U.S.-based franchisors and other American businesses were just getting used to compliance with the European Union’s General Data Protection Regulation (GDPR) when, on June 28, 2018, California Governor Jerry Brown signed into law the 2018 California Consumer Privacy Act (CCPA). In its current form, the CCPA applies to any business that collects personal information from California residents and (1) has annual gross revenues of $25 million or more; (2) buys, receives, sells, or shares the personal information of at least 50,000 California residents, households, or devices annually; or (3) derives a minimum of 50 percent of its annual revenue from selling California residents’ personal information.

The law was passed quickly with little debate after a consumer privacy organization agreed to withdraw a much broader privacy initiative that would have appeared on the November ballot. It does not go into effect until January 1, 2020, and will likely go through several rounds of revisions as efforts are made to clarify the legislation. It is similar to the GDPR in the notification and access rights it gives to consumers and may become the de facto national standard for how businesses use personal information to market their products and services.

Here is a glimpse into some of the key provisions of the current version of the CCPA:

Disclosures and Right to Opt-Out. Consumers must be able to opt out of the sale of their personal information, and businesses are required to notify consumers of this right. The opt-out notification must list the categories of information collected about consumers in the past 12 months and identify whether the business sells or discloses personal information.

No Discrimination. A business cannot discriminate against a consumer because the consumer asserts any rights under the CCPA, including exercising their right to opt out of the sale of their personal information.

Right to Deletion. With certain exceptions, California residents will have the right to have any personal information collected by a business deleted upon request.

Enforcement by Attorney General and Limited Private Right of Action. The CCPA is enforceable by the California Attorney General and authorizes a civil penalty of up to $7,500 per violation. California residents have a private right of action under the CCPA only when unencrypted information is accessed during a data breach.

While the CCPA does not become effective until January 1, 2020, and likely will be amended, its passage and the recent implementation of the GDPR are indicative of a major shift in consumer expectations. Franchisors should take action in advance of the effective date, including:

  • Determining if and how the CCPA may apply to their businesses and individual franchisees.
  • Performing data mapping as necessary to inventory the personal information collected on California residents, households, and devices.
  • Implementing internal policies and procedures for handling data access requests.
  • Updating privacy policies with new disclosures regarding data access and deletion.
  • Preparing incident response plans and teams as necessary to handle data breach notification requirements.
  • Informing franchisees of the CCPA and the need to comply if the CCPA applies to their business.
  • Determining the extent to which franchisors will provide further guidance to franchisees through updated privacy policies and other directives.