The California Consumer Privacy Act of 2018 (Cal. Civ. Code §§ 1798.100 – 199) (“CCPA” or “Act”) is a recently enacted law that governs data ownership and transparency, and is set to change the U.S. privacy landscape. It introduces new legal risks and considerations for almost all companies due to its expansive scope, enhanced consumer rights, and significant statutory fines. The CCPA became effective in January of 2020, but governmental enforcement of the Act was pushed back until July 1, 2020 to allow companies to fully implement the changes required by the Act.
We want to ensure that our clients are fully prepared for the looming enforcement deadline. Below we provide a brief summary of the Act for your review. If you have not already evaluated your CCPA obligations, please contact us so that we may assess and address your CCPA compliance needs.
Key Components of the CCPA
The CCPA grants new rights to consumers
The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information;
The right to delete personal information held by businesses and by extension, a business’s service provider;
The right to opt-out of sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt in consent, with a parent or guardian consenting for children under 13.
The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.
The CCPA applies to certain businesses
Businesses are subject to the CCPA if one or more of the following are true:
Has gross annual revenues in excess of $25 million;
Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices;
Derives 50 percent or more of annual revenues from selling consumers’ personal information.
Companies that work with or handle data for covered businesses may be considered “service providers” and should also evaluate their obligations under the CCPA
Compliance measures our firm can help you implement:
Assessing and tracking how data is held, shared, and/or sold.
Updating to Website(s) and Privacy Notice(s)
Creating outlets for receiving consumer requests
Drafting and implementing Policy and Procedures for responding to consumer requests
Creating and implementing technology build outs to handle consumer requests.
Drafting and implement security procedures and practices
Drafting and negotiating agreement with business partners that companies share data to
TAKEAWAY
The CCPA will apply to most medium to large businesses in California, or with customers in California, including online transactions, regardless of location
Important Definitions
The CCPA contains broad definitions of the data covered and the level of disclosure that triggers coverage. The scope of these definitions greatly impacts the compliance burden for businesses and service providers. Two important definitions which affect obligations are:
“Personal Information”: any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household
“Sell” – includes selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating the consumer’s personal information to another business or third party for monetary or other valuable consideration
The CCPA imposes new obligations for covered businesses:
Provide notice to consumers at or before data collection.
Create procedures to respond to requests from consumers to opt-out, know, and delete.
For requests to opt-out, businesses must provide a “Do Not Sell My Info” link on their website or mobile app.
Respond to requests from consumers to know, delete, and opt-out within specific timeframes.
As proposed by the draft regulations, businesses must treat user-enabled privacy settings that signal a consumer’s choice to opt-out as a validly submitted opt-out request.
Verify the identity of consumers who make requests to know and to delete, whether or not the consumer maintains a password-protected account with the business.Maintain records of requests and how they responded for 24 months in order to demonstrate their compliance.Enter into agreements with business partners to ensure data security and compliance with consumer disclosures.
CCPA and GDPR
The California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR) are separate legal frameworks with different scopes, definitions, and requirements. A business that complies with GDPR and is subject to CCPA may have additional obligations under CCPA. Your compliance with GDPR does not exclude you from or ensure your compliance with the CCPA.
Penalties and Enforcement of Non-Compliance
Attorney General Enforcement. The AG may bring enforcement actions for violations and is empowered to seek injunctions and assess civil penalties of $2,500 for each violation or up to $7,500 for each intentional violation. AG enforcement is set to begin July 1, 2020.
The state has made clear that COVID-19 will not affect the enforcement deadline.
Consumer Private Right of Action. The CCPA includes a private right of action for consumers but only for a business’s alleged failure to “implement and maintain reasonable security procedures and practices” that results in a data breach of the type that triggers California’s breach notification law, Cal. Civ. Code § 1798.81.5. Consumers can recover $100-$750 per incident or actual damages, whichever is greater.
Due to the scope of the CCPA and the fines associated with non-compliance, companies must assess their obligations under the Act prior to the enforcement deadline. If you have any questions regarding the CCPA or would like to evaluate and take steps to ensure your compliance, please contact our firm.
About Greenspoon Marder Greenspoon Marder LLP is a full-service law firm with over 240 attorneys and more than 20 office locations across the United States. With operations from Miami to New York and from Denver to Los Angeles, our firm attracts some of the nation’s top talent in key markets and innovation hubs. Our core practice areas include Real Estate, Litigation, and Transactional Services, complemented by the capabilities of a full-service firm. Greenspoon Marder has upheld a spot on The American Lawyer’s Am Law 200 as one of the top law firms in the U.S. since 2015, and our goal is to provide exceptional client service by developing a thorough understanding of each client’s business needs and objectives in order to provide strategic, cost-effective solutions.
MEDIA CONTACT
Natalie Villanueva, Director of Marketing[email protected]
This Greenspoon Marder LLP Client Alert is issued for informational purposes only and is not intended to be construed or used as general legal advice nor a solicitation of any type. Please contact the author(s) or your Greenspoon Marder LLP contact if you have any questions regarding the currency of this information. The hiring of a lawyer is an important decision. Before you decide, ask for written information about the lawyer’s legal qualifications and experience.
