The California Consumer Privacy Act
Five Ws and an H
By: Ryan J. Perry
January 23, 2019
Not long after the EU General Data Protection Regulation implementation date, the California state legislature enacted the California Consumer Privacy Act (the “CCPA”). The CCPA was later amended on September 23, 2018; just in time to make it onto your business’s New Year’s resolutions list! Although the law will not go into effect until January 1, 2020, the hastily passed CCPA and its subsequent amendment are complicated and require businesses to give much thought to the classes of data they collect, to whom that data relates, and, depending on the answers to the first two questions, how to comply with the new law. Thus, businesses should seize the opportunity that the New Year presents, familiarize themselves with the CCPA’s requirements, and evaluate their current processes for compliance. In the spirit of the New Year, Morse’s Privacy and Data Security Team shares the following “five Ws and an H” about the CCPA.
WHO: Who is covered by the CCPA?
The CCPA protects the personal information of California residents, regardless of the location of the data or the business that processes it. The CCPA protects the personal information of California residents while they are in California and continues to protect the personal information of California residents when they leave the state temporarily. This protection means that businesses outside of California may be subject to the CCPA if they handle California residents’ information.
The CCPA applies to certain for-profit businesses that do business in the state of California, collect and control the personal information of California residents, and meet at least one of the following requirements:
- Have annual gross revenues in excess of $25,000,000.
- Alone or in combination, handle the personal information of fifty thousand or more consumers, households, or devices.
- Derive 50 percent or more of their annual revenues from selling the personal information of California residents.
Therefore, the first key step in the compliance process will be applying these jurisdictional rules to determine whether your business will be subject to the CCPA.
Service providers that process personal information for a business governed by the CCPA must also comply with certain CCPA requirements. These service providers will need to comply with specific retention, use, and disclosure requirements. Businesses should make sure these requirements are well documented in written contracts with such service providers.
WHAT: What kind of Personal Information is protected?
The CCPA defines personal information very broadly. Personal information is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The CCPA also considers any inferences from personal information “to create a profile about a consumer reflecting the consumer’s preference, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes” as personal information in its own right, subject to the rights and protections afforded by the CCPA.
WHEN: When do you need to comply?
The CCPA will take effect on January 1, 2020. California residents may start making requests under the CCPA on this date. The California Attorney General’s Office (the “CAG”), however, will not start enforcing the CCPA until July 1, 2020 or six months after it publishes the final regulations, whichever date is earlier. For example, if the CAG were to publish the final regulations before June 30, 2019, enforcement may start on January 1, 2020. Alternatively, if the final regulations are published between July 1, 2019 and December 31, 2019, enforcement actions may start six months from the publication date. Otherwise, if the final regulations are published on or after January 1, 2020, the CAG’s ability to bring enforcement actions will start on July 1, 2020. It is important to note that under the current timeline, the closer the publication date of the final regulations is to July 1, 2020, the less time businesses will have to comply with the CCPA and the regulations before enforcement actions can commence. Such a delay may leave businesses with little or no time to comply with the CCPA. Therefore, businesses should begin their compliance efforts before the final regulations are issued.
Additionally, businesses should be aware of certain obligations under the CCPA that may require action before the above enforcement date. For example, the CCPA requires that disclosures to California residents who request access to their data cover the 12-month period preceding the business’s receipt of that verifiable request. Effectively, this means that businesses will likely need to evaluate their data retention and recordkeeping processes before the above enforcement date. Thus, businesses should not wait for publication of the final regulations before they start compliance efforts.
WHERE: Where will the CCPA apply?
Businesses in other states or nations may need to comply with the CCPA if they fall under the CCPA’s definition of a business and they collect or control the personal information of California residents. Given the modern business landscape, it is likely that many businesses based outside of California will need to comply with the CCPA.
WHY: Why do you need to comply?
Penalties under the CCPA can reach up to $7,500 per violation for intentional violations and $2,500 for non-intentional violations. Additionally, and perhaps more importantly, the CCPA provides for a private right of action and possible statutory damages of up to $750 per consumer per incident. The CCPA also contains provisions limiting the use of arbitration clauses and class action waivers. In combination with the private right of action, the above prohibitions could mean huge penalties for businesses and increased attention from plaintiff-side law firms.
HOW: How should you comply?
It is crucial to note that the CCPA is a complicated statute that has not yet been subject to interpretation and battle testing. Moreover, compliance with any privacy and data security regulatory regime is a highly fact-specific process. The article above is intended to provide a flavor of the CCPA and is not a substitute for legal advice. There is no “off-the-shelf” CCPA compliance strategy; rather, the strategy must be tailored to the business at issue. Morse’s Privacy & Data Security Team has significant experience in providing privacy and data security compliance strategies for its clients across a myriad of privacy and data security regulatory regimes.
Start your New Year off on the right track and contact Ryan Perry, CIPP/U.S., Faith Kasparian, CIPP/U.S., or another member of the Privacy and Data Security Team for more information on the CCPA and how your business can become CCPA compliant.
The author would like to acknowledge the contributions to this article by, and give thanks to, Hanbo Yu, Northeastern University School of Law (NUSL) 2019.