California Consumer Privacy Act: Action Required by New Privacy Law

Signed into law in June 2018, California’s Consumer Privacy Act of 2018 (“CCPA”) has a broad reach and is set to go into effect on January 1, 2020.[1] Referred to by many as one of the strictest consumer privacy laws in the nation, the CCPA regulates how businesses handle the personal data of California residents and confers new rights on California residents to protect the personal information that businesses collect about them. The CCPA casts a wide net: it will impact many businesses across the nation, regardless of where the business is located. To avoid penalties and enforcement actions, impacted businesses need to take prompt steps to come into compliance with the CCPA. Below are some general questions and answers to help you assess the impact on your business, along with some suggested next steps. For additional information about how the CCPA may impact your particular business, please contact Sue S. Junn or Charles Russman.

The California Consumer Privacy Act of 2018 was enacted as Assembly Bill 375.

The California legislature’s amendments to the California Consumer Privacy Act of 2018 were enacted as Senate Bill 1121.

Does My Business Need To Comply?

For-profit businesses that receive a California resident’s personal information must comply with the CCPA if they meet at least one of the following three thresholds:

(1) the business receives annual gross revenues in excess of $25 million; or

(2) the business obtains the personal information of at least 50,000 California residents, households or devices annually; or

(3) the business derives 50 percent or more of its annual revenue from selling California residents’ personal information. “Selling” is broadly defined to mean any disclosing, making available, or otherwise communicating of a consumer’s personal information to another business or third party for money or other valuable consideration.

The definition of a “business” also covers a parent company or any other entity that controls the management of the business and shares common branding with the business. The CCPA, as amended, exempts from its application personal information that is governed by certain other privacy laws set forth in the statute, including, but not limited to, the Health Insurance Portability and Accountability Act (under certain circumstances), the Gramm-Leach-Bliley Act, and the Driver’s Privacy Protection Act of 1994.

Despite the exemptions, and given the relatively low thresholds, many organizations are likely to meet the definition of a “business” that is subject to the CCPA.

What Is The Data to Be Protected?

In general, the CCPA applies to data involving the personal information of California residents. Under the CCPA, “personal information” is broadly defined as “any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”. This definition is inclusive; even the exclusion for “publicly available information”, which is not considered personal information, is limited to information lawfully made available from government records. Under certain conditions, there are exceptions for deidentified or aggregate consumer information.

Because of this broad scope, impacted businesses around the world will need to comply, regardless of whether the business has a location in California or receives a significant amount of revenue from California. The law also applies to virtually all information about California residents, including their households and devices. This means the CCPA protects far more than sensitive information such as financial and health information, making its applicability even broader than that of many other privacy laws.

What Does Compliance Require?

The stated purpose of the CCPA is to promote privacy controls and transparency in data practices so that California consumers can be certain there are safeguards against misuse of their personal information. To this end, the CCPA confers new consumer rights on California residents that businesses will now need to honor.

Although compliance will need to be adapted to your business’ particular circumstances, there are several notable components under the CCPA:

  • Provide the statutorily required notice and information about the personal information collected to California consumers. In addition to an updated privacy policy, this requires businesses to be able to provide information about what categories of information were collected about a specific California consumer, where it came from, whether it was sold, and if so, to whom.
  • Provide a right to opt out. California residents must be given the right to opt out of having their information sold or otherwise disclosed. Special rules apply when the information is about a minor.
  • Provide a right to deletion of their personal information. Except where retention is required by law (or a few other exceptions apply), if individuals want their information deleted, that request must be honored.
  • Provide the right to receive equal service and price, regardless of whether someone exercises their privacy rights.

This is only an overview of these rights; how to implement them appropriately for your business will depend on the size and complexity of the business and its collection of California residents’ personal information, among other factors.

Why Is Compliance Important?

Noncompliance can subject businesses to significant regulatory fines and civil lawsuits under the CCPA. The CCPA provides for regulatory fines of $7,500 for each intentional violation, with no limit on the total amount of the penalty. The CCPA also gives California residents a right to bring a private action for the unauthorized access or disclosure of personal information, with statutory damages of between $100 and $750 per consumer per incident, or actual damages, whichever is greater.

In addition, there are general concerns for any business. Failure to comply with applicable law may be a breach of your agreements with customers and vendors, which could disqualify your business from certain work or constitute a default under a loan agreement. There is also the potential for significant harm to a reputation that took years to build.

This is likely the first of many similar laws that may be passed in the near future. Compliance now can mean less stress, cost and time later, and a possible competitive advantage in doing business in the e-commerce age.

What Should My Next Steps Be?

Consider the following next steps towards compliance:

  • Inventory and map your data so that your business identifies what is collected, where it is, and who has access to it.
  • Obtain knowledgeable counsel who can help develop an appropriate compliance plan.
  • Review agreements with vendors and service providers, as changes will likely be necessary to ensure compliance, especially with those who have access to data.
  • Review and revise, as appropriate, your business’ policies and procedures to comply with the new individual rights under the CCPA. This will provide a basis to demonstrate and ensure practical compliance with the new law. Once the policies are drafted, provide training to impacted employees to help ensure understanding.

Compliance will require knowledgeable implementation of the CCPA that reflects the legal requirements in light of your business’ circumstances. The key is to get started, if your business has not already done so.

[1] Amendments to the CCPA, signed into law on September 23, 2018, make uncertain when full enforcement of the privacy requirements will take place, but it is set to be on or before July 1, 2020.