CCPA Effective as of January 1, 2020
The California Consumer Privacy Act of 2018 (CCPA), which is often compared to the European Union’s General Data Protection Regulation (GDPR), was enacted to provide privacy rights for California consumers and has been effective as of January 1, 2020.
The CCPA applies to any for-profit business that does business in California, collects consumers’ personal information, and satisfies at least one of the following:
- Has annual gross revenues in excess of $25 million;
- Annually receives or discloses the personal information of 50,000 or more California residents, households or devices; or
- Derives at least half of its annual revenues from selling California residents’ personal information.
The definition of “personal information” is very broad under the CCPA. It encompasses “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household…” such as names, addresses, browsing history, purchasing history, and biometric information, but excludes “publicly available” information.
The CCPA grants the following rights to such California consumers:
- Right to know what personal information is collected, used, shared or sold and for what purpose
- Right to delete personal information held by businesses or a business’s service provider
- Right to opt-out of a sale of personal information (with additional requirements for children under the age of 16)
- Right to non-discrimination in terms of price and service when a consumer exercises such rights.
Businesses that are subject to the CCPA must comply with various obligations including the following:
- Provide notice to consumers that personal information is being collected or sold at or before data collection
- Notify consumers of their rights to know, delete or opt-out of the collection or sale of their personal information
- Make it reasonably accessible for consumers to exercise their rights to know, delete, or opt-out
- Respond to requests within specified time frames at no charge to consumers
- Disclose financial incentives if offered for the collection, sale, or deletion of personal information
- Maintain records of requests and how they responded to requests for at least 2 years
- Publish a privacy policy that is easy for an average consumer to understand
In the event a regulated business does not comply with the CCPA, it can be subject to civil penalties of up to $7,500 for each intentional violation. Businesses have 30 days after written notification to cure any alleged noncompliance, and such civil penalties can only be assessed and recovered by the Attorney General.
Consumers have a limited private right of action for data breaches only in the event a consumer’s nonencrypted and nonredacted personal information is subject to unauthorized access and theft or disclosure as a result of a business’s violation of its duty to maintain reasonable security measures to protect personal information. Such consumers can recover damages of $100-750 per consumer per incident or actual damages, whichever is greater, in addition to injunctive or declaratory relief, or any other relief the court deems proper.
Because the CCPA was drafted and passed so hastily, it has been amended several times since its enactment and continues to be subject to further amendments as it is implemented and enforced.
The attorneys at Vogt, Resnick & Sherak, LLP can help you determine whether your business is subject to the CCPA or advise regarding compliance obligations. If the CCPA applies to your business, it will likely affect its vendor contracts as well, which should be reviewed. Please contact us if you have any questions regarding the CCPA.