Sunstein Insights Shape Created with Sketch.

Back to All Publications

The California Consumer Privacy Act: More Relevant Than You Think

Thomas C. Carey

Thomas C. Carey | Partner, Business Chair View more articles

Thomas is a member of our Business Practice Group

The California Consumer Privacy Act (CCPA), which we discussed last year, goes into effect on January 1, 2020. Its record-keeping requirements become effective on July 1, 2019. If your small- or medium-size business is based on the East Coast with no particular focus on California, why should you care?

The CCPA has three separate tests for determining what businesses are covered by its regulation. The provision that is likely to trip us the most out-of-state businesses is the one that extends the statute to any business that obtains information about more than 50,000 “consumers, households, or devices.” While “consumers” is limited to California residents, “devices” is not geographically limited.

Thus, any consumer-facing website or app that collects the names or IP addresses of its visitors or users and that is accessed by more than 50,000 visitors or users annually may be subject to the CCPA, particularly if its California customer base is significant. If your business fits that description, it is time to pay attention. Enforcement activity will not be limited to the attorney general’s office; the CCPA allows for class action lawsuits on behalf of consumers.

The CCPA was modeled loosely on Europe’s General Data Privacy Regulation (GDPR). If you went through the exercise of GDPR compliance last year, you are ahead of the game. Both laws include a right to be forgotten and a right of consumers to correct erroneous data. Both require companies that share personal information with subcontractors such as cloud-storage providers to do so only pursuant to a written contract that protects consumer privacy. While the GDPR mandates specific contractual clauses, the CCPA does not. Under both laws, the consumer’s rights regarding its personal information must flow through to the service provider.

The CCPA allows consumers to opt out of having their personal information sold. It is far more prescriptive in this regard than the GDPR: It requires that the home page of the business’s website contain a link with the title “Do Not Sell My Personal Information”. Unlike the GDPR, the CCPA has no exceptions to the consumer’s right to object to the sale of its personal information. In addition, the CCPA requires that a business’s privacy policy describe:

  • The consumer’s right to request the categories of information collected, the specific information collected, the sources of the information, the purpose of its collection, and the categories of the third parties with whom it is shared;
  • One or more means of making such a request, one of which must be an 800 telephone number (although that may change) and the other must be on the company’s website, if it has one;
  • The consumer’s right not to be discriminated against for making a request authorized under the CCPA; and
  • The right to have personal information deleted.

Like the GDPR, the CCPA requires businesses, upon request, to provide consumers with their personal information in electronic, readily usable format that allows the consumer to transfer that information to another business.

This description of the CCPA is general. Many specific provisions may require your attention if the law applies to you. Gearing up to comply with such requests may involve considerable operational changes.

Under the CCPA, the attorney general pay impose civil money penalties of up to $2,500 per violation, and up to $7,500 per intentional violation. In the case of data breaches stemming from poor security practices, the CCPA allows for consumers to sue for damages of between $100 and $750 for each person affected. The penalty amount could skyrocket in the event of a successful consumer class action.

The California legislature is weighing revisions to the CCPA that may be adopted before January 1, 2020. One bill would exclude employees and job applicants from the definition of “consumer.” Another would extend the ability of consumers to sue for any violation of the CCPA, not just data breaches. Yet another would consider an exfiltration of biometric information to be a data breach requiring notification to those affected. Several other states, including Washington, Massachusetts, Rhode Island, Maryland, Hawaii and New Mexico, have bills in process that are more or less modeled on the CCPA. Preparing now for CCPA compliance will put you ahead of the curve when these copycat bills are enacted

We use cookies to improve your site experience, distinguish you from other users and support the marketing of our services. These cookies may store your personal information. By continuing to use our website, you agree to the storing of cookies on your device. For more information, please visit our Privacy Notice.

Subscribe to our Newsletters

Subscribe to: