The California Consumer Privacy Act (CCPA), which we discussed last year, goes into effect on January 1, 2020. Its record-keeping requirements become effective on July 1, 2019. If your small- or medium-size business is based on the East Coast with no particular focus on California, why should you care?
The CCPA has three separate tests for determining which businesses are covered by its regulation. The provision that is likely to trip up the most out-of-state businesses is the one that extends the statute to any business that obtains information about more than 50,000 “consumers, households, or devices.” While “consumers” is limited to California residents, “devices” is not geographically limited.
Thus, any consumer-facing website or app that collects the names or IP addresses of its visitors or users and that is accessed by more than 50,000 visitors or users annually may be subject to the CCPA, particularly if its California customer base is significant. If your business fits that description, it is time to pay attention. Enforcement activity will not be limited to the attorney general’s office; the CCPA allows for class action lawsuits on behalf of consumers.
The CCPA was modeled loosely on Europe’s General Data Protection Regulation (GDPR). If you went through the exercise of GDPR compliance last year, you are ahead of the game. Both laws include a right to be forgotten and a right of consumers to correct erroneous data. Both require companies that share personal information with subcontractors such as cloud-storage providers to do so only pursuant to a written contract that protects consumer privacy. While the GDPR mandates specific contractual clauses, the CCPA does not. Under both laws, the consumer’s rights regarding their personal information must flow through to the service provider.
Like the GDPR, the CCPA requires businesses, upon request, to provide consumers with their personal information in an electronic, readily usable format that allows the consumer to transfer that information to another business.
This description of the CCPA is general. Many specific provisions may require your attention if the law applies to you. Gearing up to comply with such consumer requests may involve considerable operational changes.
Under the CCPA, the attorney general may impose civil money penalties of up to $2,500 per violation, and up to $7,500 per intentional violation. In the case of data breaches stemming from poor security practices, the CCPA allows consumers to sue for damages of between $100 and $750 for each person affected. The penalty amount could skyrocket in the event of a successful consumer class action.
The California legislature is weighing revisions to the CCPA that may be adopted before January 1, 2020. One bill would exclude employees and job applicants from the definition of “consumer.” Another would extend the ability of consumers to sue to any violation of the CCPA, not just data breaches. Yet another would treat an exfiltration of biometric information as a data breach requiring notification to those affected. Several other states, including Washington, Massachusetts, Rhode Island, Maryland, Hawaii and New Mexico, have bills in process that are more or less modeled on the CCPA. Preparing now for CCPA compliance will put you ahead of the curve when these copycat bills are enacted.