California Governor Gavin Newsom has signed five bills that will directly amend the California Consumer Privacy Act (CCPA). Signed into law by then-Governor Jerry Brown on June 28, 2018, the CCPA was designed to notify consumers that they can learn about their personal data that is being collected and sold or distributed to third-parties or affiliates and be given the opportunity to opt-out. The effective date of the CCPA is January 1, 2020, and the enforcement date will be on July 1, 2020.
Overview of CCPA
The CCPA applies to any for-profit business entity that does business in California, collects consumers’ personal data, and possesses the personal information of more than 50,000 consumers, houses or devices, has annual gross revenues of more than $25 million or earns more than half of its annual revenue from selling personal information.
Requirements for Financial Institutions
CCPA does differ from California SB-1, the California Financial Information Privacy Act, and will additionally require firms to:
1. Provide consumers with notice requirements, including consumer rights;
2. Obtain opt-in consent before “selling” personal information for individuals under 16;
3. Provide, upon request from the consumer, any information collected, whether it has been shared or sold, and to whom; and
4. Provide for deletion measures and allow consumers the ability to “opt-out” of the sale of personal information to third parties.
Additional Privacy-Related Bills
In addition to the CCPA amendments, Gov. Newsom also signed two other privacy-related laws. AB 1130 will now include governmental identifiers and biometric data as types of data businesses may be held liable for in data breaches, and AB 1202 requires that data brokerage firms register with and provide information to the Attorney General’s office.
Preparation for Compliance
While the amended laws provide some additional details on the CCPA, some vagueness and uncertainty remain. To date, there has been no sign of an extension to the January 1, 2020 effective date. As the date is quickly approaching, firms should proactively prepare for the compliance date.
Preparation will include assessing and mapping the data your firm currently possesses and collects, analyzing the CCPA along with firm activities to determine what activities will fall under regulation, and then taking necessary steps to comply with the CCPA’s notification and consent requirements. Your firm will also need to create policies and procedures in order to respond to consumer requests and train employees accordingly.
Jacko Law Group published a Legal Risk Management Tip earlier this year with detailed steps to prepare for the CCPA. Read the Legal Risk Management Tip.
Should your firm require guidance and assistance in assessing data, implementing privacy safeguards and/or counsel on considerations for strengthening internal controls, privacy policies and notices, and training employees on the CCPA, Jacko Law Group can assist. Contact our team of attorneys today.