A beginner’s guide to the California Consumer Privacy Act and its implications for businesses nationwide
Our previous article “Does the CCPA Apply to My Company?”[i] outlined some questions to help determine if your company is included in the definition of business for the CCPA. Here, we give a brief overview of the law and discuss both its potential effects and enforcement.
What is it?
The California Consumer Privacy Act (CCPA) is a bill that the California Legislature passed in exchange for the withdrawal of a ballot initiative with similar goals. Passed on June 28, 2018, the Act gives consumers new rights regarding the collection of personal data. It also requires businesses to provide specific disclosures before collecting personal information. This act is arguably the most aggressive law about consumer privacy in the United States and goes into effect on January 1, 2020.
How could it affect my business?
If you are located in California, it is highly likely you will need to comply with the law. However, even if you are not located in California, the CCPA could directly affect your business. The law protects “consumers” who are California residents. “Personal Information” includes identifiers of individuals or households such as a real name or alias, email address, or Internet Protocol (IP) address. It also has a catch-all for any identifier that an organization can use to identify a particular consumer, family, or device.
“Business” is also broadly defined (see “Does the CCPA Apply to My Company?”), but notably does not include non-profits or small businesses. While there are other limited exceptions to applicability, the broad definitions used cast a wide net and mean the CCPA’s reach will include businesses coast to coast.
One of the other consequences of the Act is that it may influence other states to enact similar measures. Multiple states have either amended existing laws to reflect, or are in the process of passing laws similar to the CCPA. This trend of heightened consumer protection laws will likely continue, and a business should consider reviewing its insurance policies to ensure it has coverage for any breaches of the law.
What could happen if I don’t comply?
While some privacy laws are “all bark with no bite,” the enforcement of the CCPA could result in enormous impacts for businesses that violate the act. The consequences include both regulatory enforcement actions and individual lawsuits.
The California Attorney General is responsible enforcing the Act. While the CCPA goes into effect on January 1, 2020, the date of enforcement is set to be 6 months after the publication of enforcement regulations or July 1, 2020, whichever is earlier. This means that there could as little as one day between the publication of the regulations and enforcement.
After the enforcement date, the California Attorney General must give a company who is alleged to have violated the CCPA written notice and 30 days to cure the alleged violation before imposing monetary penalties. These penalties include fines up to $2,500 per violation or $7,500 per intentional violation. Depending on how “violation” is interpreted, a business could incur immense aggregate fines for a single event that causes multiple consumers to have their information stolen or collected without their consent (e.g., consider a single data breach affecting thousands of consumers).
While many privacy laws allow the government to enforce the laws, what is somewhat unique and aggressive about the CCPA is that it also provides an individual cause of action. This right has an absolute start date of January 1, 2020 and will allow consumers the right to sue for unauthorized access, theft, or disclosure of non-encrypted or non-redacted personal information if the business failed to implement certain security practices and procedures. As you may imagine, this law could result in significant individual and class action lawsuits.
Interestingly, the California legislature narrowed the definition of “personal information” for the individual cause of action. The Act accordingly differentiates between more and less sensitive personal information, providing for a private cause of action for the former, but not the latter. Nonetheless, an individual can still bring a private causes of action for breaches of social security numbers, driver’s license numbers, account numbers with passwords or codes, medical information, and health insurance information. Multiple remedies are available to consumers including statutory and actual damages, injunctive and declaratory relief, and any other relief a court considers proper.
While it remains unclear what regulations will be published associated with the CCPA and/or how the court will enforce the Act, the CCPA fundamentally changes the way states may start regulating and handling breaches of personal consumer information.
For these questions and more, businesses should educate themselves as well as seek individualized guidance for both the direct and indirect effects of the CCPA. Reaching out to a trusted legal advisor could be the next step to determine what compliance looks like for your business.
The CCPA is coming. Will your business be ready?