New Privacy Rights for Consumers: What Businesses Need to Know About the California Consumer Privacy Act
January 22, 2020
In June of 2018 the California Consumer Privacy Act (the “CCPA”) was signed into law. Passed on the heels of the European General Data Protection Regulation, the CCPA vastly expands the data privacy rights of California residents. The CCPA became effective on January 1, 2020. The overriding purpose of the CCPA is to provide California’s consumers greater control over their personal information, promote transparency in businesses’ data practices, and safeguard against the misuse of consumer data. In furthering these goals, the CCPA provides privacy rights for consumers and imposes reciprocal obligations on businesses. As such, businesses collecting the data of California consumers may need to comply with the CCPA.
Businesses subject to the CCPA include for-profit entities that: (i) have annual gross revenues exceeding $25 million; or (ii) buy, sell, share, or receive the personal information of at least 50,000 consumers, households, and/or devices per year; or (iii) derive 50% or more of their annual revenues from selling consumers’ personal information. Importantly, the CCPA defines consumer as California residents only.
In an effort to provide consumers a greater degree of control over their personal information, the CCPA allows consumers to:
- request that a business disclose what personal information is collected, from what sources, for what purpose, and to whom that information is given;
- request that a business delete personal information unless retaining such information is necessary for a business purpose (i.e. completing a transaction or maintaining an on-going business relationship); and
- “opt-out” of having their information shared, sold, or collected at any point.
A corollary of these consumer rights is that businesses must be prepared to meet consumer demands for disclosures and be equipped to handle requests for deletion or opt-out. The CCPA mandates significant changes for affected businesses. Businesses need to develop internal procedures for handling consumer requests and to modify privacy policies and websites to meet new CCPA obligations. Although certain one-year exemptions may temporarily reduce the burden of compliance for some businesses (see our latest post regarding these exemptions), these exemptions are limited in both scope and time. Any business subject to the CCPA is, therefore, encouraged to promptly take appropriate compliance steps.
Affected businesses were expected to be compliant as of January 1, 2020. Though enforcement actions may not be brought until July 1, 2020, the Attorney General of California may review a business’s compliance with CCPA as of January 1 when assessing penalties for violations of the law. As such, there is limited time for businesses subject to the mandates of the CCPA to remedy any compliance issues.
For more information regarding the CCPA and compliance efforts businesses should be taking, contact Amber Lawyer, Hannah Redmond, or any one of our attorneys in the Cybersecurity and Data Privacy Practice Group.