The California Consumer Privacy Act of 2018 (“CCPA”) was signed into law by Governor Jerry Brown on June 28, 2018, and goes into effect on January 1, 2020. The CCPA gives significant new data privacy rights to California residents with respect to their personal information that is collected and maintained by companies doing business in California. Even if you are compliant with current privacy laws, you must consider how the CCPA may affect your business. And, if you have not already started steps for compliance with the CCPA, now is the time.
Businesses cannot afford to wait until next year to think about or prepare for the wide-ranging impacts of this new law. Specifically, affected businesses need to: (1) decide now whether they will or will not sell personal information to third parties (and analyze any modifications to business services that may be required if they will not (or cannot) sell such information); (2) update websites and privacy policies with required information disclosures; (3) ensure that sufficient systems, processes, and resources are in place to respond to consumer requests for access to or deletion of their personal information and required disclosures; and (4) analyze and adjust any contracts with service providers that may be necessary to ensure compliance with the law.
Unless you conduct business operations wholly outside of California (including having no online presence in California), the CCPA probably applies to your business. The CCPA applies to all businesses – regardless of location – that conduct business (including online sales) in California and collect personal information from California residents if at least one of the following thresholds are satisfied:
For some businesses, this is an easy determination. But even if you do not believe your company meets these thresholds at first glance, you may want to give this further consideration. For example, because “personal information” under the CCPA is defined broadly enough to encompass essentially every piece of information related to a California resident or household, information such as IP addresses that are collected merely from website visits constitutes collection of personal information under the CCPA. Therefore, even putting aside what personal information your business collects from customers, employees and other California residents in the course of its transactions and operations, if your business has a website accessible to California residents, you are likely to exceed the 50,000-resident annual threshold, and your company must likely comply with the CCPA.
The CCPA provides the following privacy rights to California consumers:
This will require, among other things, that businesses:
Businesses that fail to comply with the CCPA are subject to civil penalties in actions brought by the California Attorney General in amounts of $2,500 for each unintentional violation, or $7,500 for each intentional violation.
The CCPA also gives a private right of action to any California resident whose personal information is subject to a data breach and allows such residents to recover between $100-$750 per resident and incident, or actual damages, whichever is greater. The availability of statutory damages resulting from a data breach should provide significant incentives for companies to increase and improve their data security practices and breach response plans and procedures. Additionally, current state legislation is under consideration that would expand this private right of action to the violation of any provision of the new law.
The above summary of the CCPA is a very high-level discussion of the duties and obligations businesses have under the new law and does not constitute legal advice with regard to compliance with the CCPA. There are many additional details and rights, as well as defenses and exemptions, to take into account in assessing what steps your business may need to take to comply with the CCPA. Please contact Litigation and Data Privacy partner Scott Hall at email@example.com or 415.772.5798 to discuss additional questions or details and to determine how we can help your business be prepared for the CCPA.
Click here to download or print a PDF of this alert.