Big changes are coming to how businesses will be required to manage personal information gathered and used in California beginning in 2020. If your business makes sales in California, then you need to be aware of the recently passed California Consumer Privacy Act (CCPA), which was signed into law in June 2018. The CCPA is the first United States law following in the footsteps of the European Union’s privacy law, the GDPR.
Who is subject to the CCPA? The CCPA applies to for-profit entities that both collect and process the “personal information” of California residents and do business in the State of California. However, a physical presence in California is not a requirement as it appears that making sales in the state would be sufficient. Additionally, businesses must meet one of the following thresholds to be subject to the CCPA:
- Has annual gross revenues in excess of $25 million;
- Annually buys, receives for the business’ commercial purposes, sells or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households or devices; or
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
What Information is Protected: Much like the GDPR, the CCPA includes a broad definition of “personal information,” much broader than typical privacy-related laws normally seen in the United States. “Personal information” is defined under the CCPA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The CCPA provides consumers with more control over their personal information by granting them the right to request a business to disclose (i) the categories and specific pieces of personal information that it collects about the consumer; (ii) the categories of sources from which that information is collected; (iii) the business purposes for collecting or selling the information; and (iv) the categories of third parties with which the information is shared. The CCPA would also require a business to make disclosures about the information and the purposes for which it is used.
Furthermore, consumers must be presented with an easy, simple and straightforward process to opt-out of having their personal information sold to a third party and may request that a business delete their personal information. Businesses must comply with these deletion requests and ensure the consumer’s personal information is also deleted by third-party contractors with whom the business may have previously shared that consumer’s personal information, with some limited exceptions.
Penalties: Not only does the CCPA provide consumers with a private right of action if their personal information “is subject to an unauthorized access and exfiltration, theft or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices”, but businesses that fail to comply with the CCPA are subject to civil penalties of up to $2,500 per violation and $7,500 per intentional violation.
Next Steps: While the CCPA has already been amended once, and regulations clarifying its impact have not yet been released, businesses should start to prepare now. Privacy notices, other policies and procedures, and websites will need to be updated before the CCPA takes effect. If nothing else, your business should start mapping the personal information that it collects and locations where personal information is stored so it can promptly meet any request it may receive from California residents under the CCPA.
If you own a business and have not yet undertaken an analysis to determine how the CCPA may impact you, contact our office to discuss what the next step is to ensure that you do not find yourself in the crosshairs of the State of California for violating this new law.