Post authored by Stephanie Nikitenko

The CCPA was passed into California law on June 28, 2018. While it does not go into effect until January 1, 2020, it shows that legislators are increasingly aware of bolstering privacy protection in the United States.[1] Known as AB 375, the bill is similar to the EU’s General Data Protection Regulation (“GDPR”).[2] But what does the CCPA do for California residents? Generally, it guarantees Californians the right to “know what personal information is being collected about them, knows whether their personal information is sold or disclosed, and to whom,” and it also gives Californians the right to “access their personal information.”[3] California has often pioneered legislation in the area of privacy. For example, in 2002, it enacted the first U.S. laws requiring notifications of data security breaches. Also, in 2004, California was the first state to require websites to maintain privacy policies.[4]

The CCPA was enacted to address people’s concerns about the amount of their data being consumed, what that data was, who consumed the data, and what was being done with that data. The law applies to any consumer who is a “natural person who is a California resident”; this is defined as: (1) any individual in the state for any purpose that’s not transitory or temporary, and (2) any individual who is domiciled in the state but currently or occasionally is outside the state for a temporary or transitory purpose.[5] Anyone who travels or has partial residency in other states would be protected by the CCPA, as long as they are domiciled in California.[6]

What Businesses Must Comply With the CCPA?

Under the CCPA, a business is a for-profit entity that makes more than $25 million or more in annual revenue; buys, receives, or sells the personal data of at least 50,000 consumers or households; and obtains at least half of its revenue selling California residents’ personal data.[7] The business must also meet all of the following conditions: (1) be a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized and operated for the profit or financial benefit of shareholders or other owners; (2) collects consumers’ personal information, or has someone collect it on its behalf; (3) alone, or jointly, determines the purposes and means of processing consumers’ personal information; and (4) does business in California.[8]

Complying with the CCPA

  • Ensure the data being collected is well organized. Any consumer can request specific information about themselves, so companies will need to search, compile, and send reports with that information to the requesting consumer.[9]
  • Have clear and transparent policies informing consumers how their data is being collected and used.[10]
  • Understand the statutory provisions of CCPA.[11]

Many people are not pleased by big tech companies, such as Facebook and Google, whose business models center focus on using personal data to sell targeted advertising.[12] In addition, people are concerned about how the law will be enforced, due to a “cure” provision that pardons companies if they take steps to fix the data violation.[13] Due to this “cure” provision, class action attorneys are reluctant to bring CCPA cases, because they believe companies will rely on it anytime there is a breach.[14] Ultimately, the courts will need to provide guidance about the practical effects of the law.[15]

[1] Juliana De Groot, What is the California Consumer Privacy Act?, Data Insider (July 15, 2019), https://digitalguardian.com/blog/what-california-data-privacy-protection-act.

[2] California Consumer Privacy Act: Everything You Need to Know About CCPA, the New California Data Privacy Law, Fair Warning (Oct. 30, 2019), https://www.fairwarning.com/insights/blog/california-consumer-privacy-act-of-2018-everything-you-need-to-know-about-the-new-california-data-protection-law.

[3] Id.

[4] Id.

[5] Id.

[6] Id.

[7] California Consumer Privacy Act of 2018, Assembly Bill 375, Ch. 55 (2008).

[8] Id.

[9] De Groot, supra note 1.

[10] Id.

[11] Id.

[12] Jeff John Roberts, Here Comes America’s First Privacy Law: What the CCPA Means For Business and Consumers, Fortune (Sept. 13, 2019), https://fortune.com/2019/09/13/what-is-ccpa-compliance-california-data-privacy-law/.

[13] Id.

[14] Id.

[15] Id.

About the Author:

Stephanie Nikitenko is currently a 3L at UIC John Marshall Law School in Chicago. At UIC John Marshall, she’s the President of the Intellectual Property Law Society (IPLS) and primarily concentrates her studies on the subject of Intellectual Property. She recently spent a semester working in the JMLS Trademark Clinic where she assisted clients with the Trademark Registration process with the USPTO. Additionally, under the supervision of an attorney, she currently assists a law firm with both their trademark and patent matters.