Why the CCPA Matters to You and Your Business
July 8, 2019
Is your company ready for the CCPA?
The California Consumer Privacy Act (CCPA), which becomes effective on January 1, 2020, will require companies to be ready to create greater transparency about the collection, use, and sharing of California consumers’ personal information by:
- Understanding the consumer data being collected
- Complying with new disclosure requirements
- Preparing for customer data requests that include 12 months of data
- Implementing new systems and processes to ensure ongoing compliance
In June 2018, the California legislature adopted, and the governor signed into law, the California Consumer Privacy Act of 2018 (CCPA), which will become effective January 1, 2020. Similar to the EU’s General Data Protection Regulation (GDPR), the CCPA creates greater transparency about the collection, use, and sharing of consumers’ personal information by forcing companies to comply with additional requirements regarding the processing of the data.
All residents of California are protected under the CCPA, but not just when they function as consumers. They are also protected as employees [1], patients, tenants, students, parents, children, etc. This legal protection persists as long as the individual can be identified by any unique identifier, even if that individual is out of the state temporarily.
The CCPA protects a wide array of data by defining “personal information” more broadly than other sections of the California Civil Code and other state privacy laws. It applies to all information that relates to a specific consumer or household, protecting various types of data such as a person’s name or government identification number, a household’s annual energy consumption, or a device’s IP address. This is similar to the GDPR’s definition of “personal data,” which includes information that is deemed identifiable; however, while the GDPR’s protections include “publicly available information,” the CCPA excludes it.
Consumers will also now have the ability to opt out of the sale of their personal information to third parties, and the CCPA restricts a company’s ability to penalize individuals who exercise that right. This is done by not allowing businesses to deny goods or services, charge different prices, or provide a different level of quality to the consumer.
However, there is a potentially broad exception that allows businesses to evade the restrictions if their conduct is reasonably related to the value provided to the consumer by the utilization of the consumer’s data. Furthermore, businesses may offer financial incentives, including payments to consumers, for collecting and selling their personal information as long as the action is not unjust, unreasonable, coercive, or usurious in nature.
Compliance is required by all companies, not just those located in California, that receive personal information from California consumers while either: (i) exceeding annual gross revenues of $25 million; (ii) annually obtaining personal information of 50,000 or more California consumers, households or devices; or (iii) gaining 50 percent or more of their annual revenue from selling California consumers’ personal information.
While these three thresholds seem straightforward on their face, application may not be easy. For example, it is not clear whether the $25 million annual gross revenue figure is limited only to sales in California or expanded to sales globally. Additionally, the scope of information that most companies passively capture by utilizing websites, such as IP addresses, could lead to outsized consequences for small businesses inside and outside California by forcing compliance.
Companies worldwide will need to act proactively to comply with these new requirements. Similar to the efforts global companies have undertaken in preparation for the GDPR, it is recommended to prepare data maps, inventories, or other records of all personal information in relation to California consumers, households, and devices.
In addition, it is strongly recommended to commence identifying information sources, storage locations, usage and recipients. This will not only help businesses comply with new disclosures required of company privacy policies, but also prepare for user data access, deletion, and portability requests of up to 12 months of data, known as the “look back” requirement. Businesses will also need to secure prior consent for data sharing for parents and minors, and to comply with opt-out requests.
Businesses should also consider alternative business models, especially with their web preferences, to address the complex nature of the new law, including exploring a California-only website and charging for formerly free services. Under the CCPA, consumers must have a method, such as a toll-free telephone number, to submit data access requests, and be able to access a clear and conspicuous “Do Not Sell My Personal Information” link that enables them to opt out of the sale of their personal information to third parties.
Further, compliance will be aided by adopting new systems and processes that verify the identity (including the age and authorization) of individuals who make requests for data access, deletion, or portability; respond to these requests within 45 days; avoid requesting opt-in consent from consumers for 12 months after they opt out; and update privacy policies.
It’s important to note that the scope of the CCPA is subject to amendment, with several proposed amendments pending, until September 13, 2019, which means companies will need to be ready to comply in this fluid situation.
If the CCPA is not adhered to, companies may find themselves in a civil action brought by the California Attorney General’s Office and will be required to pay penalties of up to $7,500 per intentional violation, or in the case of unintentional violations $2,500 per violation if the company fails to remedy it within 30 days of notice.
Individuals will also be able to bring claims in civil class action lawsuits, where companies that are victims of data theft or other security breaches can be ordered to pay damages between $100 and $750 per California consumer and incident, or actual damages, whichever is greater, and any other relief deemed proper by the court. The AG will also have the option to prosecute in place of a civil suit brought by consumers.
The CCPA was the first in a current trend of comprehensive data privacy laws enacted in the United States. While California is still deliberating amendments that will help define the scope and impact upon its effective date, other states, including Maine and Nevada, have taken notice and recently passed legislation, continuing the trend. The complexity of complying with differing privacy laws in different states has elicited rumblings for federal privacy legislation. However, until a federal act passes, we should expect more laws like the CCPA to follow.
This article was prepared with the assistance of summer associate Jordan Boak.
[1] Note that employees may be excluded pending an amendment to the CCPA (Bill AB-25 in CA Senate).