In response to the increase in reported consumer data breaches and growing privacy concerns, California Governor Jerry Brown signed the California Consumer Privacy Act (“CCPA”) on June 28, 2018, which grants new rights to consumers with respect to the collection and release of their personal information. The CCPA is part of a global trend toward stronger privacy protections and greater data transparency, as reflected in legislation such as the European Union’s General Data Protection Regulation (“GDPR”) and the Canadian Anti-Spam Law (“CASL”).
The California Attorney General’s Office will be promulgating regulations regarding procedures to protect consumers’ rights and the compliance obligations of businesses under the CCPA. Although various industries continue to lobby the California legislature to modify the CCPA, absent any significant changes, enforcement of the CCPA will commence as scheduled on January 1, 2020.
The CCPA imposes obligations on companies doing business in California to protect the personal information of California consumers. “Personal information” is broadly defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” A “consumer” is a “natural person who is a California resident”, including employees, parents and children.
The CCPA applies to the following businesses:
- Large Companies: For profit businesses with annual gross revenues of at least $25 million;
- Data brokers and other businesses that buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices annually (i.e., 137 records per day); and
- Businesses that derive at least 50% of their annual revenue from selling consumers’ personal information.
Consumer Rights and Remedies Under the CCPA
The CCPA provides California consumers with the rights to:
- Know what personal information is being collected about them;
- Make requests regarding the information about them that is held by the business;
- Obtain copies of the personal information held by the business, free of charge;
- Request deletion of certain personal information; and
- Direct a business that “sells” personal information to third parties not to sell such information (“Opt Out Right”). Importantly, a business does not have to make money from the release of a consumer’s personal information, since “sell” is defined broadly as “releasing, disclosing, disseminating, making available, transferring, or otherwise communicating … a consumer’s personal information.”
- The CCPA gives the Attorney General the power to levy sanctions of $7,500 per intentional violation and $2,500 for unintentional violations. It also provides consumers with a private right of action with modest statutory awards for security breaches and greater monetary awards where damages can be proven.
What the CCPA Means for California Businesses
- Website Requirement: A business that shares information with third parties – even if not for profit – is required not only to provide notice to consumers of their rights, but it must also post a clear and conspicuous link on its website titled “Do Not Sell My Personal Information” in order to allow consumers to exercise their Opt-Out Rights.
- Affected businesses should be aware that the Attorney General’s office is likely to take an active enforcement role under the CCPA through fines and penalties, and that individual consumers may sue businesses for certain data breaches in order to recover statutory damages.
The CCPA affects primarily high revenue businesses, marketing companies and others who are in the business of consumer information. However, given the trend in the law towards bolstering consumer privacy protections, businesses of all characteristics and sizes should be cognizant of their practices with respect to the handling of personal information.
CIRCULAR 230 DISCLOSURE – Pursuant to rules and regulations imposed by the Internal Revenue Service, any tax advice contained in this communication, including any attachments, is not intended or written to be used, and cannot be used, for the purpose of (1) avoiding tax penalties under the Internal Revenue Code or (2) promoting, marketing or recommending to another person any transaction or matter addressed herein.
The summary which appears above is reprinted for information purposes only. It is not intended to be and should not be considered legal advice nor substitute for obtaining legal advice from competent, independent, legal counsel. If you would like to discuss these matters in more detail, please feel free to contact us so that we can provide the clarification and resources you need to make effective decisions.