California Consumer Privacy Act
January 1, 2020 marks the effective date of the California Consumer Privacy Act (CCPA). This new data protection law, which is similar in many respects to the EU General Data Protection Regulation (GDPR), requires companies to comply with numerous requirements related to collecting and processing the personal information of California consumers, including a 12-month look-back period for consumer requests. With California’s new privacy law around the corner, companies are facing many new compliance issues and questions.
CCPA FAQ
If you’ve heard about the California Consumer Privacy Act (CCPA), but are confused about whether it actually applies to your company or unsure about what CCPA compliance actually requires, you are not alone. Below are answers to some of these questions to get you on the right track. If you have questions or need help, please reach out to a member of our Data, Privacy & Cybersecurity Group.
The CCPA differs from the GDPR in certain aspects, so unfortunately all the time and energy your team put into GDPR compliance does not by itself make your organization CCPA-compliant, although it may make CCPA compliance easier. If a company is not subject to the GDPR but is subject to the CCPA, starting the compliance process immediately is crucial.
The CCPA applies to any business that is organized or operated for profit, does business in the State of California, collects consumers’ personal information, determines the purposes and means of the processing of such information, and meets at least one of the following criteria:
- has annual gross revenues in excess of $25 million (not limited to California revenue);
- buys, sells, receives, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices annually; or
- derives 50% or more of its annual revenues from the sale of personal information.
Any entity that controls or is controlled by a “business,” and that shares common branding with the business is also a “business.” The CCPA’s definition of “personal information” is very broad.
- While portions of the CCPA will go into effect January 1, 2020, the California Attorney General (CA AG) is not permitted to enforce the CCPA until July 1, 2020, or six months after the attorney general issues regulations to implement the law, whichever is sooner.
- If a proposed amendment is approved, however, individuals will be able to file suit directly against businesses as soon as the law comes into effect, which could result in a large uptick in privacy-related litigation in California and would make the six-month enforcement delay irrelevant in practice.
- The CA AG may initiate civil actions against companies that fail to cure CCPA violations within the statutory cure period, with penalties of up to $2,500 per violation or up to $7,500 per intentional violation.
- The CCPA also contains a limited private right of action for data breaches. Where a breach results from a company’s failure to implement and maintain reasonable security procedures and practices, affected individuals may each seek to recover the greater of actual damages or statutory damages of up to $750 per consumer per incident, and such damages may also be sought in a class action.
- While the CCPA currently permits a private cause of action only for data breach claims, the CA AG’s Office has proposed an amendment allowing a private cause of action for any CCPA violation. If the amendment is approved, there could be a large uptick in privacy-related class action litigation in California.
Consumers have the following rights under the CCPA:
- Transparency/Access
  - CA consumers can request that businesses identify the categories of personal information collected, the sources from which personal information is collected, the business or commercial purpose of such collection, and the categories of third parties with whom personal information is shared.
  - Consumers have a right to know whether, and to whom, their personal information was sold or disclosed for a business purpose.
- Deletion
  - Upon receipt of a verifiable request, a company must delete the personal information it holds about a consumer unless an exception applies (e.g., compliance with a legal obligation, exercising free speech, or internal uses that are aligned with consumer expectations).
- Opt-out of Sale of Personal Information
  - The CCPA allows consumers to opt out of the “sale” of their personal information. The CCPA defines “sale” broadly to include “renting, releasing, disclosing or otherwise communicating a consumer’s personal information to a third party for monetary or other valuable consideration.”
  - Some data sharing is exempt from the definition of sale, including certain information sharing with service providers.
  - Any business selling personal information must include a clear link on its website homepage, mobile app, or platform, and in its privacy policy, labeled “Do Not Sell My Personal Information” that enables consumers to opt out.
CCPA compliance is complex, and an organization must have a clear understanding of all of the personal information it collects on each consumer and of the entities to whom it sells that personal information or transfers it for valuable consideration. Some of the issues organizations will need to address are listed below:
- how to authenticate and respond to CA consumer access requests and deletion requests;
- how to allow consumers to opt out of the sale of their personal information;
- how their website privacy policy needs to be updated;
- how to ensure third parties’ assistance with consumer requests;
- the appropriate training for employees who handle consumer inquiries, so they are familiar with the consumer rights available under the CCPA and how consumers can exercise them; and
- whether to extend CCPA rights to all consumers or limit them to California consumers.
CCPA Services
Greenberg Traurig assists clients in understanding how the CCPA impacts their organization’s data handling and data security practices. We work with our clients to identify options for CCPA compliance taking into account their specific operations. Our team has helped hundreds of companies, at various stages of development, operationalize compliance with diverse data protection laws, including, most recently, the GDPR.
In relation to the CCPA, we can provide the following services:
- Lobbying on legislation to amend the CCPA
- Advocacy before the Attorney General, or other state agencies, in connection with proposed regulations to implement the CCPA
- Advising on other state and federal privacy legislation that could impact the CCPA
- Preparing data maps tracking an organization’s data processing activities to determine how CCPA impacts the organization
- Reviewing data sharing contracts and advising on CCPA-related amendments to them
- Revising websites to address CCPA requirements
- Updating privacy policies
- Preparing procedures to handle consumer access requests and requests to opt out
- Drafting document retention and destruction policies
- Reviewing and revising security policies and incident response plans
- Training and table top exercises relating to specific data protection procedures
- Defending privacy-related litigation and responding to regulatory enforcement actions