While the CCPA has been in effect since Jan 1st, companies that do business with California consumers now risk penalties for noncompliance.

This is a guest post by David T. Shafer and Emily J. Rouleau of PilieroMazza PLLC.

Despite requests for delay due to COVID-19, California Attorney General Xavier Becerra has affirmed that enforcement of the California Consumer Privacy Act (CCPA) has started, effective July 1, 2020. The CCPA is a huge step forward in data privacy law, granting California consumers robust data privacy rights and increased control over their personal information. Previous PilieroMazza coverage of the CCPA can be viewed here and here.

While the CCPA has been in effect since January 1, 2020, companies that do business with California consumers will now risk penalties for noncompliance. Below is key information for companies seeking to ensure CCPA compliance and to avoid enforcement action.

Approval of Final Regulations

The Office of the California Attorney General submitted the final proposed CCPA regulations package to the California Office of Administrative Law (OAL) on June 1, 2020, for review. OAL has 30 working days, plus an additional 60 calendar days, to review the package.

Once approved, the final regulation text will be filed with the Secretary of State and become enforceable by law. OAL is not expected to make significant changes to the regulations, so a full analysis of the rule will likely be necessary for the creation and implementation of a robust CCPA compliance program.

Compliance Tips

To understand whether or not you are subject to potential enforcement, first determine if you fall within CCPA’s compliance criteria. Critically, the statutorily defined terms “consumer” and “personal information” are far broader than comparable statutes and regulations found in other jurisdictions, though that itself is currently the subject of debate in many state legislatures.

The enlargement of these terms causes CCPA’s jurisdiction to be larger than it appears on the face of the statute. Below are certain high-level questions that can help a business determine if it meets certain threshold standards:

  • Do you, or any of your subsidiaries or affiliates, engage in business in California?
  • Do you do business with contacts or employees who reside in California?
  • Does your business have over $25 million in annual gross revenues?
  • Does your business buy, sell, or receive personal information?

If you fit certain initial criteria, we recommend identifying the type of personal information your business collects. As briefly mentioned above, CCPA broadly defines personal information as any information that directly or indirectly identifies, describes, or can be reasonably linked to a particular consumer.

CCPA grants consumers significant rights to the use of their personal information, including general notice rights. It is here that companies can take proactive steps to prepare for CCPA’s implementation.

More specifically, CCPA grants consumers the right to know what personal information a business collects, sells, or discloses about them. Additionally, several sections of CCPA require businesses to make affirmative disclosures to consumers by way of privacy policies and other notices.

With the expiration of CCPA’s safe harbor and subsequent July 1, 2020 enforcement, steps that can be immediately taken may include, but are not limited to, the following:

  • updating notices and privacy policies;
  • reviewing data flows including data mapping and classification;
  • segregating data and IT systems between regulated and non-regulated data repositories;
  • implementing cookie banners and web beacons in accordance with CCPA-compliant privacy policies;
  • implementing individual request processes (including opt-out and deletion); and
  • implementing training to meet CCPA’s new requirements.

What to Watch

The California Secretary of State recently announced that the California Privacy Rights Act (CPRA) will be on California’s November 3, 2020, ballot. If approved by voters, the CPRA would significantly update and amend the CCPA, allowing California consumers to block businesses from using a new category of information known as “sensitive personal” information and establishing a new enforcement authority to protect data privacy rights.

PilieroMazza’s attorneys will continue to monitor the CCPA, along with legal developments for data privacy in other states. For assistance with CCPA implementation in your business, please contact the authors of this client alert, Dave Shafer and Emily Rouleau, or a member of the Firm’s Cybersecurity & Data Privacy Group.

This post originally appeared on the PilieroMazza website at https://www.pilieromazza.com/california-consumer-privacy-act-enforcement-effective-july-1/ and was reprinted with permission.
