by Leila Javanshir, Miller Nash Graham & Dunn 2018 Summer Associate
On June 28, 2018, yet another new law hit the data privacy world, one that will change how companies around the world handle their data. The enactment of the California Consumer Privacy Act (CCPA) is a landmark moment for consumers and businesses alike.
What Does It Mean for Your Business?
This comprehensive privacy law, which will take effect on January 1, 2020, will cause a drastic shift in the way companies may collect and use personal information of California residents.
First, the new law grants California residents the right to know what personal information is being collected about them, why it is being collected, and with whom it is being shared. It also gives consumers the right to opt out of the sale of their information and the right to have a business delete their information (subject to certain exceptions).
Second, if your company fails to comply with the new law, consumers have a private right of action for certain data breaches caused by a failure to maintain reasonable security procedures, and violations of the CCPA may subject you to civil penalties of up to $7,500 per intentional violation in an action brought by the state attorney general.
Third, the CCPA defines the term "personal information" broadly, extending it well beyond what other U.S. laws consider "personal information" and more closely mirroring the definition of "personal data" in the European Union's General Data Protection Regulation. For example, the term includes "any information that…relates to…a particular consumer or household." By including the term "household," the law protects data that does not relate to a single individual and does not need to carry a name. The expansive definition covers information such as household water or energy consumption, web browsing history, and purchasing patterns.
Who is Impacted?
The CCPA applies to for-profit entities located both inside and outside of California that collect personal information of California residents and meet any one of the following three criteria:
- Annual gross revenue of more than $25 million;
- Receives or shares (or otherwise "processes," another broadly defined term) personal information for more than 50,000 consumers, households, or devices; or
- Receives more than 50 percent of its annual revenue from the sale of personal information.
The CCPA generally does not apply, however, to data already regulated under the Confidentiality of Medical Information Act (a California law), the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, or the Driver's Privacy Protection Act. But to the extent that your company, whether directly or through a parent company or subsidiary, actively or passively receives other personal information of California residents, the law will require you to change your current operations and policies by January 1, 2020.
Plan Ahead and Take Action to Avoid Penalties
Historically, California has been a leader in consumer privacy protections. And because California is the fifth-largest economy in the world, the new privacy law is expected to apply to more than 500,000 U.S. companies, a majority of which are small- to medium-size businesses. It is vital that your business take the proper steps early to ensure compliance by January 1, 2020.
To ensure your business is ready for California’s sweeping new privacy law:
- Prepare data maps, inventories, or other records reflecting how personal information of California residents, households, and devices is received, stored, shared, and otherwise processed, so that your company can respond to access, deletion, and other informational requests;
- Consider alternative business models and web presences, such as California-only sites and offerings;
- Plan how you will fund and implement the new processes the law requires, such as verifying the identity and authorization of individuals making data requests and responding to data requests within 45 days;
- Implement a system to determine the age of California residents in order to comply with the opt-in consent requirements for children under the age of 16;
- Provide a clear link titled "Do Not Sell My Personal Information" on your business's Internet homepage to allow consumers to opt out of the sale of their personal information; and
- Update your online privacy policy to include:
  - A description of a consumer's rights under the law;
  - Methods by which consumers may submit requests to the business;
  - A list of the categories of personal information collected about consumers in the preceding 12 months; and
  - Lists of the categories of personal information sold or disclosed to third parties in the preceding 12 months, or confirmation that such information has not been sold.
How We Can Help
Our privacy and data security team regularly advises clients on data security best practices, compliance with legal requirements, and industry-specific rules in a rapidly changing market. We work closely with our clients to develop strategic plans and to draft policies that comply with newly implemented laws. Reach out to our team with your questions and concerns to ensure you are up to speed before the effective date, January 1, 2020.