California Consumer Privacy Act Now In Effect

2020 ushered in significant new privacy rights for residents of California.  The California Consumer Privacy Act (CCPA), which took effect January 1, 2020, provides important rights to California consumers concerning how businesses collect and sell their personal information.  Critically, even though the goal of the CCPA is to create rights for residents of California, its reach is much larger and will affect many companies located outside that state.  Here’s a brief overview of what you should know:

  1. The CCPA applies to any company “that does business in the State of California” and meets certain other conditions. Unfortunately, California has not yet offered any guidance about what it means to do “business” in the state.  Factors making it more likely that California will consider your company as doing “business” within the state include the following:
    • Does your company market specifically to California residents?
    • Does your company maintain a physical presence in California?
    • Does your company engage in numerous transactions in California?
  2. If your company “does business in the State of California,” the CCPA will apply to it only if your company:
    • Has annual gross revenues in excess of $25,000,000; or
    • Buys or uses the personal information of 50,000 or more California residents; or
    • Derives 50% or more of annual revenue from selling consumers’ personal information.
  3. If the CCPA applies to your company, what does it require? There are four main requirements for how a business must treat a Californian’s personal information:
    • Inform: A business that collects a consumer’s personal information must tell consumers what type of information it is collecting and for what purpose;
    • Disclose: A consumer may request that a business tell it what personal information it has collected about the consumer, and details about how it is shared or sold;
    • Delete: When requested by a consumer, a business shall delete the consumer’s personal information, with certain exceptions;
    • Don’t Sell: A business that engages in the sale of consumer’s personal information must inform consumers of that practice. If the consumer directs the business not to share their information, the business must not sell the consumer’s personal information to a third party.
  4. The CCPA applies to “personal information” of a consumer. What is “personal information?”
    • It’s defined very broadly, and generally means any information that can reasonably be linked to a particular consumer or household.
    • This includes (but is not limited to):
      • Common identifiers such as name, address, social security number, physical description, telephone, passport numbers, and driver’s license numbers;
      • Biometric information;
      • Internet activity, such as browsing and search history;
      • Geolocation data;
      • Employment data.
    • “Personal information” does not include information that is publicly and lawfully available from federal, state, or local government records.
  5. What if your company fails to comply with CCPA?
    • The California Attorney General may assess a civil penalty of $7,500 for every violation not cured after 30 days.
    • The CCPA also provides a private right of action. Consumers may bring suit against businesses to recover for CCPA violations.
      • A consumer may recover $750 for each violation without proving actual harm.
      • A consumer may recover more than $750 per violation if they can prove their actual harm exceeded that amount.

The CCPA is complex legislation that imposes serious demands on businesses.  Businesses affected by the CCPA must analyze their data management practices to cure any areas of non-compliance.  Due to the size of the California market, these are steps that many businesses even outside of California must take.  If your company has questions about this process, contact our Cybersecurity & Technology team for guidance.