If you are doing business in California, the way you handle personal data could soon change in significant ways. The California Consumer Privacy Act (“CCPA”) goes into effect on January 1, 2020, and the time to start preparing is now.

The CCPA applies to for-profit companies that do business in the State of California, and either:

  1. Have annual revenue exceeding $25,000,000; 
  2. Handle the personal information of 50,000 or more California consumers; or 
  3. Derive 50% of more of their annual revenue from selling California consumers’ personal information.  

The CCPA does not explain what it means to “do business in California,” but based on how that phrase is defined elsewhere in California law, it will likely extend to companies that offer goods or services to people or entities in California, regardless of where those companies are physically located.

The CCPA imposes various obligations, many of which will require companies to begin implementing compliance measures well in advance of January 2020.

For example, the CCPA provides California consumers with a number of individual data privacy rights relating to the use of their information in the preceding 12 months, including the right to obtain from companies: (1) the personal information collected about the consumer; (2) the consumer’s personal information sold by the company; and (3) the consumer’s personal information disclosed by the company for a business purpose.

So if these consumer rights become effective on January 1, 2020, companies will be obligated to disclose personal information that was collected as early as seven months ago (January 1, 2019).

By January 2020, companies engaged in business in California also will need to have procedures in place to receive and process requests for information from California consumers. And companies must establish processes to comply with consumers’ new right to opt out of the sale of their personal information to third parties, and the new right to have their personal information deleted (with some exceptions). Companies may need to revise their existing privacy policies and disclaimers to ensure that they are CCPA compliant. And companies will need to train their employees on how to properly handle California personal data.

To be sure, there is still some uncertainty about the CCPA’s final form. Amendments to the law are currently being considered and regulations for the CCPA have still not been promulgated by the California Attorney General. But make no mistake: the CCPA is coming.

You may have heard that the CCPA is similar to GDPR, and in some respects that is true. But just because your company is GDPR compliant does not necessarily mean it is CCPA compliant. For example, the CCPA provides consumers with an express right to opt-out of the sale of personal information to third parties and requires businesses to display a clear and conspicuous link on their homepage – titled “Do Not Sell My Personal Information” – that allows consumers to submit an opt-out request. Although the GDPR contains a qualified right to object to processing of personal data in general, it does not contain this express right to opt-out of sales, and does not require the “Do Not Sell My Personal Information” link.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.