In June 2018, the California State Legislature passed the California Consumer Privacy Act of 2018 (CCPA), a comprehensive consumer privacy law that marks a monumental shift in U.S. data privacy regulation. With the effective deadline just months away on January 1, 2020, businesses are scrambling to understand and meet the law’s extensive requirements. The CCPA, which ranks as the strictest privacy law in the nation, applies to most companies, even those outside of California, that do business in California and possess data on California residents. Given the sheer size of California’s economy—currently the fifth-largest in the world—the CCPA is expected to have a far-reaching economic impact, both domestically and worldwide. With many other states following California’s lead and introducing similar privacy bills, now is the time to prepare your business for the CCPA.
DOES THE CCPA APPLY TO YOUR BUSINESS?
The CCPA applies to any for-profit business, regardless of location, that does business in California and possesses information on California residents, as long as one of the following three criteria is met:
- An annual gross revenue of $25,000,000 or more;
- Possessing the personal data of more than 50,000 consumers, households, or devices; or
- Earning more than half of a business’s annual revenue selling consumers’ personal data.
If your business meets any one of the above three requirements, you may be one of the more than 500,000 estimated U.S. companies that will have to comply with the CCPA.
DOES YOUR BUSINESS HAVE DATA THAT IS REGULATED BY THE CCPA?
A major change that the new law brings to the U.S. privacy regime is its expansive definition of “Personal Information.” This new definition includes information that was never before considered to be “personal” under any U.S. law. Under the CCPA any information that is capable of being associated with, or could be reasonably linked to, a person or household is considered Personal Information regulated by the law. This means that, for example, an IP address of a California resident qualifies as Personal Information under the CCPA. Businesses must re-evaluate the data they collect and receive that could possibly include information relating to California residents, from email lists to website server logs.
Is your business prepared to comply with the ccpa’s NEW personal data rights?
Similar to the transparency requirements under the European Union’s General Data Protection Regulation (GDPR), the CCPA requires companies to update their privacy notices, including by requiring businesses to disclose the types of Personal Information they receive and collect about California residents, where that information is stored, and with whom it is shared. In addition, the CCPA grants California residents a series of enforceable data privacy rights, including the right to access their Personal Information held by companies, the right to request deletion of that data, and the right to opt-out of the sale of their data. Without due preparation and implementing technical procedures, these individual rights can cause significant operational difficulties, as many companies learned during preparation for the GDPR last year. It is also important to note that while there is certainly some overlap between the requirements of the GDPR and the CCPA, companies must still address several compliance variances between the two laws.
What are the possible risks and PENALTIES?
Large data privacy class action lawsuits have become a regular occurrence in today’s privacy-sensitive climate, and when the CCPA becomes effective, class action attorneys are expected to lead a surge of consumer litigation. Under the CCPA’s private right of action, plaintiffs are permitted to seek statutory damages of up to $750 per consumer, per incident, or actual damages, whichever is higher. Given that there are approximately 40 million California residents, the liability risk can be staggering.
In addition to lawsuits, businesses may be subject to costly fines for violations as well, which are enforced by the California Attorney General. Under the CCPA, the Attorney General may assess fines of up to $7,500 per violation. Compliance violations also have the potential to quickly become PR nightmares for any organization, as public support continues to swell for stricter data protection laws, making effective compliance all the more important.
With January 1, 2020 right around the corner, now is the time for businesses to prepare for the CCPA’s wide-ranging requirements. Although there is still some uncertainty and pending amendments to the law, there are concrete steps that businesses can take today to drastically reduce the risk of fines, costly litigation, and other financial & PR nightmares. If you have any questions about the CCPA or its applicability to your business, we can help. Winthrop & Weinstine’s Data Privacy & Security team provides cost-effective, easy-to-adopt CCPA solutions for companies of all sizes.
For more information on this or other data privacy & security issues, contact Nadeem Schwen.