In Meyer Law's Blog

By: Shalini Bhasker, Associate Attorney at Meyer Law

The California Consumer Privacy Act (CCPA) goes into effect January 1, 2020 and is expected to impact nearly every entity that conducts some sort of business in California. The general idea is that if you collect personal information about a consumer and/or distribute consumer information, you are now responsible to take additional steps to communicate, manage, and protect that information.

“Personal information” is broadly defined as information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This includes identifiers such as name, address, IP address, email address, social security number, driver’s license number, or passport number, records of personal property or products or services purchased, internet activity such as browsing or search history, geolocation data and Inferences drawn from any of the above pertaining to the consumer’s preferences, characteristics, abilities, and more.

Here are three steps you can take to start preparing your business to be in compliance with CCPA:

  1. Take note of the type of information you collect and the way you collect it.
  2. Gain a good understanding of the employees, independent contractors and/or representatives that have access to the information.
  3. Determine how you store the information, where you transfer it and what exactly is getting transferred.

From allowing consumers to opt-out of distributions to complying with reporting requirements to revising contracts to bolster confidentiality terms, and more, it’s important to understand what is necessary to do to comply. To complicate matters, there are certain instances when a business is exempt from complying with CCPA, such as (i) your business has an annual revenue of twenty-five million dollars ($25,000,000) or less, you interact with personal data for 50,000 consumers or less and if 50% or less of your revenue is derived from selling the personal information of consumers; (ii) all personal information from consumers is completely de-identified; and/or (iii) you only collect information about the consumer to complete a specific task and then neither reference, use, sell, or distribute that data. Contact us today so we can help you determine what you need to do in order to comply by the January 1st deadline.

Award20for20email