August 5, 2019

How to Mind Your Business Under California’s New Push for Consumer Privacy

Given its history of stringent regulation of many industries, it’s no surprise that California is taking consumer privacy seriously. With its sweeping new California Consumer Protection Act (CCPA), the state is placing an enormous compliance burden upon a vast number of companies that collect consumers’ personally identifiable information.

Although the CCPA will not go into effect until Jan. 1, 2020, and the California Attorney General’s Office cannot bring any enforcement actions until regulations are adopted no later than July 1, 2020, the law’s broad applicability underscores the need for companies, both small and large, and across all industries, to prepare for it.

In short, the CCPA requires a business that collects a consumer’s personal information to affirmatively inform consumers of the categories of personal information it collects and the purpose(s) for which it collects such information. Additionally, such a business must provide consumers with two or more methods for submitting requests for collected personal information to be disclosed. Once such a request is received, a business must disclose the requested information within 45 days. A consumer also has the right to request that the business delete the personal information it collected about them.

CCPA’s Requirements

The CCPA’s broad scope is rooted in the three ways in which businesses can trigger its requirements and the population the law seeks to protect. The CCPA is applicable to any legal entity organized for profit that does business in California and meets any of the following thresholds:

  1. Generates more than $25,000,000 in annual gross revenue;
  2. Annually purchases, receives or shares for the business’s commercial purposes (i.e., advances an economic interest) the personal information of 50,000 or more consumers, households or devices, alone or in combination; or
  3. Derives 50 percent or more of its annual revenue from selling consumers’ personal information.

Lastly, the CCPA voids any waiver of a consumer’s rights under its provisions, effectively preventing businesses from contracting out of the CCPA with consumers that visit business websites.

Under the law, a consumer is defined as any California Resident, meaning every individual in the state for other than a temporary purpose or every individual who is domiciled (such as a permanent home) in the state but who is outside the state for some temporary purpose.

Personal information is defined as data that identifies or could reasonably be linked to a particular consumer or household, including a person’s real name, email and IP addresses, account names, unique personal identifiers, social security number or driver’s license number.

Another GDPR?

The European Union’s General Data Protection Regulation (GDPR), which took effect on May 25, 2018, similarly protects an individual’s personal data, but its scope and territorial reach are far greater.

Key similarities of the CCPA and GDPR include the right of an individual to receive their personal information, a private right of action and civil fines.

Key differences include the protected parties (data subjects vs. California residents) and the ceiling for civil penalties. The top fine for CCPA is $750 per occurrence vs. the greater of 4 percent of annual global revenue or $20 million under the GDPR.

What’s Next

The CCPA is still in its infant stages; in fact, applicable businesses may have to wait until July 1, 2020, before they can review its regulations, which makes it difficult for such businesses to fully forecast the CCPA’s cost and implement compliance programs. However, certain key provisions of the CCPA likely will have broad implications for how much it might cost:

  1. The protected class of people listed in the CCPA – California residents – includes non-citizens, as well as individuals domiciled in California but whose information is collected when they are outside of California (e.g., a California resident in New York for vacation whose data is collected from the website of a company that transacts business in California).
  2. Individuals seeking to sue a company over an alleged violation of the CCPA must first give the alleged violator 30 days written notice of such violation to allow the company to cure the violation before initiating a civil suit.
  3. The CCPA’s language does not address whether or not companies with multiple entities must aggregate the gross revenue of each entity or the number of consumers from which it collects information.

As it currently stands, the CCPA will necessitate that businesses update their privacy policies, track data collection over 12-month cycles, develop systems to receive and respond to verifiable requests, and track the residency status of their personal information collection targets to be in compliance.

Looking forward, the next 6-12 months are pivotal for businesses, as the need to evaluate data collection practices, the CCPA’s general applicability and the cost of complying with the CCPA looms. While the eventual release of the CCPA’s regulations will likely further narrow the parameters of the CCPA, the general requirements are clear.

If you would like to discuss the CCPA’s impending privacy regulations, as well as any other privacy issues facing your business, please contact one of the lawyers in Gould & Ratner’s Corporate Practice.