On June 28, 2018, Governor Jerry Brown of California passed the California Consumer Privacy Act, or CCPA. This comprehensive legislation is intended to deal with a wide range of consumer data and privacy issues in the state of California (similar to the European Union’s GDPR legislation). On November 3, 2020, California voters approved the California Privacy Rights Act (CPRA) which substantially amends CCPA.
CCPA legislation went into effect on January 1, 2020. Most of the substantive CPRA amendments go into effect on January 1, 2023, but some are effective as of January 1, 2021.
In this article, we’ll attempt to answer some common questions about California’s omnibus consumer privacy protection act, how far it reaches, and how it will affect businesses like yours. We’ll also be examining how the CCPA is both the same and different to parallel legislation, such as the GDPR.
Are all companies affected by the CCPA?
Not all, but many are. These are generally enterprise-level businesses. The CCPA affects companies that:
- Earn gross revenue of $25 Million or more per year.
- Possess the information of 50,000 or more consumers, households or devices.
- Earn more than half of their annual revenue from selling consumer’s personal information.
What data is protected?
The 2020 California privacy law protects a wide range of consumer personal data. This California privacy law defines personal data as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked with a particular consumer or household. This includes information such as a real name, postal address, unique personal identifier, online identifier internet protocol address, email address, account name, social security number, driver’s license number, passport number or similar identifiers.” (source: California legislative information)
What are the penalties?
Under the California Consumer Privacy Act, companies that are affected by data breaches as a result of unreasonable information security can be ordered in civil class action lawsuits to pay fines between $100 to $750 per California resident involved with the incident, or actual damages, whichever is greater, as well as any other relief that court dictates (Cal. Civ. Code § 1798.150). Each intentional violation can cost a firm up to $7500 and $2500 for each unintentional violation (Cal. Civ. Code § 1798.155) under the new California data privacy law.
Does the CCPA involve data security?
Yes. Companies that fall under these new California privacy laws are responsible for keeping consumer data secure and are responsible for maintaining reasonable information security as detailed above. Specifically, organizations are required to “implement and maintain reasonable security procedures and practices” as part of their routine operations.
What other things should I know?
Companies are responsible for enabling customers to exercise rights of access, deletion and to opt-out of the sale of personal information in an easy and reasonable manner. This includes the following provisions:
- Creating processes to obtain parental or guardian consent for persons under the age of 13 (Cal. Civ. Code § 1798.120(d)
- Links so that customers can “opt-out” of the company selling personal information. This should usually involve a prominently displayed link to a landing page that enables the customer to opt-out of the sale of the respondent’s personal information. (Cal. Civ. Code § 1798.102).
- This should also include displays of privacy notices about the California resident’s rights.
How is the CCPA different from the European Union’s GDPR?
Generally, if your firm is already compliant with the GDPR, you already have large sections of the CCPA covered. However, there are important differences, a few of which are listed below -
- Right to access – Under the GDPR, right to access personal information by customers lasts a lifetime. The CCPA instead covers the last 12 months of data, with delineation between sold and transferred.
- Right to portability – Both sets of laws require that data be exported in an easy to read, user friendly fashion.
- Right to correction – an important piece of the GDPR, but not covered under CCPA.
- Right to stop processing – Both include mechanisms to withdraw consent. The CCPA mandates that opt out links be included on websites. They should be included along with a full explanation of rights for California residents.
I need help. What can I do?
This data privacy act obviously introduces a complex set of issues that can impact your business. We’re ready to help you ensure that your business is compliant. Sidley’s cyberlaw team is on hand to help. Contact us today.
PartnerWashington, D.C., New York