The California Consumer Privacy Act (CCPA) took effect Jan. 1. It’s the most sweeping state law aimed at protecting individuals’ personal information that’s collected by businesses, and it’s sending restaurants scrambling to understand and comply.
What’s the big deal? “The CCPA is a completely different kind of privacy law,” says Helen Goff Foster, a privacy expert with Davis Wright Tremaine, a law firm partner with the National Restaurant Association’s Restaurant Law Center. Foster says the CCPA’s broad definition of personal information and the fact that compliance can hit businesses brand-wide—moving from a parent company to franchisees and vice versa—are just two examples of why the law is unprecedented.
The CCPA’s four core rights: The law gives California residents four new rights: They have the right to get notice of a CCPA-covered business’s privacy practices—before the business collects information from them, whether online or offline. They can request access to any personal information that the business holds on them. They can ask that this information be deleted. And they can opt out of the business’s sale of their personal information. The burden on businesses to implement all these processes can be staggering, says Foster.
It’s likely to spread: A dozen states last year proposed a form of privacy legislation similar to CCPA, and more bills are expected this year. “This will continue to evolve,” says Foster. She says the quick pickup across the states and the groundswell of public support are unlike anything she’s seen. “Privacy legislation is going to be a place where restaurants are going to need to have their ‘compliance hat’ on for years.”
Stay tuned: The CCPA itself is in flux. California businesses are now complying with proposed CCPA rules that the state is expected to finalize as soon as this spring. “The proposed regulations themselves are pretty outrageous,” says Foster. “They could get more so or less so” as they’re finalized. The Association is working with Congress on federal privacy bills and collaborating closely with state restaurant associations as more states take up the issue. Visit Restaurant.org/privacy for the latest.
Make sure your 800 number is working. CCPA-covered businesses must have a toll-free number and a web form on their sites to take California residents’ requests for access to and/or deletion of their personal information. They also need a system to verify requesters’ identity.
Have a written information-security plan. If you have a data breach, you’ll want to show you were prepared. “It’s the best way to prove that you do have reasonable procedures, even if your procedures weren’t followed to the letter every time,” Foster says. Include your data-encryption policy and an incident response plan, she advises.
Train your employees. That’s an explicit requirement of the CCPA, and another way to prove you take the law seriously, Foster says.
Get our CCPA white paper at Restaurant.org/dataprivacy.