Careers

Experiences

Industries

Offices

Our Firm

Pages

Our People

Updates

Practices

Warner Norcross + Judd LLP is a corporate law firm with over 230 attorneys serving clients in nine offices throughout Michigan. Among the largest law firms in Michigan, Warner works in virtually all areas of business law.

Michigan Law Firm - Warner Norcross + Judd LLP

A business subject to the CCPA should take the following steps to become compliant:

contentpilot/introduction

core/paragraph

Understanding the personal information your organization collects, retains and shares is a critical first step in assuring CCPA readiness. You should be able to answer the following questions: &nbsp;

What personal information does your organization collect from California consumers?

How does it collect this information and from what sources?

Why is the information shared (e.g., provision of&nbsp;services, a “sale”)?

Because employee data and business-to-business contact information is carved out for 2020, you can prioritize your compliance efforts by first focusing on consumer data. &nbsp; 2.&nbsp; Review Your Current Security Controls

The CCPA allows individuals to file a lawsuit and obtain statutory damages if certain personal information is breached due to a business’s failure to utilize reasonable security&nbsp; practices and procedures. Now is the time to review and update your data security and privacy policies and practices to help mitigate the risk of a data breach and subsequent litigation. &nbsp; 3.&nbsp; Develop a Process for&nbsp;Handling Requests to Exercise Individual Rights&nbsp;

Given the short, 45-day response window, you should develop procedures for responding to individual requests and establishing rules for when to deny such requests. Your process should also include appropriate methods to verify that the request comes from the data subject or from an authorized representative of the data subject, taking into account the nature of the information involved in the request. Although the CCPA does not allow you to require that an individual set up an account on your website to exercise his or her individual rights, recent amendments to the CCPA allow you to require that any individual who has set up an account must submit his or her request through that account. &nbsp;Furthermore, you should ensure your process allows for requests to be honored. For example, if an individual opts out of the sale of information, you must be able to implement that request throughout your business and with those vendors and affiliates with whom you have shared that information. &nbsp;&nbsp; &nbsp; 4.&nbsp; If You Sell Personal Information About Children Under Age 16,&nbsp;Develop an&nbsp;Opt-In Process&nbsp;

While adults can opt out of the sale of their information, the CCPA requires an opt-in process for children under age 16. Children who are at least 13 years of age can opt in for themselves, but parents must opt in for children under age 13. &nbsp; 5.&nbsp; Update Your Vendor Agreements&nbsp;

To avoid having data transfers classified as a “sale” of information, businesses need to ensure their agreements with third parties, and even affiliated entities, meet certain CCPA requirements. You will likely need to update your current agreements (or create new agreements if they are not already in place) with any organization that handles personal information about California residents on your behalf.

If you do not update these&nbsp;agreements before January 1, 2020, you may be deemed to be selling information, which implicates opt-out obligations (and opt-in obligations for children under age 16) and requires the use of the “Do Not Sell My Information” button.&nbsp; &nbsp; 6. Ready Your Website&nbsp;

You should determine ahead of time whether to develop a California-specific landing page or integrate CCPA requirements into your general website. Furthermore, you will need to update (or develop) your website privacy policy so that it clearly details all of the following:&nbsp; &nbsp;

The types of personal information you collect;

Whether or not you sell personal information (and, if so, how individuals can opt out of the sale); and

How individuals can exercise their rights under the CCPA, including two or more designated methods for consumers to submit requests (at a minimum, a toll-free telephone number and a website address).

&nbsp; In addition, if you sell (or are deemed to be selling) personal information, you will need a clear, conspicuous link on your homepage (or on the homepage for California consumers), titled “Do Not Sell My Personal Information.” This link must take consumers to a page where they can opt out of the sale and where children under the age of 16 and parents of children under the age of 13 can opt into the sale. &nbsp; 7.&nbsp; Train Your Employees&nbsp;

Finally, begin training your employees on the key aspects of the CCPA, how to respond to individual requests, and the importance of following the organization’s data privacy and security policies and procedures. &nbsp; The CCPA is a data privacy game-changer within the U.S. and it imposes significant obligations on a large swath of businesses. While the obligations and individual rights under the CCPA are similar to obligations and individual rights granted under the European Union’s General Data Protection Regulation (GDPR), the two laws are not identical and compliance with the GDPR does not mean you are automatically compliant with the CCPA. Thus, your business will still need to develop policies, disclosures and contractual provisions that are specific to the CCPA.

Non-compliance with the CCPA will be costly.&nbsp;

The California Attorney General is authorized to enforce the CCPA with penalties of up to $2,500 per consumer violation. Additionally, consumers whose data is the subject of a data breach can sue for between $100 and $750 per incident if the business failed to implement reasonable security procedures. The CCPA expressly voids any arbitration provision or class action limitation on this right. If your business meets the statutory thresholds noted above, compliance efforts should be started well in advance of January 1, 2020.

For more general information about the CCPA and to learn whether it applies to your organization, read “<a href="~/Publications/Preparing-for-the-California-Consumer-Privacy-(1)" target="_parent" rel="noopener">An Overview of the CCPA</a>.” &nbsp;

Partner

Kelly R. Hollingsworth

Of Counsel

Norbert F. Kugele

Cybersecurity and Privacy

Data Analytics and eDiscovery

Data and Information Governance

How to Prepare for the CCPA

Warner Norcross + Judd LLP is responsible for the contents of our advertising and this website. Please read our full <a href="/privacy-policy/" aria-label="see privacy policy">privacy policy</a> available on our website. If you have any questions or comments about our website or our Privacy Policy please contact us at <a href="mailto:info@wnj.com">info@wnj.com</a> or 616.752.2000.

How to Prepare for the CCPA

professionals