The California Consumer Privacy Act, effective January 2020, means that many businesses will have to update their practices and their communications with consumers about data. If the CCPA applies to your business, updating your privacy policy will not be enough. Complying with the CCPA will likely require a change in your data privacy practices as well as an update to your privacy policy, even if you are already compliant with the GDPR.
If you are complying with the GDPR, you’ve already done much of the required foundational work. A GDPR-compliant business has:
A process for responding to requests from individuals who want to opt out, delete, correct, or otherwise exercise control over their personal data.
Records of such requests and how the business responded.
An inventory of the personal data you collect, and what the business does with it, including any transfers or sales of personal data.
An updated privacy policy that tells consumers what information you collect, what you do with it, and how to contact the business to exercise the consumer’s rights over their data.
Agreements in place with vendors and third-parties to ensure that they are handling personal data in a way that complies with the law.
If your business was not required to comply with the GDPR, you will want to get all of the above in place in order to comply with the CCPA.
Even if you are GDPR-compliant, the CCPA has different and additional obligations:
You must provide a “Do Not Sell My Info” link on your website or mobile app so that consumers can opt out.
You may not sell personal information belonging to anyone who is between 13 and 16 years old unless they expressly consent. It is not enough that a consumer between 13 and 16 did not opt out; you must collect an express opt-in. (Data on kids under 13 is protected under US federal law, which requires parental consent and establishes other significant protections.)
You must disclose any financial incentives that your business provides to individuals in exchange for their personal data, and you must disclose how you have determined the value of that personal information.
If you are a data broker, you must register with the State of California.
Keep in mind that the CCPA and the GDPR share a foundation, but have significant differences. It is entirely possible to be compliant with both, but the fact that you are compliant with one does not automatically mean you are compliant with the other. Conversely, if you have determined that you aren’t required to comply with either, you should still consider what practices and notifications will best protect your business from data breach, legal action, and a loss of consumer confidence going forward.
Please note that the above is a high-level overview for your information, and is not intended to be legal advice for your specific situation.