The California Consumer Privacy Act of 2018 (“CCPA”) creates new compliance obligations and operational challenges for companies doing business in California, effective January 1, 2020. Given the broad reach of the law, the CCPA may have significant impact on entities that collect and process personal data.

The CCPA grants California residents new rights regarding their personal information and imposes various data protection duties on certain entities conducting business in California. The CCPA is considered the most stringent privacy law in the United States. The Act’s requirements include, but are not limited to:

• Disclosing data collection, data use and data sharing practices to consumers;
• Complying with a consumer’s requests to opt-out of the sale of personal information to third parties, subject to certain defenses;
• Providing personal information to a consumer in a readily useable format to enable a consumer to transmit the information from one entity to another;

A business must respond to consumer requests within 45 days after receipt, and consumers may only make most information requests twice a year and only for a 12-month look-back. There are no limitations to requests for data deletion or do not sell requests.

Covered Businesses

The CCPA applies to any for-profit entity doing business in California that:

• Has a gross revenue greater than $25 million;
• Annually buys, receives, sells, or shares the personal information of more than 50,000 consumers, households, or devices for commercial purposes;
• Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

The law also applies to any entity that either:

• Controls or is controlled by a covered business;
• Shares common branding with a covered business, such as a shared name, service mark, or trademark.

The CCPA also applies to certain service providers and third parties. Even if the entity does not meet the requirements listed, some business partners or service providers supporting covered business may be impacted.

Penalties

Intentional violations of the CCPA can bring civil penalties of up to $7,500 for each violation in a lawsuit brought by the California Attorney General on behalf of the people of the State of California. The maximum fine for other violations is $2,500 per violation. However, enterprises have 30 days after receiving notice of noncompliance from the California Attorney General’s office to cure it, and only thereafter are they subject to an enforcement action for violating the law.

This system is the same as that used to enforce the California Online Privacy Protection Act (“CalOPPA”), a 2003 law which required website operators to “conspicuously” post a privacy policy on their website if the site collects personally identifiable information. It is likely that the enforcement of the CCPA will follow the same rules as CalOPPA and other, similar laws, which use §17206 for a penalty. This means that damages will be tabulated on a per-capita basis. Each user whose profile is illegally processed, sold, etc., will represent an independent violation.

The CCPA also grants a private right of action to individual Californians. The section gives any natural person with California residency a right of action if their unencrypted or unredacted personal information has been exposed due to a business’s failure to maintain appropriate security safeguards. Californians can seek statutory damages between $100 and $750, injunctive or declaratory relief, or any other relief the court deems proper. Actions can be aggregated into a class action.

Rulemaking Process

The California Attorney General’s Office is set to draft implementing regulations for the new law on or before July 1, 2020. The regulations will likely include:

• Clarifications to key definitions, including updates to the CCPA’s categories of personal information and definition of unique identifiers;
• Exceptions necessary to comply with state or federal law;
• Rules and procedures to facilitate and govern the submission of a request by a consumer to opt-out of the sale of personal information and compliance with a consumer’s opt-out request;
• Rules and procedures for the development and use of a recognizable and uniform opt-out logo or button for businesses to use to promote consumer awareness of the ability to opt out of the sale of personal information;
• Adjusting the monetary threshold for businesses to be covered by the CCPA;
• Consumer accessibility to notices, including the establishment of rules, procedures and any exception necessary to ensure that notices are provided in a manner easily understood by the average consumer, are accessible to consumers with disabilities and are available in the language primarily used to interact with consumers, including establishing rules and guidelines regarding financial incentive offerings.

Once the California Attorney General has drafted and promulgated the implementing regulations, the California Department of Justice will likely hold public hearings and permit further opportunity for public comment.

Similar to the European Union’s General Data Protection Regulation, the CCPA will require organizations to focus on consumer data and provide transparency in how they are collecting, sharing and using such data. Several policies, processes and systems will need to be in place to address the Act’s requirements. Businesses should assess whether the CCPA applies to their business, develop an action plan to tackling the CCPA’s requirements and work to come into compliance before the Act’s January 1, 2020, effective date.

For more information about how this may affect your business, please contact one of the attorneys on the Cybersecurity & Privacy Team: