The California Consumer Privacy Act (“CCPA”) was enacted in early 2018 and went into effect in 2020. Among many concerns about the ability of small businesses to comply with obligations imposed by the CCPA is the requirement that a company allow Californians to access the information held about them, or, in some situations, request that the information that they provided to a company be deleted. Your clients may be asking you about the CCPA. While each business should evaluate the law in terms of its own specific situation, here are some general guidelines to start the process.
If your business satisfies one or more of the following, then the CCPA applies:
(i) annual gross revenue in excess of $25 million?
(ii) buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices, (a) for commercial purposes (assume always true), (b) alone or in combination (assume always true), (c) annually, and
(iii) derives fifty percent (50%) or more of its annual revenues from selling consumers’ personal information.
Even if the business does not collect personal information, as long as is collected on behalf of a business (such as through a third party), the business could be covered by the CCPA, assuming the other requirements are satisfied.
The Do Not Sell rule is a key part of the regulation. It states that businesses must give consumers the option to opt-out of the sale of their personal data.
Specifically, the regulation says that businesses must:
Businesses and website owners need to put processes in place that will help them adhere to the above guidelines.
For more information about the impact of the CCPA on your business, please contact the lawyers at Adler Law Group to schedule a consultation.