The California Attorney General released an alert on April 10, 2020 to remind consumers of their privacy rights and provide information on how consumers can stay secure as they spend more time online during the current pandemic.* The alert specifically reminds consumers of their new privacy rights under the California Consumer Privacy Act (CCPA), including the following:
This recent consumer alert is also a good reminder for companies that have not yet stood up a CCPA compliance program to refocus on the broad scope of the CCPA. For those companies that may need to improve their current CCPA compliance program, it is also a good reminder that they should do so before the looming July 1, 2020 enforcement date.
Companies do not need to be based in California or even have a physical presence in the state to be subject to the CCPA. A "business" will be subject to the CCPA if:
The CCPA adopts an expansive definition of PI that includes "information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." The definition includes not only the data elements typically identified as PI in most state data breach notification statutes, such as name and Social Security number, but also includes, among other things:
This broad definition of PI will pull in a lot of data that companies may be collecting from their website traffic and from lead or prospect lists they purchase or acquire from third parties. It may also pull in any retained audio or video recordings of meetings with prospective or current customers, a common activity in the current work from home environment.
To determine whether your business is subject to the CCPA, you need to both "Know Your Business" and "Know Your Data". If your company has made the decision that it is not subject to the CCPA because it does not do business in California and/or does not collect any PI of California residents, it may be prudent to document this decision. This documentation will make it much easier to respond to a notice of noncompliance from the California Attorney General's office sent on or after July 1, 2020. A closer review of the broad scope of the CCPA may also reveal that your initial decision that your company is not a "business" or does not collect PI of California residents was incorrect.
* See Here.
This alert provides a brief overview of certain CCPA requirements. This document is not intended to provide a comprehensive summary of the CCPA or any related laws or regulations. The information in this alert is provided for general informational purposes only and does not, and is not intended to, constitute legal advice. Financial institutions and other companies should carefully review the CCPA and any related laws and regulations, as the same may be amended from time to time, and consult with their legal counsel to determine the applicability of the CCPA to their unique business operations. No reader of this alert should act or refrain from acting in reliance on any information in this alert without first seeking legal advice from their counsel. Only your legal counsel can provide assurances that the information contained in this document, and your interpretation of this information, is applicable or appropriate to your business. The publication, distribution, and use of this alert does not create an attorney-client relationship between CENTRL Inc. and any reader or user.