The California Consumer Privacy Act (“CCPA”) Is Enforceable Beginning July 1, 2020. Is Your Business Ready?

Posted by:

You may have noticed a recent influx of personal emails about updates to businesses’ privacy policies and terms and conditions. This may be due, in part, to the California Consumer Privacy Act (“CCPA”) allowing individuals to bring private rights of action against businesses. While the CCPA was effective January 1, 2020, it will be enforceable by the California Attorney General beginning July 1, 2020.

What is the CCPA?

The CCPA grants California consumers the right to control the personal information that businesses collect about them. Through the CCPA, California residents have the right to know what personal information is being collected, whether their personal information was sold or disclosed (and to whom), and may request that businesses delete their personal information. Under the CCPA, personal information is any data that identifies, relates to, or describes a particular person or household. Information such as a person’s name, address, and email address (even a computer IP address) are considered personal information. This applies to information collected online and offline, so the CCPA may apply to businesses even if they do not have a website.

Not all businesses need to comply.

The CCPA applies to for-profit businesses that collect consumers’ personal information and meet one or more of these criteria:

(1) The business has an annual gross
revenue in excess of $25M;

(2) The business collects, buys,
receives, sells, or shares the personal information of 50,000 or more
California-resident consumers, household, or devices; or

(3) The business derives 50% or more of
its annual revenue from selling consumers’ personal information.

Even small consumer-oriented businesses should take particular note of the second criteria: If the business’ website collects what the Act classifies as “personal information,” such as email addresses or the IP Address of the computer accessing the website, it may not take very long to collect that kind of information about 50,000 California-resident devices or consumers and make the business subject to the Act.

Upon receiving a verified consumer request, businesses meeting any of the above-mentioned criteria must give California residents the means to exercise their rights under the CCPA and cannot discriminate against them for exercising these rights. Businesses must complete the consumer’s request within 45 days, although an extension of time may be available, and the process of responding to consumer requests must be supported by reasonable security procedures and practices.

What happens if a business does not comply?

A failure to cure any alleged violation of the CCPA within 30 days of notification of alleged noncompliance will subject businesses to an injunction and civil penalties of no more than $2,500 per violation or $7,500 per intentional violation. And if personal information is improperly disclosed or stolen due to the absence of reasonable security procedures and practices, businesses may be subjected to civil action for injunctive or declaratory relief, damages of $100 to $750 per consumer, per incidentor actual damages (whichever is greater), or any other relief that the court deems proper.

Are you ready to comply with the CCPA? Attorneys at Conkle, Kremer & Engel are staying current with the CCPA to guide their clients through compliance.

0

California Consumer Privacy Act of 2018 – A U.S. Version of EU’s GDPR

Posted by:

The California Consumer Privacy Act of 2018, regarded as the most comprehensive privacy law in the United States, was unanimously passed by the California legislature and signed into law by governor Jerry Brown on June 29, 2018. The bill (AB 375) was fast-tracked through the State Senate and Assembly in a rush to defeat an even stricter privacy ballot initiative, which was introduced by Californians for Consumer Privacy. After weeks of intense negotiations with technology companies, Californians for Consumer Privacy agreed to withdraw the initiative if AB 375 was signed into law.

The  new law, which takes effect January 1, 2020, is a reactive measure to recent privacy and data breaches, including the Cambridge Analytica scandal, and governs the use of California consumers’ data by larger companies. Businesses are required to disclose the categories of information to be collected prior to collection, as well as the identity of third-parties that are allow to access that information. Consumers also have the right to request the data that has been collected on them and may also request that the data be deleted. While consumers over 16 years old may opt out of having their data sold to third-parties without being penalized, businesses are prohibited from selling data collected from consumers under 16 years old unless these underage consumers affirmatively opt-in. The bill also gives California consumers the right to sue for up to $750 in the event of a data breach involving non-encrypted personal information due to the failure to implement and maintain reasonable security procedures and practices.

While this California law is the strictest in the nation, it is less restrictive than the EU GDPR.  For example, the GDPR requires consumers opt into, or give consent, by “clear affirmative action,” prior to the collection of personal data, whereas the California law only requires disclosure prior to the collection of personal data and allows them to opt-out of the sale of personal data. Most importantly, the GDPR requires any business that offers goods or services to consumers in the EU and collects any personal data from those EU residents to comply with the GDPR, while the California law only applies to companies that do business in California and satisfy one of the following criteria: (1) have an annual gross revenue exceeding $25 million; (2) in connection with a commercial purpose, annually buy, receive, sell, or share the personal information of 50,000 or more consumers; or (3) derive 50% or more of its annual revenues from selling consumers’ personal information.

The California Consumer Privacy Act may not remain in final form as passed. Tech companies have already expressed their desire to lobby legislators to change certain provisions of the law which they believe will result in unintended consequences. Lawmakers are expected to make amendments to the bill over the course of the next 18 months.

Conkle Kremer & Engel will continue to monitor the status of the California Consumer Privacy Act and will report on changes to the final version of this law, if any. CK&E has many years of experience advising clients about regulatory compliance issues they face, and helping them prepare for foreseeable changes in the law.

 

0