In response to the increase in reported consumer data breaches and growing privacy concerns, California Governor Jerry Brown signed the California Consumer Privacy Act (“CCPA”) on June 28, 2018, which grants new rights to consumers with respect to the collection and release of their personal information. The CCPA is part of a global trend toward stronger privacy protections and greater data transparency, as reflected in legislation such as the European Union’s General Data Protection Regulation (“GDPR”) and the Canadian Anti-Spam Law (“CASL”).
The California Attorney General’s Office will be promulgating regulations regarding procedures to protect consumers’ rights and the compliance obligations of businesses under the CCPA. Although various industries continue to lobby the California legislature to modify the CCPA, absent any significant changes, enforcement of the CCPA will commence as scheduled on January 1, 2020.
Definitions
The CCPA imposes obligations on companies doing business in California to protect the personal information of California consumers. “Personal information” is broadly defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” A “consumer” is a “natural person who is a California resident”, including employees, parents and children.
Covered Businesses
The CCPA applies to the following businesses:
- Large Companies: For-profit businesses with annual gross revenues of at least $25 million;
- Data brokers and other businesses that buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices annually (i.e., 137 records per day); and
- Businesses that derive at least 50% of their annual revenue from selling consumers’ personal information.
Consumer Rights and Remedies Under the CCPA
The CCPA provides California consumers with the rights to:
- Know what personal information is being collected about them;
- Make requests regarding the information about them that is held by the business;
- Obtain copies of the personal information held by the business, free of charge;
- Request deletion of certain personal information; and
- Direct a business that “sells” personal information to third parties not to sell such information (“Opt Out Right”). Importantly, a business does not have to make money from the release of a consumer’s personal information, since “sell” is defined broadly as “releasing, disclosing, disseminating, making available, transferring, or otherwise communicating … a consumer’s personal information.”
The CCPA gives the Attorney General the power to levy sanctions of $7,500 per intentional violation and $2,500 for unintentional violations. It also provides consumers with a private right of action with modest statutory awards for security breaches and greater monetary awards where damages can be proven.
What the CCPA Means for California Businesses
- If a business is subject to the CCPA, it should be prepared to modify its privacy policy and to establish a procedure for complying with consumers’ requests for information and with consumers’ more limited rights to request data transfer and deletion.
- Website Requirement: A business that shares information with third parties – even if not for profit – must not only provide notice to consumers of their rights but also post a clear and conspicuous link on its website titled “Do Not Sell My Personal Information” so that consumers can exercise their Opt Out Right.
- Affected businesses should be aware that the Attorney General’s office is likely to take an active enforcement role under the CCPA through fines and penalties, and that individual consumers may sue businesses for certain data breaches in order to recover statutory damages.
Summary
The CCPA primarily affects high-revenue businesses, marketing companies and others who are in the business of consumer information. However, given the trend in the law toward bolstering consumer privacy protections, businesses of all types and sizes should be cognizant of their practices with respect to the handling of personal information.