On June 28, 2019, California passed the so-called California Consumer Privacy Act of 2018 (“CCPA”), changing the landscape of privacy laws and compliance for many years to come. The new law gives Californians more control over the information businesses collect on them, and imposes new requirements and prohibitions on businesses. Non-compliance with and violations of the CCPA will also expose businesses to penalties and, because the CCPA provides for a private right of action, the risk of private lawsuits.
The new law (full text available here) goes into effect on January 1, 2020.
The CCPA is similar to Europe’s General Data Protection Regulation (“GDPR”), which went into effect on May 25, 2018. As with the GDPR, the cost of noncompliance can be staggering. The CCPA imposes penalties of $750 per consumer per incident (e.g., $750,000 for an incident involving 1,000 consumers) or actual damages, whichever is greater.
As for penalties assessed against businesses, the highest amount is $7,500 per violation, notwithstanding penalties under California’s Unfair Business Practices Act. While at first the penalties and damages under the CCPA may seem minimal, they can add up to enormous amounts, depending on the number of violations, number of consumers, and the amount of actual damages.
What is “Personal Information”?
The CCPA derives from the California Constitution’s inalienable right of privacy. The Legislature reasoned that Californians’ ability “to control the use, including the sale, of their personal information” is fundamental to protecting their right of privacy. For purposes of the CCPA, “personal information” is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” such as name, internet protocol (IP) address, email address, postal address, driver’s license number, social security number, and passport information. Publicly available information (i.e., information lawfully made available by federal, state, or local government records) is expressly excluded from the CCPA’s definition of “personal information.”
What “Businesses” Are Covered?
The CCPA broadly applies to “businesses” that operate for-profit and (1) have an annual gross revenue of more than $25 million, (2) buy, receive or share for commercial purposes, or sell, the personal information of 50,000 or more consumers, households, or devices, or (3) derive 50% or more of their annual revenue from selling consumers’ personal information. The CCPA also applies to entities that share common branding with a qualifying “business” and that control or are controlled by that business.
Summary of Consumer Rights, and Business Requirements and Prohibitions:
The following table highlights the CCPA’s most important consumer rights, as well as business requirements and prohibitions.
The CCPA is considered one of the toughest data privacy laws in the United States and will dramatically impact how businesses handle data. A more detailed analysis of the CCPA, and how it may impact our clients, will be published shortly.