Companies are still scrambling to comply with the new California Consumer Privacy Act of 2018 ("CCPA"), which became effective on January 1, 2020. The CCPA provides new rights and protections for "consumers," defined as natural persons who are California residents: those who are either in California for other than a temporary or transitory purpose, or who are domiciled in California but currently outside the state for a temporary or transitory purpose.
The CCPA's focus is personal information (understood as any information that directly or indirectly identifies, relates to, or describes a particular consumer or household, or is reasonably capable of being associated with or could reasonably be linked to a particular consumer or household) of such California residents.
The CCPA covers all for-profit businesses that, in addition to collecting consumers' personal information, also do business in California and meet one of the following thresholds:
- Have annual gross revenue exceeding $25 million (adjusted for inflation); OR
- Annually buy, receive, share, or sell personal information of more than 50,000 consumers, households, or devices for commercial purposes (alone or in combination); OR
- Derive 50% or more of their annual revenue from selling consumers' personal information.
The above also includes any entity that both controls or is controlled by a covered business and shares common branding with a covered business, such as a shared name, service mark, or trademark.
The CCPA provides California consumers with the following rights:
- To know what personal information a business collects, sells or discloses about them
- To receive a copy of personal information collected about them
- To request that their personal information be deleted
- To know if a business sells personal information and, if so, to opt out of that sale (for minors younger than 16 years old, the CCPA requires an affirmative opt-in)
- To equal service, prohibiting discrimination against consumers who have exercised their rights under the CCPA
Significantly, in addition to the above, the CCPA also gives a California consumer the right to seek damages against a business if their data is lost, hacked or stolen and the business failed to "implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information."
However, this right to bring a consumer civil action for damages is available only where "sensitive data," such as a Social Security number, driver's license number, California ID, passport, account or credit card number, medical, biometric or health insurance information, was impacted.
Enforcement by the Attorney General will not begin until July 1, 2020.
In addition to covered businesses, the CCPA distinguishes service providers, which include any entity that processes personal information received from a covered business on that business's behalf for a business purpose, provided that there is a written contract between the parties. Meeting the definition of a service provider is particularly important: if an entity receiving personal information qualifies as a service provider, it shall not be held liable for the business's CCPA obligations when it provides services under the contract.