On June 28, 2018, Governor Jerry Brown of California passed the California Consumer Privacy Act, or CCPA. This comprehensive legislation is intended to deal with a wide range of consumer data and privacy issues in the state of California (similar to the European Union’s GDPR legislation). On November 3, 2020, California voters approved the California Privacy Rights Act (CPRA), which substantially amends the CCPA.
CCPA legislation went into effect on January 1, 2020. Most of the substantive CPRA amendments go into effect on January 1, 2023, but some are effective as of January 1, 2021.
In this article, we’ll attempt to answer some common questions about California’s omnibus consumer privacy protection act, how far it reaches, and how it will affect businesses like yours. We’ll also examine how the CCPA is both similar to and different from parallel legislation, such as the GDPR.
Are all companies affected by the CCPA?
Not all, but many are. These are generally enterprise-level businesses. The CCPA affects companies that:
What data is protected?
The 2020 California privacy law protects a wide range of consumer personal data. This California privacy law defines personal data as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked with a particular consumer or household. This includes information such as a real name, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number or similar identifiers.” (source: California legislative information)
What are the penalties?
Under the California Consumer Privacy Act, companies that are affected by data breaches as a result of unreasonable information security can be ordered in civil class action lawsuits to pay fines between $100 and $750 per California resident involved with the incident, or actual damages, whichever is greater, as well as any other relief that the court dictates (Cal. Civ. Code § 1798.150). Under the new California data privacy law, each intentional violation can cost a firm up to $7500, and each unintentional violation $2500 (Cal. Civ. Code § 1798.155).
Does the CCPA involve data security?
Yes. Companies that fall under these new California privacy laws are responsible for keeping consumer data secure and are responsible for maintaining reasonable information security as detailed above. Specifically, organizations are required to “implement and maintain reasonable security procedures and practices” as part of their routine operations.
What other things should I know?
Companies are responsible for enabling customers to exercise rights of access, deletion and to opt-out of the sale of personal information in an easy and reasonable manner. This includes the following provisions:
How is the CCPA different from the European Union’s GDPR?
Generally, if your firm is already compliant with the GDPR, you already have large sections of the CCPA covered. However, there are important differences, a few of which are listed below -
I need help. What can I do?
This data privacy act obviously introduces a complex set of issues that can impact your business. We’re ready to help you ensure that your business is compliant. Sidley’s cyberlaw team is on hand to help. Contact us today.