The California Consumer Privacy Act: What You Need to Know
Before you assume that the CCPA will not affect you because your business is not located in California, know that companies both inside and outside of California will be affected by its requirements.
December 01, 2018 at 10:00 AM
If your business just completed the frustrating task of complying with (or getting close to complying with) the European Union's General Data Protection Regulation (GDPR), or your business escaped compliance with GDPR, the State of California has thrown you a curveball.
The California Consumer Privacy Act (CCPA), which was signed into law in June 2018 by Governor Jerry Brown, is the first United States law following in the footsteps of GDPR. And before you assume that the CCPA will not affect you because your business is not located in California, know that companies both inside and outside of California will be affected by its requirements.
The CCPA took effect immediately upon Governor Brown signing the law. However, the requirements will not go into effect until Jan. 1, 2020. Additionally, the CCPA requires that the California Attorney General publish regulations between Jan. 1, 2020, and July 2, 2020. Finally, if that wasn't complicated enough, the Attorney General is precluded from bringing an enforcement action under the CCPA until the earlier of two dates: six months after the final regulations are published, or July 1, 2020. At this point, businesses must hope that the final regulations are published well in advance of July 1, 2020, so they can fully prepare for implementation of the many requirements.
What follows is a short summary of the CCPA, and how it will affect businesses with exposure to California residents.
What individuals have rights under the CCPA?
The CCPA extends its protections and rights to California residents, defined as any natural person “enjoying the benefit and protection of laws and government” of California who is either in California “for other than a temporary or transitory purpose” or “domiciled” in California but “outside the State for a temporary or transitory purpose.”
What businesses are subject to the CCPA?
Briefly, the CCPA applies to for-profit entities that both collect and process the Personal Information of California residents and do business in the State of California. However, a physical presence in California is not a requirement, and it appears that making sales in the state would be sufficient. Additionally, the business must meet at least one of the following criteria in order for the CCPA to apply:
- The business must generate annual gross revenue in excess of $25 million,
- The business must receive or share personal information of more than 50,000 California residents annually, or
- The business must derive at least 50 percent of its annual revenue by selling the personal information of California residents.
Nonprofit businesses, as well as companies that don't meet any of the three above thresholds, are not required to comply with the CCPA.
What is 'personal information' under the CCPA?
Much like the GDPR, the CCPA includes a broad definition of “personal information,” much broader than typical privacy-related laws normally seen in the United States. “Personal information” is defined under the CCPA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The addition of the term “household” adds a dimension to a privacy law that is largely uncharted territory. Specifically, information collected by a business does not have to be associated with a name or specific individual, but rather can identify a household.
The definition of “personal information” under the CCPA also lists a wide range of standard examples that includes Social Security numbers, drivers' license numbers and purchase histories, but also “unique personal identifiers” such as device identifiers and other online tracking technologies.
The CCPA excludes information that is publicly available, which is defined as information that is “lawfully made available from federal, state, or local government records, if any conditions associated with such information.” This exclusion does not cover biometric information collected without the consumer's knowledge, nor personal information used for a purpose different from the one for which the information is maintained and made available in the government records or otherwise publicly maintained.
The CCPA also excludes aggregated or de-identified data, as well as medical or health information collected by a person or entity governed by California's Confidentiality of Medical Information Act or HIPAA.
What new rights are given to consumers?
The CCPA provides consumers with more control over their personal information in four ways:
- Knowledge: A business must notify consumers what Personal Information is being collected from a consumer, how that Personal Information is being collected and used, and whether and to whom it is being disclosed or sold. These disclosures generally should occur through a publicly posted privacy notice, and specifically upon request by a consumer.
- Sale of Personal Information: Consumers must be presented with an easy, simple and straightforward process to opt-out of having their Personal Information sold to a third party. Consumers who are under the age of 16 must affirmatively opt-in in order to allow their Personal Information to be sold. A business must receive the consent of a parent or guardian for children under the age of 13. Finally, a business must post a “Do Not Sell My Personal Information” link on its homepage, which allows California consumers to easily exercise that right of opting-out.
- Personal Information Removal: Consumers may request that a business delete their Personal Information, and businesses must inform consumers that they have this right. Businesses must comply with these requests and ensure the consumer's Personal Information is also deleted by third-party contractors with whom the business may have previously shared that consumer's Personal Information. There are some exceptions to this requirement, such as if the Personal Information is needed to complete a transaction.
- Service Equality: A business cannot discriminate against a consumer who exercises his or her rights under the CCPA. Generally, the CCPA prevents a business from charging a consumer a fee because he or she exercised a right under the CCPA. However, the CCPA does allow a business to charge a different price or provide a different level of service to customers if “that difference is reasonably related to the value provided to the consumer by the consumer's data.” Businesses can offer consumers financial incentives to allow Personal Information collection.
Disclosure Responsibilities
Increased disclosure will be a large part of compliance. Businesses subject to the CCPA will need to proactively explain privacy notices to consumers when personal information is collected. That includes informing consumers of their rights under the CCPA, the categories of personal information collected, the ways that personal information is used, and the categories of personal information the business has sold to third parties in the last year. These disclosures must be updated every 12 months.
Private Right of Action
Opening the door to a potential flood of litigation, the CCPA provides consumers a private right of action if their personal information “is subject to an unauthorized access and exfiltration, theft or disclosure as a result of the business' violation of the duty to implement and maintain reasonable security procedures and practices.” Consumers can file individual or class action lawsuits, and can recover between $100 to $750 in statutory damages per incident, or actual damages. The CCPA also allows consumers to seek injunctive and other forms of relief, and sets out different procedures for actions seeking actual versus statutory damages.
Penalties for Noncompliance
Businesses that fail to comply with the CCPA are subject to civil penalties of up to $2,500 per violation and $7,500 per intentional violation. Once notified of a violation by the attorney general, companies have 30 days to come into compliance in order to avoid penalties, although it is difficult to see how that would apply to a data breach occurrence.
How to Prepare
The CCPA has already been amended once, and may go through additional updates before it takes effect, but businesses should start to prepare now. Privacy notices, other policies and procedures, and websites will need to be updated before the CCPA takes effect. At the very least, a business should start mapping the personal information that it collects and locations where personal information is stored so it can promptly meet any request under the CCPA.
Mark G. McCreary is the Chief Privacy Officer and Co-Chair of the Privacy and Data Security Practice at Fox Rothschild in Philadelphia.