What Does Doing Business in California Mean Under the CCPA?

Under the CCPA, companies must provide a link on their website's home page titled "Do Not Sell My Personal Information" to allow California residents to opt-out of having their personal information sold. Companies must also disclose what personal information they h

What Does Doing Business in California Mean Under the CCPA?

Doing business in California under the CCPA means that companies must comply with certain regulations regarding the collection and sale of personal information of California residents. Companies must provide a link on their website's home page titled "Do Not Sell My Personal Information" to allow California residents to opt-out of having their personal information sold. Companies must also disclose what personal information they have about a California resident and what they do with it, as well as delete the personal information upon request. The CCPA applies to companies that transact online with people who reside in California, have employees who work in California, or have other connections to the state, even if they do not have a physical location in the state.

If a company is ordered not to sell the personal information of a California resident, they must comply with this order. Companies should also review their existing agreements with third party service providers to ensure that they include the required language. If a company rejects an opt-out request, the consumer can contact the company to ask for their reasons. The CCPA also gives California residents the right to bring private lawsuits against a company if unencrypted or unredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure due to the company's failure to implement and maintain reasonable security.

When transferring business assets to a third party in the course of a merger, acquisition, or bankruptcy, companies must take into account consumer personal information that may be part of these assets. Businesses are not required to verify that the person submitting an opt-out request is actually the consumer for whom they have personal information, but they may need to request additional information from them to ensure that they stop selling the right person's personal information.