The GDPR Was Just the Beginning
Companies that process personal data of California residents will soon be subject to comprehensive new privacy requirements.
August 21, 2018 at 10:00 AM
7 minute read
Just as those of us in the privacy field had begun to have a slight breather as much of the heavy lifting on the European General Data Protection Regulation (GDPR) was finally behind us, lawmakers in California passed the California Consumer Privacy Act of 2018 (CCPA). The CCPA, effective as of Jan. 1, 2020, will require companies, wherever located in the world, that process the personal data of residents of California to observe restrictions on data monetization, provide for data subject rights that are similar to those found in the GDPR, update their privacy policies and to take steps to protect against the possibility of penalties and liquidated damages.
|Scope
The CCPA will apply to all companies, wherever located, that receive personal data from California residents if they or their parent company or a subsidiary:
(a) Have annual gross revenues in excess of $25 million;
(b) Obtain personal information of 50,000 or more California residents, households or devices annually; or
(c) Obtains 50 percent or more annual revenue from selling California residents' personal information.
The CCPA defines personal information very broadly, expanding the existing definition to include any data that relates to or can be associated with a particular consumer, including contact information; online identifiers; government ID numbers; purchase history and other commercial data; biometric information; browsing/search history; sensory, geolocation, professional, employment, or education data; and any data used “to create a profile reflecting preferences, characteristics, … behavior, attitudes, intelligence, abilities, and aptitudes.” Given the very broad definition of “personal information,” the CCPA will have a profound effect on technology companies whose operations involve the processing of data.
|New Rights for California Residents
Like the GDPR, the CCPA provides data subjects with a number of privacy rights, including:
|- Rights of access and knowledge: Once the CCPA is in effect, California residents will have the right to access and know what personal information is collected. Prior to collection, companies must make a number of mandatory disclosures, including the categories and uses of personal information in transactional and other contexts. California residents will also have the right to know whether personal information is sold or disclosed and to whom. Companies must inform requesting consumers about the categories of personal data sold to third parties or disclosed in connection with a transaction. Third-party recipients of personal information are prohibited from selling the data without notice and an opt-out.
- The right to object: Upon request, companies must stop selling personal information. In addition, companies wishing to sell personal information from children will be required to obtain opt-in consent from the child if the child is 13 to 16 years old or from the child's parent or guardian if the child is younger than 13.
- The right to deletion: Subject to certain exceptions, a company that receives a deletion request from a consumer must erase the consumer's personal information from its systems and must also direct its service providers to do the same. As with the GDPR, this will require companies that are in control of personal information processing operations to enter into agreements with their service providers so as to ensure they will be able to comply.
- The right to be free from discrimination: The CCPA prohibits companies from discriminating against consumers who exercise their CCPA rights.
Enforcement
The CCPA creates a private right of action with the potential to recover damages of $100 to $750 for each affected consumer, exposing companies to an enhanced risk of class actions and costly litigation. In addition, companies will violate the CCPA if they fail to cure within 30 days of receiving notice from the AG. Such violations will be subject to civil penalties of up to $2,500 per violation. Intentional violations can result in civil penalties of up to $7,500 per violation. The AG could seek to multiply penalties by the number of affected consumers and/or the number of days the violation occurred.
|Preparing for the CCPA
Companies that will be subject to the CCPA are advised to act promptly to assess the new law's impact on their business and develop a compliance roadmap. Although compliance is not required until January 2020, as anyone who has been working on GDPR compliance knows all too well, implementing compliance programs for major legislative changes does take a significant amount of time. Here are some concrete steps to take right now:
|- Assess data practices: If not already done recently in connection with GDPR compliances, companies to be subject to the CCPA should consider mapping current data flows and privacy practices.
- Analyze compliance gaps and begin to make necessary changes: Make available designated methods for submitting data access requests, including, at a minimum, a toll-free telephone number. Provide a clear and conspicuous “Do Not Sell My Personal Information” link on the business' internet homepage that will direct users to a web page enabling them, or someone they authorize, to opt out of the sale of the resident's personal information. Companies should also consider reviewing vendor agreements to determine if they need to be renegotiated to address the forthcoming changes in law.
- Update privacy policies: The CCPA will mandate a number of additional disclosures beyond what are typically included in most privacy policies today. To prepare for the entry into force of the CCPA, companies should begin to evaluate the changes that they will need to make to their policies and begin to modify their policies.
- Stay up to date on future legal developments: The CCPA requires the AG to solicit public participation to adopt regulations to further the purposes of the [CCPA],” including the establishment of possible exceptions. As such, attention will need to be directed to the evolving regulatory landscape.
Jacqueline Klosek is a counsel in Goodwin Procter's business law department and a member of its intellectual property group as well as its privacy and cybersecurity practice. Her practice focuses on transactions involving technology and intellectual property, and she regularly advises clients on various issues related to privacy and data security. She is a key contributor to Goodwin's Founders Workbench, an online resource for startups, emerging companies and the entrepreneurial community. Klosek drafts and negotiates various technology agreements and advises on different aspects of the law related to intellectual property and technology. She also advises clients on various issues related to privacy and data security.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllSanta Barbara Judge Accused of Moonlighting as Attorney for Secretary/Girlfriend
4 minute readInsurers Dodge Sherwin-Williams' Claim for $102M Lead Paint Abatement Payment, State High Court Rules
Trending Stories
- 1Life, Liberty, and the Pursuit of Customers: Developments on ‘Conquesting’ from the Ninth Circuit
- 2Biden commutes sentences for 37 of 40 federal death row inmates, including two convicted of California murders
- 3Avoiding Franchisor Failures: Be Cautious and Do Your Research
- 4De-Mystifying the Ethics of the Attorney Transition Process, Part 1
- 5Alex Spiro Accuses Prosecutors of 'Unethical' Comments in Adams' Bribery Case
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250