CCPA – High-Tech Law Blog

Does the CCPA Apply to Your Business?

November 24, 2019 stanczyk CCPA, Privacy Law

With the CCPA going into effect soon, and the look back period already in place for the current time period, I thought it would be helpful to lay this out, as the CCPA has gone through some amendments and there is some confusion out there about the CCPA’s scope.

If your company falls into either 1 or 2 below (or both), then it is subject to the CCPA and should comply with its requirements:

1. The company (i) is a for profit business, (ii) that does business in the State of California (there is a legal test to determine this), (iii) that collects, or has collected for it, California consumer’s personal information and determines the processing of such information

AND

the company also meets at least one of the following factors: (x) it has at least $25,000,000 in annual gross revenue, (y) it buys, sells, shares or receives the personal information of at least 50,000 California consumers each year, or (z) it receives at least half of its annual revenue from “selling” California consumer’s personal information.

2. The company controls or is controlled by a business that meets the requirements in 1. above.

World Privacy Laws – Termly

August 19, 2019 stanczyk CCPA, European Union Law, Privacy Law

I found an infographic created by Termly and they were nice enough to allow me to post it on my site. They have a free terms of use and privacy policy generator which are great for simple sites and also provide a host of other services.

Avoiding the Dreaded Link under CCPA: “Do Not Sell My Personal Information”

August 16, 2019 stanczyk CCPA, Privacy Law, Technology, Uncategorized

Many companies that do substantial business in CCPA may fall under the scope of the CCPA. If they do, and they don’t take actions beforehand, they are required to put a link, in a clear and conspicuous manner, on the company’s homepage (as well as in the privacy policy), that reads “Do Not Sell My Personal Information“. If this link is clicked on it must provide a mechanism (that must work) in which the consumer can opt of of having its personal information “sold”, and the company must refrain from soliciting the sale date of the opted out individual for 12 months after the opt out. It should be noted that the CCPA allows the link to not appear on the company’s main web-page if the company creates a web-page for CA residents only (because of the technology infrastructure needed to do this, its likely most companies subject to CCPA will not be able to do so, at least not right away).

When the company’s legal department or outside counsel tells the marketing department that the link has to be put on the main website of the company by January 1, 2020, the reaction is “We can’t do that. How do we avoid it?” Anyone involved in sales or business development understands that a link of that nature will not help revenue generation and the PR issues associated with it are not favorable.

By way of background the CCPA applies to any business (of a certain size or that generates over a threshold amount of revenue from CA), that “sells” personal information about California consumers to third parties. CCPA Section 1798.120(a). “Sell” under the CCPA is defined broadly meaning sharing the personal information for any value at all.

The answer to the marketing department’s question of how the company gets out of putting the link on the company’s homepage is that the company has to take action to ensure that it is not subject to the requirements of the CCPA, specifically that the company does not “sell” personal information. Each company likely has multiple vendors, subcontracts, service providers and other parties it has contracted with. A number of those agreements likely involve the sharing, making available, or outright sale of personal information to the third party. Usually the agreement includes more than simply the personal information. What the company should do is go through all of their agreements and amend any that involve the sharing or making available of personal information so that it is clear that any consideration provided by the third party under the agreement is not in exchange for personal information (i.e. that no consideration is changing hands related to the personal information). This assumes that the company’s business operations do not generally involve sale of this data (if they do, the CCPA will apply, absent a fundamental change in the company’s business model), and this course of action may not be available for all companies.

The “Look Back” Requirement of the California Consumer Privacy Act of 2018

January 21, 2019 stanczyk CCPA, Privacy Law

So while the California Consumer Privacy Act of 2018 won’t take effect until 2020 (or later depending on when the regulations are issued), when it does go into effect, part of it will require companies who are subject to the act to have kept records of the data collected within the 12 months prior to the effectiveness of the act. This seems a little retroactive in application and its questionable legally of how this will be enforced, but any companies that are doing business in California should be cognizant of the application and time periods here and should have a procedure in place to track what is being collected and from whom. Additionally when the Act does come into effect, the companies will have to inform California consumers about the data that has been collected, how it was used, especially if it was sold to or shared with third parties. Having a procedure in place to track it now is important.