The California Consumer Privacy Act (“CCPA”) takes effect January 1, 2020 and is similar to the European Union’s General Data Protection Regulation (GDPR). The CCPA requires transparency from businesses regarding their collection and usage of personal information, and provides California consumers certain rights with respect to their data.
TO WHOM DOES THE CCPA APPLY?
Businesses will be subject to the CCPA if they meet the following requirements:
- have gross annual revenues in excess of $25 million;
- buy, receive, or sell the personal information of 50,000 or more consumers, households, or devices annually; or
- derive 50 percent or more of annual revenues from selling consumers’ personal information.
WHAT DOES THE CCPA REQUIRE?
Businesses subject to the CCPA will be required to provide California consumers with a notice “at or before the point of collection” that details the following two items:
- The categories of personal information that the business will collect about them; and
- The purposes for which the personal information will be used.
Subject to certain exceptions, California consumers have certain rights under the CCPA with respect to their data. Upon a verifiable request, consumers may access the information collected by the business, request that their information be deleted, and opt out of the sale of their personal information.
Among other requirements, businesses subject to the CCPA must make available two methods for submitting a consumer request, including a toll-free number. Additionally, the subject business must post a clear and conspicuous “Do Not Sell My Personal Information” link on its website homepage (or on a specific page for California consumers) that links to a webpage that enables consumers to opt out of the sale of their personal information. Training and procedures are required for employees fielding these requests, and businesses are prevented from discriminating when handling the request.
DOES THE CCPA APPLY TO MY EMPLOYEES?
- a description of the categories of personal information to be collected, and
- the purpose(s) for which the disclosed categories of personal information will be used.
Generally speaking, businesses subject to the CCPA will want to closely mirror their privacy policies for both consumers and their employees.
WHAT ARE THE PENALTIES FOR VIOLATING THE CCPA?
The CCPA can be regulated and enforced by the California Attorney General. Civil penalties can be up to $2,500 per violation, with the penalty for intentional violations up to $7,500 per violation. Importantly, the Act also provides a private right of action for consumers.
Data privacy continues to be a major concern. Businesses would be wise to take note of the CCPA requirements, regardless of whether the CCPA applies. Currently, proposed federal legislation similar to the CCPA is making its way through Congress. Complying with the CCPA now may help with future federal compliance. Businesses with questions on whether the CCPA applies, or how the business can comply with the CCPA, should consult legal counsel before the January 1 deadline.
The attorneys at Carmel & Naccasha have extensive experience advising business clients in data privacy and protection.