White Papers

CCPA Compliance: Where Do I Begin?

Issue link: https://insights.redspin.com/i/1081440

Contents of this Issue


Page 1 of 4

Consider This…. Page 2/5 CCPA Compliance: Where Do I Begin? 9/20/19 CCPA Compliance: Where Do I Begin? The California Consumer Privacy Act of 2018 1 (CCPA) and a series of Amendments and Technical Corrections 2 require businesses that collect, share, or sell the personal information of California residents to provide a long list of privacy rights, including a notice of privacy policies, the right to request an accounting of disclosures, the right of access to their personal information, and to have it deleted. CCPA defines these terms very broadly and the act will apply to many businesses throughout the U.S. that collect the personal information of California residents through their physical or digital presence in the state. The CCPA takes effect on January 1, 2020 but enforcement has been delayed until July 1, 2020. Designing and implementing a CCPA compliance program will take time and require coordination across many segments of your organization. Complicating this challenge are infirmities in the law that require clarification and guidance by the California attorney general on the interpretation of some provisions of the CCPA. However, further legislative action to resolve key issues concerning privacy rights for employee data and information of consumers who are employees or owner of another business directly related to a B2B relationship have been put- off until the 2020 session of the California General Assembly. Notwithstanding uncertainty surrounding some provisions of CCPA, many organizations will require significant time to assess their processes and develop plans for how to comply with the requirements of CCAP. They cannot afford to put off efforts to identify how the act's requirements apply to them. The following are starting points for assessing if CCPA will apply to your organization. Are You a For-Profit Entity Doing Business in California? One approach to assess if an organization has a business presence affected by CCPA is to see if they are incorporated in California. Foreign entities (i.e., an entity not incorporated in California) "doing business" in California comply with some provisions of California's tax and corporate law, and California courts have developed a test to make this determination. Factors that qualify an organization as "doing business in California" include a physical presence (e.g., an office or retail location but for online entities where servers are located, banking is done, or orders for goods and services are taken from a California source for delivery in the state), having employees in California, and holding special licenses to conduct business in California. Another, less strenuous test might be sufficient to yield an initial assessment. Under California law, an entity incorporated in another state operating in California would register with the California secretary of state and pay an annual minimum franchise tax. Looking at whether an organization pays franchise taxes in California, is incorporated in California, or is registered as a foreign corporation with the secretary of state could help identify business organizations that are doing business in California. By its terms, CCPA applies only to for-profit entities. While many healthcare organizations are organized as not- for-profit business entities, it is not uncommon to find a for-profit subsidiary or affiliate operating under their corporate umbrella. Healthcare organizations should carefully examine their entire business enterprise to assure that there are not any for-profit subsidiaries or affiliates. Legal counsel should be consulted in these cases to evaluate the impact such business organization will have on ultimate determination of their status under CCPA. Identify Your Data Controllers The mandate of the CCPA to provide consumers privacy notices and rights to control their personal information extends to for-profit businesses that are data controllers [i.e., "alone or jointly with others determine the purposes

Articles in this issue

view archives of White Papers - CCPA Compliance: Where Do I Begin?