California Consumer Privacy Act Monitor (CCPA)
What You Need to Know
California Consumer Privacy Act
On June 28, 2018, Governor Jerry Brown of California passed the California Consumer Privacy Act, or CCPA. This comprehensive legislation is intended to deal with a wide range of consumer data and privacy issues in the state of California (similar to the European Union’s GDPR legislation). On November 3, 2020, California voters approved the California Privacy Rights Act (CPRA), which substantially amends the CCPA.
The CCPA went into effect on January 1, 2020. Most of the substantive CPRA amendments go into effect on January 1, 2023, but some are effective as of January 1, 2021.
In this article, we’ll attempt to answer some common questions about California’s omnibus consumer privacy protection act, how far it reaches, and how it will affect businesses like yours. We’ll also examine how the CCPA is both similar to and different from parallel legislation, such as the GDPR.
Are all companies affected by the CCPA?
Not all, but many are. These are generally enterprise-level businesses. The CCPA affects companies that:
- Earn gross revenue of $25 million or more per year.
- Possess the information of 50,000 or more consumers, households or devices.
- Earn more than half of their annual revenue from selling consumers’ personal information.
What data is protected?
The 2020 California privacy law protects a wide range of consumer personal data. It defines personal data as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked with a particular consumer or household. This includes information such as a real name, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number or similar identifiers.” (source: California legislative information)
What are the penalties?
Under the California Consumer Privacy Act, companies that are affected by data breaches as a result of unreasonable information security can be ordered in civil class action lawsuits to pay fines of between $100 and $750 per California resident involved in the incident, or actual damages, whichever is greater, as well as any other relief that the court dictates (Cal. Civ. Code § 1798.150). Under the new California data privacy law, each intentional violation can cost a firm up to $7,500, and each unintentional violation up to $2,500 (Cal. Civ. Code § 1798.155).
Does the CCPA involve data security?
Yes. Companies that fall under these new California privacy laws are responsible for keeping consumer data secure and for maintaining reasonable information security as detailed above. Specifically, organizations are required to “implement and maintain reasonable security procedures and practices” as part of their routine operations.
What other things should I know?
Companies are responsible for enabling customers to exercise their rights of access and deletion, and to opt out of the sale of personal information, in an easy and reasonable manner. This includes the following provisions:
- Creating processes to obtain parental or guardian consent for persons under the age of 13 (Cal. Civ. Code § 1798.120(d)).
- Links so that customers can “opt out” of the company selling personal information. This should usually involve a prominently displayed link to a landing page that enables the customer to opt out of the sale of the respondent’s personal information (Cal. Civ. Code § 1798.102).
- This should also include displays of privacy notices about the California resident’s rights.
How is the CCPA different from the European Union’s GDPR?
Generally, if your firm is already compliant with the GDPR, you already have large sections of the CCPA covered. However, there are important differences, a few of which are listed below:
- Right to access – Under the GDPR, customers’ right to access their personal information lasts a lifetime. The CCPA instead covers the last 12 months of data, with a delineation between data sold and data transferred.
- Right to portability – Both sets of laws require that data be exported in an easy-to-read, user-friendly fashion.
- Right to correction – An important piece of the GDPR, but not covered under the CCPA.
- Right to stop processing – Both include mechanisms to withdraw consent. The CCPA mandates that opt-out links be included on websites, along with a full explanation of rights for California residents.
I need help. What can I do?
This data privacy act obviously introduces a complex set of issues that can impact your business. We’re ready to help you ensure that your business is compliant. Sidley’s cyberlaw team is on hand to help. Contact us today.
