California Consumer Privacy Act ("CCPA")

Michael T. Contos and Scott Watnik

11/20/2019

When the California Consumer Privacy Act (“CCPA”) goes into effect on January 1, 2020, it will be the strictest user rights and data privacy law to ever be enacted and implemented in the United States. Although the CCPA is subject to amendment until it goes into effect, there is no question that the CCPA will imminently impose significant changes with respect to the data collection and privacy policies of most major businesses in the United States. Below we discuss just some of the basic provisions of the CCPA and its potential impact on your business. 

WHO MUST COMPLY? Any company that collects or sells the personal data of California residents must comply with the CCPA, regardless of where the company is located. Additionally, any company with over $50 million in annual revenue that sells at least 100,000 customer records and derives at least 50 percent of its annual revenue from California residents’ personal information must comply with the CCPA. 

WHAT PERSONAL INFORMATION IS COVERED? The CCPA sets an extremely broad definition of personal information, including geolocation, personal identifiers, psychometric data, and data based on a consumer’s internet browsing history and inferences companies make regarding it.

WHAT RIGHTS DO CALIFORNIA RESIDENTS HAVE UNDER THE CCPA? Among other things, the CCPA expressly guarantees California residents the right to:

- Object to the sale of personal information
- Know what personal information about them is being collected
- Access the personal information about them that is being collected
- Know whether their personal information is being sold or disclosed, and to whom it is being sold or disclosed

Additionally, the CCPA enables consumers to bring private causes of action for privacy breaches and losses without showing any evidentiary loss of property or money. This is a radical departure from traditional civil lawsuits, which ordinarily require a plaintiff to show evidentiary proof of damages. 

WHAT MUST COMPANIES DO TO COMPLY? Some of the basic compliance requirements of the CCPA include the following: Businesses must have a highly transparent privacy policy detailing how data is collected, why it is collected, and with whom it is shared, and explaining what rights consumers have concerning such data collection. Businesses must also provide California residents the right to request all of the information, discussed supra, concerning the collection of their personal data. As part of this, businesses must provide California consumers with the ability to “opt out” (i.e., refuse the sale of their personal data) and must promote this “opt out” option via a link on their homepage and in their privacy policy. Businesses are required to honor consumers’ requests to completely delete their personal data. The CCPA expressly prohibits companies from discriminating against consumers who choose to exercise any of the privacy rights afforded to them in the statute, and contains an enumerated list of actions that could be considered discriminatory under the statute.

WHAT ARE THE PENALTIES FOR NON-COMPLIANCE? The CCPA imposes civil penalties for non-compliance of up to $7,500 per violation, as well as civil damages of up to $750 per violation, per consumer. It is not difficult to envision instances where civil penalties and damages under the CCPA will quickly aggregate into the 7-figure range, especially in connection with companies that have many thousands of customers.

WHAT ARE THE IMPLICATIONS OF THE CCPA FOR MY COMPANY? As stated above, your company’s physical location does not exempt it from the CCPA. Moreover, although the CCPA only covers California residents, it is expected to have much broader reach and implications. For instance, companies that deal with California residents and non-California residents alike will have to decide whether to: (i) maintain two privacy / data protection systems -- one for California residents and one for everyone else; or (ii) revamp their entire privacy / data protection system into a single system that complies with the CCPA, and thus effectively treat all consumers as if they are California residents covered under the CCPA. Cybersecurity experts generally expect that most companies will pick the latter option rather than the former. Indeed, maintaining two separate privacy / data protection systems is likely to cost more than revamping and maintaining a single system, and it risks alienating non-California consumers by depriving them of the same privacy and data protection rights that California consumers are entitled to.

For any questions concerning the potential impact the CCPA may have on you or your business, please contact either of the co-chairs of our cybersecurity practice: Scott Watnik or Michael T. Contos.