The new California Consumer Privacy Act (CCPA) goes into effect on 1 January 2020. The CCPA can apply to businesses even if they do not have offices or employees in California. It can also apply to processing activities conducted outside of California. The CCPA is the first comprehensive US privacy law to require changes in the day-to-day interaction between businesses and their customers. UK businesses must therefore consider whether they fall within the scope of the CCPA.
Organisations that have already taken steps to comply with the GDPR may find that they have fewer adjustments to make in their data practices to comply with the CCPA.
However, complying with the GDPR does not automatically mean you are complying with the CCPA. For instance, the CCPA and GDPR have different provisions on deadlines, record keeping requirements and definitions. UK businesses may therefore need another layer of compliance procedures in addition to those under GDPR to ensure they are covered.
The CCPA will apply to any for-profit UK business entity:
- doing business in California;
- collecting or telling others to collect personal information of consumers who are resident in California;
- determining the means and purposes for using the personal information; and
- which satisfies at least one of the following thresholds:
  - your annual gross revenue is over $25,000,000;
  - you annually buy, receive, sell or share the personal information of at least 50,000 California residents, households or devices; or
  - you derive 50% or more of your annual revenue from selling personal information of California residents.
Is your organisation doing business in California?
UK businesses are likely to be considered as 'doing business in California' regardless of whether or not they have physical offices or employees in California, if they:
- are actively engaging in any transaction in California for the purpose of financial gain;
- have sales, property or payroll in California which exceed certain thresholds;
- are offering goods or services to individuals in California; or
- carry out online activities that monitor the behaviour of California residents (e.g. tracking cookies).
Top 10 things UK businesses need to do for CCPA compliance
1. Delegate CCPA compliance oversight to a knowledgeable employee or team.
2. Maintain and regularly update a business-wide privacy policy.
3. Implement and maintain reasonable security practices.
4. Maintain procedures to respond to requests for access to personal data and specific pieces of information.
5. Maintain procedures to respond to requests to delete personal information.
6. Maintain procedures to respond to requests to opt-out of sale of personal information.
7. Update vendor contracts to comply with CCPA and avoid being characterized as “selling” personal information to vendors.
8. Maintain procedures for collection and use of personal information of minors (as applicable).
9. Conduct appropriate privacy training for personnel depending on their job function.
10. Assess affiliates’ need to comply with the CCPA and implement group-wide compliance if necessary.
If you have questions regarding this alert, please contact the WBD Data Protection team: Andrew Kimble (Partner) or Peter Given (Legal Director).
This article is for general information only and reflects the position at the date of publication. It does not constitute legal advice.