Is California Calling Your Business? The California Consumer Privacy Act Is Here

January 6, 2020

On January 1, 2020, the most restrictive data privacy act in the United States, the California Consumer Privacy Act (CCPA), went into effect.

This law is not limited to businesses that are established or have locations in California. To the contrary, the CCPA applies to any for-profit business “doing any business in California” which collects personal information from California residents and satisfies just one of these criteria: (a) has gross revenue of greater than $25 million, (b) annually buys, receives, sells or shares the personal information of more than 50,000 consumers, households or devices for commercial purposes or (c) derives more than 50% of its annual revenues from selling consumers’ personal information.

One goal of the CCPA is to give control of the dissemination of personal information back to California residents, whether they are currently living in the state or are temporarily outside the state. The legislators specifically referred to the March 2018 news reports regarding the misuse of personal information by Cambridge Analytica. In line with the stated mission to protect California residents’ personal information, the definition of personal information is very broad and encompasses “any information that directly or indirectly:

  • Identifies, relates to, or describes a particular consumer or household or
  • Is reasonably capable of being associated with or could reasonably be linked to a particular consumer or household.”

No other state’s privacy statute has included “household” in its definition of personal information; it’s defined as “a person or group of people occupying a single dwelling.” The CCPA’s laundry list of personal information includes (but isn’t limited to) biometric information, geolocation information, employment-related information, personal names, online identifiers, email addresses, social security, passport and driver’s license numbers, IP addresses, physical addresses, real property records, records of the consumer’s purchases of or searches for products or services, Internet search records, educational records and profiles created by a business about a consumer or job prospect.

So, what are the obligations of a covered business with respect to the consumer? Here are the highlights:

  • Before the information is collected, or at the time of collection, provide a clear, easy-to-understand Privacy Notice explaining what categories of personal information are being collected, disclosed or sold, and for what purpose;
  • Provide a CCPA Privacy Policy;
  • Enable consumers to opt out of the sale of their personal information by including a DO NOT SELL MY PERSONAL INFORMATION link on the website’s home page, and not ask again for permission to sell personal information for 12 months;
  • Respond to a consumer’s request for information on how and with whom their personal information is shared;
  • Provide a consumer with their personal information, upon request, in an easily portable format to transfer to another business;
  • Delete the consumer’s personal information on request and instruct any third-party hosting service to do the same (assuming the information is not required for transactions with the consumer or to provide the consumer with a product or service);
  • Not discriminate financially or provide cheaper or lower-quality goods or services based on the consumer’s exercise of their rights.

The CCPA has teeth. Consumers have a private right of action against a business if there is a data breach involving non-redacted/non-encrypted consumer information that isn’t cured within 30 days, with a potential recovery of statutory damages between $100 and $750 per consumer per incident or actual damages, whichever is greater. But the CCPA doesn’t define what constitutes an effective cure. The Attorney General may sue a business for non-compliance (for any provision, not just a data breach) and, depending on whether the violation is intentional, demand civil penalties ranging from $2500 to $7500 per violation (the 30-day cure period applies here too).

There is a bright spot for businesses, at least until January 1, 2021: businesses that collect personal information received from (a) an individual acting in a business capacity and (b) job applicants and their own personnel, namely employees, independent contractors, owners, officers and directors, are exempt from the requirement to provide a list of the categories of personal information being collected or to delete all personal information collected. But all personnel must be provided with the Privacy Policy, and if the business is collecting information from its personnel that isn’t related to an employment purpose, the CCPA’s temporary exemption doesn’t apply. The exemption also doesn’t apply to the non-discrimination requirement or to the private right of action for a data breach.

In order to comply with the CCPA, businesses will need to conduct a deep dive into their information management practices. This includes finding out where personal information is stored, preparing a list of all categories of personal information being collected, disclosed and sold, preparing a new CCPA Privacy Policy, re-evaluating insurance policies to assess CCPA coverage, determining who will respond to consumers’ requests within the 45-day time period, and drafting standard responses to an initial consumer inquiry, among other tasks. It is also not yet known what implementing regulations will be enacted; the Attorney General published the regulations in October and the public comment period ended on December 6, 2019. The final regulations are expected to be enacted in the spring of 2020.

Those businesses that are aware of the 2018 European General Data Protection Regulation (GDPR) will be familiar with the schema of the CCPA, as the two laws take similar protective approaches. But even if a business isn’t a CCPA covered business, New York may not be far behind the West Coast: while the New York Privacy Act wasn’t passed in the 2019 legislative session, it may yet succeed, and its provisions were more restrictive than the CCPA’s. Will protection of personal information become the “new” New York State of Mind? Time will tell.

Amy B. Goldsmith, Partner and Chair of Privacy and Cybersecurity Group
