliance Cost?
- Does the CCPA Apply to My Business?
- My Business Is Not in California, Do I Still Have to Comply?
- More Privacy Legislation Is on the Horizon
- What Obligations Do Businesses Have Under the CCPA?
- What Steps Can I Take to Comply With the CCPA?
- How Will the CCPA Impact Collections?
What Rights Will California Consumers Have Under the CCPA?
This landmark piece of legislation gives California consumers:
- The right to know and access personal information that is collected, used, shared or sold;
- The right to delete personal information held by businesses and service providers;
- The right to opt out of sale of personal information. Children under 16 must provide opt in consent, with a parent or guardian consenting for children under 13;
- The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under the CCPA.
What Qualifies as “Personal Information” Under the CCPA?
Personal information under the CCPA is defined broadly as:
“Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household.”
This includes, but is not limited to:
- Personal identifiers, such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers;
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
- Internet activity, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement;
- Biometric information, such as fingerprints and retina scans;
- Geolocation data;
- Sensory data, such as audio, electronic, visual, thermal, olfactory, or similar information;
- Professional or employment-related data;
- Education information;
- Characteristics of protected classifications under California or federal law, such as race, gender, religion, sex and so on;
- Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
How Much Will CCPA Compliance Cost?
Similar to the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act of 2018 (CCPA) will have a huge impact on businesses in terms of compliance costs.
According to the Standardized Regulatory Impact Assessment (“the Assessment”) provided to the Attorney General’s office by Berkeley Economic Advising and Research, LLC, costs include:
- Legal costs to interpret the law and apply it to business operations.
- Operational costs, including labor across departments to facilitate compliance, ongoing training and record-keeping requirements.
- Technological costs, including websites, forms and other systems for handling consumer requests and more.
- Business costs from decisions such as renegotiating contracts and changing business models.
The Assessment assumes the following estimated initial compliance costs to businesses:
- Small (<20 employees): $50,000
- Medium (20-100 employees): $100,000
- Medium/Large (100-500 employees): $450,000
- Large (>500 employees): $2 million
Assuming about 75% of California businesses will be required to comply with the CCPA, the total estimated cost of initial compliance comes to a whopping $55 billion.
There is a silver lining to this compliance cost cloud: businesses that have already made changes for the GDPR should be able to leverage their existing compliance systems for the CCPA, lowering the overall cost.
However, since the CCPA differs from the GDPR, some changes (and costs) will still be required.
Does the CCPA Apply to My Business?
Your business may be subject to the CCPA if it:
- Has gross annual revenues over $25 million;
- Buys, receives or sells the personal information of 50,000 or more consumers, households or devices;
- Derives 50% or more of annual revenues from selling consumers’ personal information.
Businesses that handle more than 4 million consumers’ personal information may have additional obligations under the proposed draft regulations.
My Business Is Not in California, Do I Still Have to Comply?
Despite having “California” in its name, the CCPA will have wide implications outside of California as well, potentially affecting more than 500,000 U.S. businesses.
The CCPA applies to businesses that:
- Collect or sell the personal information of California residents
- Meet one or more of the three criteria (see above) under the CCPA.
Under the CCPA, the definition of California resident includes every individual who is in the state for other than a temporary or transitory purpose, or every individual who is domiciled in the state who is outside the state for a temporary or transitory purpose. The definition is quite broad, which means it appears to cover California residents while they are traveling in other states.
Even if your company is not organized under California law and has no physical presence in California, if you deal with the personal information of California residents, you’ll want to evaluate whether the law applies to you.
More Privacy Legislation Is on the Horizon
Even if the CCPA does not apply to your business now, you will want to closely monitor proposed privacy legislation in other states where you do business.
In 2019, over 43 states and Puerto Rico introduced over 300 bills and resolutions dealing with cybersecurity, indicating that 2020 could be a very active year for the enactment of consumer privacy laws. This issue is also on Congress’ mind at the federal level.
In effect, California will serve as a testing ground of sorts for future legislation in other states, so it is important to think about the potential implications for your business, monitor proposed laws and have a plan in place.
What Obligations Do Businesses Have Under the CCPA?
If your business falls under the scope of the CCPA, you will need to adjust to comply with the law, effective January 1, 2020.
