On January 1, 2020, the California Consumer Privacy Act (“CCPA”) takes effect and will have an immediate impact on some regional businesses. The CCPA will require certain U.S. companies to implement privacy initiatives that will afford California residents increased data privacy rights. More importantly, the CCPA will likely serve as the foundation for a future omnibus federal privacy law. Becoming familiar with the CCPA requirements now and implementing policies and practices for compliance will better serve regional businesses in the future.
A Few Important Definitions
The CCPA includes a few terms-of-art that are important to understand the scope of the new law:
“Business” – a for-profit entity doing business in California that collects personal information regarding California residents.
“Doing Business” – companies that sell goods or services to California residents even though the business is not physically located in California.
“Personal Information” – information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household.
“Consumer” – A natural person who is a California resident, which includes every individual who is in the state for other than a temporary or transitory purpose, and every individual who is domiciled in the state who is outside the state for a temporary or transitory purpose.
“Sell” – includes selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or third party for monetary or valuable consideration.
Which Regional Businesses Must Comply?
The CCPA covers only businesses that meet one of the following three requirements:
- Have $25 million or more in annual revenue; or
- Possess the personal data of more than 50,000 “consumers, households, or devices” or
- Earn more than half of its annual revenue selling consumers’ personal data.
What Information Does the CCPA Not Cover?
The CCPA does not apply to information that is subject to other federal regulation including:
- Health Insurance Portability and Accountability Act (HIPAA);
- Gramm-Leach Bliley Act (GLBA);
- Fair Credit Reporting Act (FCRA); or
- Drivers’ Privacy Protection Act (DPPA).
The CCPA will apply to entities covered by these laws to the extent they collect and process other personal information about consumers.
The CCPA does not apply to a business that collects a consumer’s personal information while that individual is outside California, no part of the sale of the consumer’s personal information occurred in California, and no personal information collected while the consumer was in California is sold.
What Data Privacy Rights are Given to California Residents?
- Whether their personal information is being collected;
- Ability to request the specific categories of information a business collects;
- Identify what personal information is being collected about them;
- Ability to “say no” to the sale of personal information; and
- Right to equal service and price.
How Should Regional Businesses Comply?
- Update Privacy Notices and Policies;
- Update Data Inventories, Business Processes, and Data Strategies;
- Implement Protocols to Ensure Consumer Rights;
- Make Security Updates;
- Update Third-Party Processor/Vendor Agreements; and
- Train employees handling customer inquiries.
What are the Penalties?
- Private right of action in instances where there is certain unauthorized access and exfiltration, theft, or disclosure of non-encrypted or non-redacted personal information.
- Statutory damages ranging from $100 to $750 per violation or actual damages, whichever is greater.
- Enforcement by the California Attorney General
- $7,500 per intentional violation and $2,500 for unintentional violations
What is the Outlook for the Privacy Landscape outside of CCPA?
In 2019, Nevada enacted a “Do Not Sell” Privacy Law. This took effect on October 1, 2019, and provides business with 90 days to respond to a request. This law applies to “covered information” as defined by Children's Online Privacy Protection Act (COPPA), and businesses must provide opt-outs of covered information sales. There is no private right of action under Nevada’s new law.
Other states that are debating legislation include New Jersey, Maine, Washington, New York, Connecticut, and Illinois. At the federal level, there is significant interest and serious bipartisan effort to draft a federal privacy bill in the Senate. Businesses are more willing to engage in a negotiation for an omnibus privacy bill with various states enacting or discussing privacy legislation with differing requirements. Privacy groups and a large block of California congressional members will push any federal omnibus bill to include large portions of the CCPA.
It is unlikely that a federal omnibus privacy bill will be debated during an election year, but it would not be surprising to see a bill introduced in the next several years. That bill is likely to look similar to the CCPA, so regional businesses should begin evaluating their privacy policies now even if the CCPA does not apply to them.
If you have any questions please contact Dan VeNard at (574) 807-8243 or at firstname.lastname@example.org.