Major New York Law Firm Kramer Levin has written a post on its website offering companies some information and guidance on the recently passed California Consumer Privacy Act (CCPA).
The act, which went into effect on January 1, 2020, places restrictions on how business can use, retain and disclose the personal information of California consumers while also granting new rights to California consumers with regards to their personal information.
The CCPA’s definition of “personal information” encompasses any information that can be linked to a particular individual consumer or household, including but not limited to names, addresses, phone numbers, email addresses, ID numbers, biometric information, location data, IP addresses, and other internet or electronic network activity.
Only California residents are able to exercise these rights, primarily through a data subject access request (DSAR), which the CCPA requires companies to respond to within 45 days in most cases.
The new rights granted to consumers include the right to request that a business disclose what information is being gathered, how it is going to be used, and what third parties (if any) the information is shared with. The CCPA also give consumers in California the right to opt out of the sale of their information and restricts businesses from discriminating against any consumers who choose to exercise that right.
For any companies that may find themselves subject to the CCPA restrictions, Kramer Levin’s post provides a number of possible actions they can take to avoid contravention.
Though it is stressed that this is not an exhaustive list, some of the actions include updating existing privacy policies and customer agreements, making sure they know where customer data is being stored, reviewing vendor contracts, and implementing appropriate cybersecurity and infrastructure safeguards.
Third parties or “data brokers” are also required to register with the California Attorney General — the list of registered data brokers will be publicly available — and pay an annual registration fee.
Finally, under the CCPA any company selling consumer data in California must place a “clear and conspicuous” link on their homepage and in their privacy policies titled “Do Not Sell My Personal Information” that directs consumers to a webpage where they can opt out of such a sale.
The CCPA also prohibits businesses from selling the personal information of anyone under the age of 16 without their explicit consent.
To see the full post, visit Kramer Levin’s website.
January 30, 2020 – by Tony Bitzionis