Here are some of the new obligations businesses have under the CCPA (as proposed by draft regulations):
- Provide notice to consumers at or before the time of data collection.
- Create procedures to respond to consumer requests to opt out, access and delete their personal information.
- Respond to requests within certain timeframes.
- Verify the identity of consumers who make requests.
- Disclose financial incentives offered in exchange for retention or sale of personal information; explain how the value of such information is calculated; detail how the incentive is permitted under the CCPA.
- Maintain records of requests and responses for 24 months to demonstrate compliance.
To view the current Proposed Regulations and other related documents, visit www.oag.ca.gov/ccpa.
What Steps Can I Take to Comply With the CCPA?
Step 1: Determine Whether or Not Your Business Is Subject to the CCPA
It may seem obvious, but the first step to complying with the CCPA is to determine whether or not you need to.
Here are some questions you want to consider while you are reviewing with your legal counsel:
- Do you collect, retain, buy or sell the personal information of California residents?
- Is your gross annual revenue over $25 million?
- Do you buy, receive or sell the personal information of 50,000 or more California consumers, households or devices?
- Do you get 50% or more of annual revenue from selling consumer personal information?
- Are you exempt from the CCPA?
- If you’re not exempt, are you a business or service provider, as defined under the CCPA?
Step 2: Review Your Policies Regarding the Collection & Use of Consumer Personal Information
If you do fall under the CCPA, you’ll want to go through your current policies with a fine-tooth comb and determine what, if anything, you need to change. Work with your legal and compliance teams to come up with a game plan for implementing those changes. Decide whether your new policies will apply only to California consumers or to all consumers, and send out an updated privacy notice.
Even if you determine that you are not subject to the CCPA at this time, it is a good idea to re-evaluate your privacy policies now, as more privacy legislation is just around the corner, and you may be required to implement similar changes in the future.
Step 3: Update Your Data Inventory
To be compliant with the CCPA, companies will need to maintain a data inventory, or database, to track all their data processing activities. Ensure that your data inventory has all the necessary information for compliance, including the ability to track consumer requests under the CCPA.
Step 4: Implement Security Updates
Under the CCPA, covered businesses must protect consumer personal information with “reasonable” security, and consumers have the right to sue for data breaches, so now is the time to review your systems and address any high-risk areas that need attention.
It’s also a good idea to review data security policies with any third-party service providers who handle consumer information for your business.
Step 5: Review Contracts With Third Party Service Providers
Do you have third party service providers or vendors that you share consumer personal information with? Or are you a service provider handling a business’s consumer PI?
If so, you’ll want to work with your business partner to ensure you are both on the same page in terms of compliance with consumer requests and other requirements under the CCPA. You may need to revise or add an addendum to your contracts to ensure compliance.
As always, consult with your legal counsel to determine the best course of action.
How Will the CCPA Impact Collections?
For covered businesses and service providers in the accounts receivable and collections space, the CCPA may create more questions than answers, which is why it is important to conduct a thorough review of this law with your legal experts, service providers and vendors.
Some questions you may want to go over include:
- What policy and procedural changes do I need to make with my third-party collection agency to ensure CCPA compliance?
- How does the CCPA apply to various types of collected data, such as skip traced info and asset searches?
- What type of data is exempt from consumer deletion requests?
- How should my third-party collection agency handle CCPA requests in relation to my business, and vice versa?
- How do I respond to requests from non-California residents?
- How can I effectively respond to CCPA requests used by debtors as a tactic to delay or avoid payment?
Still Have Questions After Reviewing With Your Legal Team? Talk to Us!
While the information provided on this website does not, and is not intended to, constitute legal advice, we welcome open discussion regarding the CCPA.
Call us at 800-804-3353 or fill out an Online Contact Form to start a conversation today.
“Your Success Is Our Success”
As a trusted business partner for our clients, Cedar Financial welcomes conversation about the laws and issues affecting your collections efforts, operations and cash flow. Our goal is to help you thrive and succeed, and we do this by providing the most comprehensive debt recovery services, tailored to your business’ needs.
Contact us today. Whether large or small, domestic or international, consumer or commercial, we have solutions to fit your needs.
*The information provided on this website does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. Information on this website may not constitute the most up-to-date legal or other information.