The California Consumer Protection Act (“CCPA”) becomes effective January 1, 2020. The CCPA will impose burdensome, GDPR-like transparency and individual rights requirements on almost every company that handles “personal information” regarding California residents, including employees. Given the magnitude of California’s economic footprint in the world, the CCPA’s potential impact is almost as large as the GDPR’s impact.
Specifically, the CCPA will impact any company that handles “personal information” about California residents, operates for profit, and meets one or more of the following triggers: (1) annual gross revenue above US$25 million; (2) annually handles personal information regarding at least 50,000 consumers, households or devices; or (3) derives 50% or more of its revenue from selling personal information. Most CCPA obligations will apply directly to “businesses” (i.e., the entity that determines the purposes and means of processing personal information). But service providers and other third parties that handle personal information will also be impacted.
The CCPA will impose several new or enhanced privacy requirements, including disclosing what personal information is collected, how it is used, and how it is shared. The CCPA will also grant consumers rights regarding their personal information, including a right to access, delete, and opt out of the sale of their information, as well as an accompanying prohibition on discrimination for exercising such rights. Companies will need to contract with service providers to prohibit unauthorized processing and will be required to train employees regarding the CCPA’s requirements. The law also allows consumers to seek statutory damages (no proof of injury required) in the event of a data breach, opening the door to additional data breach class actions in California.
The California Legislature is considering amendments, but we do not believe that they will significantly water down the key requirements of the CCPA or shrink its scope. And it may not stop with California. The US Congress has already started hearings on whether a comprehensive federal data privacy act makes sense. However, with a divided federal government and other pressing distractions, a preemptive federal law is unlikely to pass before the rapidly approaching January 1, 2020 effective date.