Back in July 2018, we introduced you to some of the sights and smells of the new California Consumer Privacy Act of 2018 (the CCPA). Not long after, the California legislature issued some technical corrections to the legislation. But there are still a number of open questions and issues that require attention from the legislature and Attorney General’s office with respect to this groundbreaking privacy law, which was written and passed in 7 business days. While those questions may be resolved (or not) before the law’s enforcement date, companies that do business in California should not wait for all of the answers before they start planning for it.
One of the pressing open issues is when the privacy provisions of the CCPA take effect (the data breach class action provisions take effect on January 1, 2020). In the August 2018 technical corrections, the California legislature added new Section 1798.185(7)(c), which states that “the Attorney General shall not bring an enforcement action under this title until six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.” As such, enforcement of the CCPA may begin on January 1, 2020, July 1, 2020, or sometime in between – we don’t know yet.
What we do know, however, is that companies should take time to determine if the CCPA applies to them and start thinking about some of the key requirements under that Act. We also know that the CCPA isn’t the GDPR-lite as it was initially described. The CCPA lacks the teeth of the European privacy regulation. The fines for non-compliance are significantly lower ($2,500 per violation not cured within 30 days of receiving notice from the CA AG, or $7,500 per intentional violation, versus GDPR’s 2-4% of global annual revenues); private rights of action only exist for data breaches with respect to nonencrypted or nonredacted personal information; and cross-border data transfers aren’t addressed. That said, the CCPA does include some important rights for Californians that are similar to GDPR and additional requirements related to the right to opt out of the sale of personal information.
Does It Apply to My Company?
So, while the details are being hammered out, companies should be thinking about whether the CCPA applies to them and what they need to do, at minimum, to comply with this new law.
Most of the CCPA obligations apply only to “businesses” that are for-profit entities “that collect[] consumers’ personal information” and which “alone, or jointly with others, determines the purposes and means of the processing” as it does business in California. The businesses also must meet one or more of the below thresholds to be subject to the CCPA:
(i) Annual gross revenues in excess of $25,000,000;
(ii) Buys, sells, receives, or shares personal information of 50,000 California residents for commercial purposes; or,
(iii) Derives 50% or more of its revenue from selling personal data of California residents.
When a business has been identified as being subject to the CCPA, its parent companies and subsidiaries may qualify automatically even if they would not individually be subject to the CCPA. And, as with the GDPR’s definition of processing, “collect” is defined very broadly under the CCPA to include “buying, renting, gathering, obtaining, receiving, or accessing any personal information” of a consumer, regardless of whether such collection is active or passive.
Okay, CCPA Applies to My Business. What Should I Do First?
If the CCPA applies to your business, it’s time to consider some of the basic requirements for compliance. These include facilitating the exercise of privacy rights by California residents, including the right to access personal data (similar to GDPR) and five new rights that differ from GDPR:
- the right to cancel (erase) data (but only when that data is collected by a business directly from the California resident exercising the right);
- the right to know what is being collected;
- the right to know what information has been shared;
- the right to opt out of the sale of personal information (or opt-in for individuals under age 16); and
- the right not to be discriminated against for the exercise of these privacy rights (meaning charging different prices or providing different quality goods/services is prohibited if that difference is reasonably related to the value provided by the consumer’s data, but this right doesn’t prevent up-charging for enhanced services above the baseline).
The CCPA will require businesses to update their privacy policies to reflect these rights, as well as provide at least 2 reasonably accessible means for California residents to exercise the rights, including a toll-free phone number and, if the business has a website, a web address.
In addition, the CCPA requires businesses to provide a link on their homepage and in their privacy policy explicitly titled “Do Not Sell My Personal Information” to enable California consumers to opt out of the sale of their personal information without having to create an account with the business.
For businesses that went through the process of reviewing their data practices and updating their privacy policies and websites for GDPR, the process should feel familiar, and many of the steps you have already taken will help inform you as to whether the CCPA applies to your business. For those who haven’t had a sweeping privacy law apply to them yet, there are careful considerations to address to ensure compliance and minimize your exposure to claims that your company is not meeting its obligations under the CCPA.
As with any important business planning effort, start early. The team at Protorae Law continues to track developments with the CCPA, and other state, federal, and international privacy laws, and is here to answer your questions and help you understand your compliance obligations.