The California Consumer Privacy Act (CCPA) comes into effect on January 1st, 2020. It is a sweeping law about the confidentiality and security requirements relating to individuals’ “personal data.” Even if you aren’t based in California, you may be subject to its coverage if you:
- Serve B2B customers
- Have suppliers or customers in California
- Interact directly with consumers, devices, or households based in California
- Obtain or process any information about individual human beings. Including customers, employees of suppliers or customers, and website or app users.
Among other things, the law requires covered companies to provide very specific consumer notice about their data practices, overhaul their back-end operations in order to comply with access or deletion requests from consumers, and use reasonable measures to secure personal data or risk direct lawsuits by affected individuals. The law’s requirements apply directly to certain companies, and they can also be imposed on B2B companies through contracts with their large customers.
Because of the broad way the CCPA defines “covered information” and its application to companies (including B2B companies) outside California, we recommend that most US businesses consider whether they are subject to this new law either directly or through their customer contracts. Failure to comply can result in substantial financial liability, can cost you business with customers who have to comply, and can cost you opportunities with investors.