The California Consumer Privacy Act of 2018 (Cal. Civ. Code §§ 1798.100 – 199) (“CCPA” or “Act”) is a recently enacted law that governs data ownership and transparency, and is set to change the U.S. privacy landscape. It introduces new legal risks and considerations for almost all companies due to its expansive scope, enhanced consumer rights, and significant statutory fines. The CCPA became effective in January of 2020, but governmental enforcement of the Act was pushed back until July 1, 2020 to allow companies to fully implement the changes required by the Act.
We want to ensure that our clients are fully prepared for the looming enforcement deadline. Below we provide a brief summary of the Act for your review. If you have not already evaluated your CCPA obligations, please contact us so that we may assess and address your CCPA compliance needs.
Key Components of the CCPA
The CCPA grants new rights to consumers
The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information;
The right to delete personal information held by businesses and by extension, a business’s service provider;
The right to opt-out of sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt-in consent, with a parent or guardian consenting for children under 13.
The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.
The CCPA applies to certain businesses
Businesses are subject to the CCPA if one or more of the following are true:
Has gross annual revenues in excess of $25 million;
Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices;
Derives 50 percent or more of annual revenues from selling consumers’ personal information.
Companies that work with or handle data for covered businesses may be considered “service providers” and should also evaluate their obligations under the CCPA.
Compliance measures our firm can help you implement:
Assessing and tracking how data is held, shared, and/or sold.
Updating Website(s) and Privacy Notice(s)
Creating outlets for receiving consumer requests
Drafting and implementing Policy and Procedures for responding to consumer requests
Creating and implementing technology build outs to handle consumer requests.
Drafting and implementing security procedures and practices
Drafting and negotiating agreements with the business partners with which companies share data
The CCPA will apply to most medium to large businesses in California, or with customers in California, including online transactions, regardless of location.
The CCPA contains broad definitions of the data covered and the level of disclosure that triggers coverage. The scope of these definitions greatly impacts the compliance burden for businesses and service providers. Two important definitions which affect obligations are:
“Personal Information”: any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
“Sell”: includes selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating the consumer’s personal information to another business or third party for monetary or other valuable consideration.
The CCPA imposes new obligations for covered businesses:
Provide notice to consumers at or before data collection.
Create procedures to respond to requests from consumers to opt-out, know, and delete.
For requests to opt-out, businesses must provide a “Do Not Sell My Info” link on their website or mobile app.
Respond to requests from consumers to know, delete, and opt-out within specific timeframes.
As proposed by the draft regulations, businesses must treat user-enabled privacy settings that signal a consumer’s choice to opt-out as a validly submitted opt-out request.
Verify the identity of consumers who make requests to know and to delete, whether or not the consumer maintains a password-protected account with the business.
Maintain records of requests and how they responded for 24 months in order to demonstrate their compliance.
Enter into agreements with business partners to ensure data security and compliance with consumer disclosures.
CCPA and GDPR
The California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR) are separate legal frameworks with different scopes, definitions, and requirements. A business that complies with GDPR and is subject to CCPA may have additional obligations under CCPA. Your compliance with GDPR does not exclude you from or ensure your compliance with the CCPA.
Penalties and Enforcement of Non-Compliance
Attorney General Enforcement. The AG may bring enforcement actions for violations and is empowered to seek injunctions and assess civil penalties of $2,500 for each violation or up to $7,500 for each intentional violation. AG enforcement is set to begin July 1, 2020. The state has made clear that COVID-19 will not affect the enforcement deadline.
Consumer Private Right of Action. The CCPA includes a private right of action for consumers but only for a business’s alleged failure to “implement and maintain reasonable security procedures and practices” that results in a data breach of the type that triggers California’s breach notification law, Cal. Civ. Code § 1798.81.5. Consumers can recover $100-$750 per incident or actual damages, whichever is greater.
Due to the scope of the CCPA and the fines associated with non-compliance, companies must assess their obligations under the Act prior to the enforcement deadline. If you have any questions regarding the CCPA or would like to evaluate and take steps to ensure your compliance, please contact our firm.
About Greenspoon Marder
Greenspoon Marder is a national full-service business law firm with 240 attorneys and 26 locations across the United States. We are ranked amongst American Lawyer’s Am Law 200, as one of the top law firms in the U.S. since 2015. Since our inception in 1981, our firm has been committed to providing excellent client service through our cross-disciplinary, client-team approach. Our mission is to understand the challenges that our clients face, build collaborative relationships, and craft creative solutions designed and executed with long-term strategic goals in mind. We serve Fortune 500, middle-market public and private companies, start-ups, emerging businesses, individuals and entrepreneurs nationwide.
Natalie Villanueva, Director of Marketing
954.333.4308 | firstname.lastname@example.org
This Greenspoon Marder LLP Client Alert is issued for informational purposes only and is not intended to be construed or used as general legal advice nor a solicitation of any type. Please contact the author(s) or your Greenspoon Marder LLP contact if you have any questions regarding the currency of this information. The hiring of a lawyer is an important decision. Before you decide, ask for written information about the lawyer’s legal qualifications and experience.