On June 1, 2020, Xavier Becerra, the Attorney General for California, submitted the final package of regulations for the California Consumer Privacy Act (“CCPA”) to the California Office of Administrative Law (“OAL”). For businesses required to comply with the CCPA, the package outlines the requirements for privacy notices, methods for submitting requests to know and delete consumer information, verification of consumers, special rules regarding minors, and non-discrimination.
The CCPA was signed into law in June 2018 to provide additional protections for consumers and their rights to know, delete, and opt out of storing their data. The law also gives greater legal recourse to consumers if their data is improperly stored by, and/or stolen from, companies subject to the law. Among its many protections, the CCPA affords consumers the right to:
A consumer who finds a business to be in violation of the CCPA has recourse to recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty dollars ($750) per incident or actual damage, whichever is greater; injunctive or declaratory relief; and/or any other relief the court deems to be appropriate.
Read the full text of the law here.
Under the proposed final regulations, businesses that must comply with the CCPA must abide by several requirements, including the following:
Read the final proposed regulations here.
The CCPA exempts certain information that is collected, processed, sold, or disclosed pursuant to the requirements set forth in the Gramm-Leach-Bliley Act (“GLBA”) and the California Financial Information Privacy Act (“CA SB-1”). This would include information such as driver’s license information, social security numbers and other information obtained to provide investment services.
More than likely, what is not exempt is information collected on non-consumers (such as prospects or lead lists and business contacts) and other information not required for the delivery of investment services (such as internet use, CRM/marketing data, "cookies" data, employee data and deal sourcing data).
Firms should begin by reviewing and mapping the types of consumer data that are captured. Next, firms should review the text of the final regulations and consider whether any of their data collection activities are subject to the CCPA. Firms should then take steps to consider (1) how they handle requests to know and delete data; (2) verifying the identities of individuals requesting to know and delete data; (3) providing training to employees who will handle the requests; (4) performing due diligence on service providers that are required to comply with the CCPA and considering updating service agreements to include additional protections; and (5) reviewing cybersecurity, privacy, and incident response policies and procedures to ensure that data protection controls are up to date.
Jacko Law Group can help your firm review its privacy policies, determine whether any of your data collection activities may be subject to the CCPA, and update your privacy policies and notice accordingly. Additionally, our attorneys can assist you with reviewing your service agreements to ascertain whether additional provisions and protections need to be added for service providers that are subject to the CCPA. Our team of attorneys will use our extensive experience to ask detailed questions designed to assist your firm with determining whether it is subject to the CCPA and ensuring that adequate controls are in place to remain compliant.
Jacko Law Group provides tailored legal services and effective strategies for success, delivering exemplary solutions to complex legal and regulatory challenges to ensure that both business efforts and compliance obligations are satisfied.