By Mike Khoury on July 10, 2018
On June 28, 2018, California passed the so-called California Consumer Privacy Act of 2018 (“CCPA”), changing the landscape of privacy laws and compliance for many years to come. The new law gives Californians more control over the information businesses collect on them, and imposes new requirements and prohibitions on businesses. Non-compliance with and violations of the CCPA will also expose businesses to penalties and, because the CCPA provides for a private right of action, the risk of private lawsuits.
Effective Date:
The new law (full text available here) goes into effect on January 1, 2020.
Potential Liability:
The CCPA is similar to Europe’s General Data Protection Regulation (“GDPR”), which went into effect on May 25, 2018. Much like the GDPR, the cost of noncompliance can be staggering. The CCPA imposes penalties of $750 per consumer per incident (e.g., $750,000 for an incident involving 1,000 consumers) or actual damages, whichever is greater.
As for penalties assessed against businesses, the highest amount is $7,500 per violation, notwithstanding penalties under California’s Unfair Business Practices Act. While at first the penalties and damages under the CCPA may seem minimal, they can add up to enormous amounts, depending on the number of violations, number of consumers, and the amount of actual damages.
What is “Personal Information”?
The CCPA derives from the California Constitution’s inalienable right of privacy. The Legislature reasoned that Californians’ ability “to control the use, including the sale, of their personal information” is fundamental to protecting their right of privacy. For purposes of the CCPA, “personal information” is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” such as name, internet protocol (IP) address, email address, postal address, driver’s license number, social security number, and passport information. Publicly available information (i.e., information lawfully made available by federal, state, or local government records) is expressly excluded from the CCPA’s definition of “personal information.”
What “Businesses” Are Covered?
The CCPA broadly applies to “businesses” that operate for profit and (1) have an annual gross revenue of more than $25 million, (2) buy, receive or share for commercial purposes, or sell, the personal information of 50,000 or more consumers, households, or devices, or (3) derive 50% or more of their annual revenue from selling consumers’ personal information. The CCPA also applies to entities that share common branding with a qualifying “business” and that control or are controlled by that business.
Summary of Consumer Rights, and Business Requirements and Prohibitions:
The following table highlights the CCPA’s most important consumer rights, as well as business requirements and prohibitions.
| CCPA Consumer Rights | CCPA Business Requirements and Prohibitions |
| --- | --- |
| Consumers may request that a business disclose: (a) the categories and specific pieces of personal information that it collects about the consumers; (b) the categories of sources from which that information is collected; (c) the business purposes for collecting or selling the information; and (d) the categories of third parties with which the information is shared. | Businesses are required to make disclosures about the information they collect and the purpose for which it is used. |
| Consumers may request that a business selling consumers’ personal information, or disclosing it for business purposes, disclose (a) the categories of information it collects, and (b) the categories of information and the identity of third parties to which the information was sold or disclosed. | Businesses are required to provide this information in response to a verifiable consumer request. |
| Consumers may opt out of the sale of personal information by a business. | Businesses are prohibited from discriminating against a consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data. However, businesses may offer financial incentives for collection of personal information. Businesses are prohibited from selling the personal information of a consumer under the age of 16, unless affirmatively authorized (known as “the right to opt in”). |
The CCPA is considered one of the toughest data privacy laws in the United States and will dramatically impact how businesses handle data. A more detailed analysis of the CCPA, and how it may impact our clients, will be published shortly. To be included on our distribution list, please contact Susan Orona. In the meantime, to get more information about the CCPA, including assistance on updating your processes to comply in advance of the January 1, 2020, effective date, please contact Andy Castricone, Craig Mariam or Christina Vander Werf.