The California Consumer Privacy Act: What You Need to Know
Before you assume that the CCPA will not affect you because your business is not located in California, know that companies both inside and outside of California will be affected by its requirements.
December 01, 2018 at 10:00 AM
If your business just completed the frustrating task of complying with (or getting close to complying with) the European Union's General Data Protection Regulation (GDPR), or your business escaped compliance with GDPR, the State of California has thrown you a curveball.
The California Consumer Privacy Act (CCPA), which was signed into law in June 2018 by Governor Jerry Brown, is the first United States law following in the footsteps of GDPR. And before you assume that the CCPA will not affect you because your business is not located in California, know that companies both inside and outside of California will be affected by its requirements.
The CCPA took effect immediately upon Governor Brown signing the law. However, the requirements will not go into effect until Jan. 1, 2020. Additionally, the CCPA requires that the California Attorney General publish regulations between Jan. 1, 2020, and July 2, 2020. Finally, if that wasn't complicated enough, the Attorney General is precluded from bringing an enforcement action under the CCPA until the earlier of six months after the final regulations are published, and July 1, 2020. At this point, businesses must hope that the final regulations are published well in advance of July 1, 2020, so they can fully prepare for implementation of the many requirements.
What follows is a short summary of the CCPA, and how it will affect businesses with exposure to California residents.
What individuals have rights under the CCPA?
The CCPA extends its protections and rights to California residents, defined as any natural person “enjoying the benefit and protection of laws and government” of California who is in California “for other than a temporary or transitory purpose” or “domiciled” in California but “outside the State for a temporary or transitory purpose.”
What businesses are subject to the CCPA?
Briefly, the CCPA applies to for-profit entities that both collect and process the Personal Information of California residents and do business in the State of California. However, a physical presence in California is not a requirement, and it appears that making sales in the state would be sufficient. Additionally, the business must meet at least one of the following criteria in order for the CCPA to apply:
- The business must generate annual gross revenue in excess of $25 million,
- The business must receive or share personal information of more than 50,000 California residents annually, or
- The business must derive at least 50 percent of its annual revenue by selling the personal information of California residents.
Nonprofit businesses, as well as companies that don't meet any of the three above thresholds, are not required to comply with the CCPA.
What is 'personal information' under the CCPA?
Much like the GDPR, the CCPA includes a broad definition of “personal information,” much broader than typical privacy-related laws normally seen in the United States. “Personal information” is defined under the CCPA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The addition of the term “household” adds a dimension to a privacy law that is largely uncharted territory. Specifically, information collected by a business does not have to be associated with a name or specific individual, but rather can identify a household.
The definition of “personal information” under the CCPA also lists a wide range of standard examples that includes Social Security numbers, drivers' license numbers and purchase histories, but also “unique personal identifiers” such as device identifiers and other online tracking technologies.
The CCPA excludes information that is publicly available, which is defined as information that is “lawfully made available from federal, state, or local government records, if any conditions associated with such information,” but excludes biometric information collected without the consumer's knowledge and personal information used for a purpose different from the one for which the information is maintained and made available in the government records or otherwise publicly maintained.
The CCPA also excludes aggregated or de-identified data, as well as medical or health information collected by a person or entity governed by California's Confidentiality of Medical Information Act or HIPAA.
What new rights are given to consumers?
The CCPA provides consumers with more control over their personal information in four ways:
- Knowledge: A business must notify consumers what Personal Information is being collected from a consumer, how that Personal Information is being collected and used, and whether and to whom it is being disclosed or sold. These disclosures generally should occur through a publicly posted privacy notice, and specifically upon request by a consumer.
- Sale of Personal Information: Consumers must be presented with an easy, simple and straightforward process to opt out of having their Personal Information sold to a third party. Consumers who are under the age of 16 must affirmatively opt in to allow their Personal Information to be sold. A business must receive the consent of a parent or guardian for children under the age of 13. Finally, a business must post a “Do Not Sell My Personal Information” link on its homepage, which allows California consumers to easily exercise that right to opt out.
- Personal Information Removal: Consumers may request that a business delete their Personal Information, and businesses must inform consumers that they have this right. Businesses must comply with these requests and ensure the consumer's Personal Information is also deleted by third-party contractors with whom the business may have previously shared that consumer's Personal Information. There are some exceptions to this requirement, such as if the Personal Information is needed to complete a transaction.
- Service Equality: A business cannot discriminate against a consumer who exercises his or her rights under the CCPA. Generally, the CCPA prevents a business from charging a consumer a fee because he or she exercised a right under the CCPA. However, the CCPA does allow a business to charge a different price or provide a different level of service to customers if “that difference is reasonably related to the value provided to the consumer by the consumer's data.” Businesses can offer consumers financial incentives to allow Personal Information collection.
Disclosure Responsibilities
Increased disclosure will be a large part of compliance. Businesses subject to the CCPA will need to proactively explain privacy notices to consumers when personal information is collected. That includes informing consumers of their rights under the CCPA, the categories of personal information collected, the ways that personal information is used, and the categories of personal information the business has sold to third parties in the last year. These disclosures must be updated every 12 months.
Private Right of Action
Opening the door to a potential flood of litigation, the CCPA provides consumers a private right of action if their personal information “is subject to an unauthorized access and exfiltration, theft or disclosure as a result of the business' violation of the duty to implement and maintain reasonable security procedures and practices.” Consumers can file individual or class action lawsuits, and can recover between $100 and $750 in statutory damages per incident, or actual damages. The CCPA also allows consumers to seek injunctive and other forms of relief, and sets out different procedures for actions seeking actual versus statutory damages.
Penalties for Noncompliance
Businesses that fail to comply with the CCPA are subject to civil penalties of up to $2,500 per violation and $7,500 per intentional violation. Once notified of a violation by the attorney general, companies have 30 days to come into compliance in order to avoid penalties, although it is difficult to see how that would apply to a data breach occurrence.
How to Prepare
The CCPA has already been amended once, and may go through additional updates before it takes effect, but businesses should start to prepare now. Privacy notices, other policies and procedures, and websites will need to be updated before the CCPA takes effect. At the very least, a business should start mapping the personal information that it collects and locations where personal information is stored so it can promptly meet any request under the CCPA.
Mark G. McCreary is the Chief Privacy Officer and Co-Chair of the Privacy and Data Security Practice at Fox Rothschild in Philadelphia.
© 2025 ALM Global, LLC, All Rights Reserved.