The GDPR Was Just the Beginning
Companies that process personal data of California residents will soon be subject to comprehensive new privacy requirements.
August 21, 2018 at 10:00 AM
Just as those of us in the privacy field had begun to have a slight breather as much of the heavy lifting on the European General Data Protection Regulation (GDPR) was finally behind us, lawmakers in California passed the California Consumer Privacy Act of 2018 (CCPA). The CCPA, effective as of Jan. 1, 2020, will require companies, wherever located in the world, that process the personal data of residents of California to observe restrictions on data monetization, provide for data subject rights that are similar to those found in the GDPR, update their privacy policies and take steps to protect against the possibility of penalties and liquidated damages.
Scope
The CCPA will apply to all companies, wherever located, that receive personal data from California residents if they or their parent company or a subsidiary:
(a) Have annual gross revenues in excess of $25 million;
(b) Obtain personal information of 50,000 or more California residents, households or devices annually; or
(c) Obtain 50 percent or more annual revenue from selling California residents' personal information.
The CCPA defines personal information very broadly, expanding the existing definition to include any data that relates to or can be associated with a particular consumer, including contact information; online identifiers; government ID numbers; purchase history and other commercial data; biometric information; browsing/search history; sensory, geolocation, professional, employment, or education data; and any data used “to create a profile reflecting preferences, characteristics, … behavior, attitudes, intelligence, abilities, and aptitudes.” Given the very broad definition of “personal information,” the CCPA will have a profound effect on technology companies whose operations involve the processing of data.
New Rights for California Residents
Like the GDPR, the CCPA provides data subjects with a number of privacy rights, including:
- Rights of access and knowledge: Once the CCPA is in effect, California residents will have the right to access and know what personal information is collected. Prior to collection, companies must make a number of mandatory disclosures, including the categories and uses of personal information in transactional and other contexts. California residents will also have the right to know whether personal information is sold or disclosed and to whom. Companies must inform requesting consumers about the categories of personal data sold to third parties or disclosed in connection with a transaction. Third-party recipients of personal information are prohibited from selling the data without notice and an opt-out.
- The right to object: Upon request, companies must stop selling personal information. In addition, companies wishing to sell personal information from children will be required to obtain opt-in consent from the child if the child is 13 to 16 years old or from the child's parent or guardian if the child is younger than 13.
- The right to deletion: Subject to certain exceptions, a company that receives a deletion request from a consumer must erase the consumer's personal information from its systems and must also direct its service providers to do the same. As with the GDPR, this will require companies that are in control of personal information processing operations to enter into agreements with their service providers so as to ensure they will be able to comply.
- The right to be free from discrimination: The CCPA prohibits companies from discriminating against consumers who exercise their CCPA rights.
Enforcement
The CCPA creates a private right of action with the potential to recover damages of $100 to $750 for each affected consumer, exposing companies to an enhanced risk of class actions and costly litigation. In addition, companies will violate the CCPA if they fail to cure within 30 days of receiving notice from the AG. Such violations will be subject to civil penalties of up to $2,500 per violation. Intentional violations can result in civil penalties of up to $7,500 per violation. The AG could seek to multiply penalties by the number of affected consumers and/or the number of days the violation occurred.
Preparing for the CCPA
Companies that will be subject to the CCPA are advised to act promptly to assess the new law's impact on their business and develop a compliance roadmap. Although compliance is not required until January 2020, as anyone who has been working on GDPR compliance knows all too well, implementing compliance programs for major legislative changes does take a significant amount of time. Here are some concrete steps to take right now:
- Assess data practices: If not already done recently in connection with GDPR compliance, companies that will be subject to the CCPA should consider mapping current data flows and privacy practices.
- Analyze compliance gaps and begin to make necessary changes: Make available designated methods for submitting data access requests, including, at a minimum, a toll-free telephone number. Provide a clear and conspicuous “Do Not Sell My Personal Information” link on the business' internet homepage that will direct users to a web page enabling them, or someone they authorize, to opt out of the sale of the resident's personal information. Companies should also consider reviewing vendor agreements to determine if they need to be renegotiated to address the forthcoming changes in law.
- Update privacy policies: The CCPA will mandate a number of additional disclosures beyond what are typically included in most privacy policies today. To prepare for the entry into force of the CCPA, companies should begin to evaluate the changes that they will need to make to their policies and begin to modify their policies.
- Stay up to date on future legal developments: The CCPA requires the AG to solicit public participation to adopt regulations “to further the purposes of the [CCPA],” including the establishment of possible exceptions. As such, attention will need to be directed to the evolving regulatory landscape.
Jacqueline Klosek is a counsel in Goodwin Procter's business law department and a member of its intellectual property group as well as its privacy and cybersecurity practice. Her practice focuses on transactions involving technology and intellectual property, and she regularly advises clients on various issues related to privacy and data security. She is a key contributor to Goodwin's Founders Workbench, an online resource for startups, emerging companies and the entrepreneurial community. Klosek drafts and negotiates various technology agreements and advises on different aspects of the law related to intellectual property and technology. She also advises clients on various issues related to privacy and data security.
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com.