News & Insights
- Blog: An Agency Is Born: California Appoints Board of Its New California Privacy Protection Agency (March 19, 2021)
- Blog: All Buttoned Up: The California AG Proposes Additional CCPA Regulations (December 14, 2020)
- Publication: CPRA's Impact on CCPA Enforcement and Compliance (November 20, 2020)
- Blog: California Privacy Law Overhaul – Proposition 24 Passes (November 4, 2020)
- Blog: CCPA Update: Comment Period Closes on Third Round of Proposed Modifications to CCPA Regulations; CCPA Litigation Gaining Steam; Consumer Groups and Major Newspapers Urge “No” Vote on California’s Privacy Initiative (October 29, 2020)
- Blog: California Amends Privacy Laws Again: CCPA Health Information Amendment and Employee/B2B Exemption Signed into Law; Vetoes for Genetic Privacy and Social Media Parental Consent Bills (October 14, 2020)
- Blog: Third Time’s the Charm: CCPA Regulations Finally Approved With Limited Substantive Changes from June 2020 Version (August 20, 2020)
- Blog: The Return of the Mac: CCPA 2.0 Qualifies for California’s November 2020 Ballot and Could Usher In Sweeping Changes to CCPA (June 26, 2020)
- Blog: CCPA Enforcement Date Rapidly Approaching: California Attorney General Proposes Regulations for Final Review With July 1, 2020 Less Than One Month Away (June 4, 2020)
- Blog: Stay At Home Orders May Have Killed California’s Ballot Initiative to Expand CCPA [**Update – But Californians for Consumer Privacy Say Maybe Not**] (May 4, 2020)
- Blog: CCPA Marches On: California Attorney General Proposes Further Revisions to CCPA Regulations, Industry Pleads for Enforcement Delay Amid COVID-19 Crisis (April 10, 2020)
- Blog: A February 2020 Surprise: California Attorney General Proposes Significant Revisions to CCPA Regulations (February 12, 2020)
- Blog: Examining Legislative Proposals to Protect Consumer Data Privacy (December 19, 2019)
- Blog: CCPA 2.0 Moves to Next Critical Stage of Referendum Process (December 18, 2019)
- Blog: Comments Submitted on California Consumer Privacy Act of 2020—Initiative 19-0021 (November 12, 2019)
- Sidley Update: Attorney General Issues Draft CCPA Regulations, Prompting New Compliance Needs Before Effective Date (October 29, 2019)
- Blog: CCPA In-Depth Series: Draft Attorney General Regulations on Verification, Children’s Privacy and Non-Discrimination (October 24, 2019)
- Blog: CCPA In-Depth Series: Draft Attorney General Regulations on Consumer Requests (October 23, 2019)
- Blog: CCPA In-Depth Series: Draft Attorney General Regulations on Consumer Notice (October 22, 2019)
- Blog: California Attorney General Releases Proposed CCPA Regulations (October 10, 2019)
- Blog: Final California Consumer Privacy Act Amendments Bring Practical Changes (But Your Business May Now Be a California “Data Broker”) (September 17, 2019)
- Publication: Navigating the CCPA’s ‘Notice and Cure’ Provision (August 16, 2019)
- Publication: Where Does Privacy Go From Here: California, EU and Indian Data Privacy Laws and Global Compliance Programs (August 5, 2019)
- Blog: New York Enacts Stricter Data Cybersecurity Laws (August 5, 2019)
- Blog: A Closer Look at California Privacy Law Bar on Two Contract Clauses (July 16, 2019)
- Blog: Crunch Time in California – CCPA Amendments Hotly Debated and (Some) Defeated – Employee Data Is Back, Reasonable Definition of Personal Information Is Gone (For Now), and More! (July 15, 2019)
- Blog: Maine’s Act to Protect the Privacy of Online Consumer Information (June 20, 2019)
- Blog: The CCPA Ripple Effect: Nevada Passes Privacy Legislation (June 11, 2019)
- Sidley Update: California Consumer Privacy Act Will Likely Prompt Class Actions (June 11, 2019)
- Blog: Washington State Comprehensive Privacy Bill Loses Steam, Data Breach Law Amendment Heads to Governor’s Desk (May 2, 2019)
- Blog: California, Here We Come: Getting Ready for the California Consumer Privacy Act of 2018 (March 26, 2019)
- Blog: The New Congress Turns to an Old Issue – The Possibility of Comprehensive Federal Privacy Legislation (March 18, 2019)
- Blog: Takeaways From CCPA Public Forums (February 12, 2019)
- Blog: Debate Continues on the Future of US Privacy Regulation from California to Capitol Hill (December 27, 2018)
- Blog: California and Preemption (October 10, 2018)
- Blog: The Trump Administration’s Approach to Data Privacy, and Next Steps (October 2, 2018)
- Blog: Developing IoT Policy from California to Washington, D.C. (September 26, 2018)
- Blog: Clean-Up Bill Advances to Amend the New California Consumer Privacy Act (September 5, 2018)
- Blog: Coalition Groups Weigh In on CCPA Clean Up Legislation (August 16, 2018)
- Blog: California’s GDPR? Sweeping California Privacy Ballot Initiative Could Bring Sea Change to U.S. Privacy Regulation and Enforcement (June 27, 2018)
Events
- Blog: The California Consumer Privacy Act: What Happened and What’s to Come (January 22, 2020)
- Event: The CCPA and Litigation Mitigation: What You Need to Know Before January 1 (Thursday, November 21, 2019)
- Event: The Final Countdown: What You Need to Know About the CCPA and its Draft Regulations Before January 1 (Tuesday, November 5, 2019)
- Event: Retail Law Conference 2019 (October 16 - 18, 2019)
- Event: Litigation Exposure in The New Era of The California Consumer Privacy Act (Thursday, August 8, 2019)