January 14, 2020
January 14, 2020
The California Consumer Privacy Act, as amended (CCPA), came into effect on January 1, 2020 and has wide-reaching implications for many companies. Under the CCPA, a California resident can take action regarding their rights with a company and can bring a civil action against a company in certain circumstances. And there is California attorney general enforcement—which means that directors need to have a high-level understanding of the CCPA and the related risks that their company may face regarding the CCPA. Here is what directors need to know.
The CCPA addresses consumer privacy and data security rights for California residents, and requirements for companies to which the CCPA applies, regarding personal information. The CCPA defines “personal information” broadly, meaning information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
The CCPA contains numerous other definitions that differ from those under other laws and regulations (for example, the European Union’s General Data Protection Regulation). A California data broker law, which also came into effect on January 1, 2020, uses certain CCPA definitions.
In addition to the CCPA, there are proposed CCPA regulations that the California attorney general released in October 2019 (final CCPA regulations must be adopted on or before July 1, 2020).
The California attorney general cannot bring enforcement action until six months after publication of such CCPA regulations or July 1, 2020, whichever is sooner. However, according to the California attorney general, businesses must comply with many requirements of the CCPA starting January 1, 2020.
The CCPA applies to businesses, service providers, and third parties. Among other things, both a business and a service provider, as defined by the CCPA, are for-profit. In addition, a business must have annual gross revenues over $25 million, do business in California, and collect and determine the purposes and means of processing a California resident’s personal information.
A business discloses a California resident’s personal information for a business purpose to a service provider, which processes information on its behalf. A third party is neither a CCPA-defined business nor a person to which a business discloses a California resident’s personal information for a business purpose.
Note that there are a number of exclusions under the CCPA, each of which should be analyzed carefully to determine a specific company’s risks.
A California resident has the right to request from a business regarding the previous 12 months:
A California resident also has the right, at any time, to direct a business that sells their personal information to third parties not to sell their personal information (known as the right to opt out).
In addition, a business must neither sell the personal information of California residents of a certain age (subject to specific requirements), nor discriminate against a California resident who exercises any CCPA consumer rights. Since January 1, 2020, these rights have been in effect for California residents.
After satisfying certain procedural requirements, a California resident can bring a civil action, in an amount neither less than $100 nor greater than $750 per California resident per incident, or actual damages (whichever is greater), regarding their nonencrypted and nonredacted personal information that is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information in order to protect the personal information. It is important to note that with respect to a civil action under the CCPA, “personal information” is defined under—and the security procedures and practices language is from—a different law, the California security procedures law, and not the CCPA.
Moreover, any person, business, or service provider that violates the CCPA is subject to an injunction and is liable for a civil penalty of up to $2,500 for each violation or $7,500 for each intentional violation.
To implement these rights, companies need to:
Directors are increasingly interested in understanding the implications of privacy and data protection-related regulatory requirements on their companies. Potential related topics warranting consideration for discussion in the board room include:
Directors should stay tuned to developments regarding the CCPA and other state and federal privacy regulatory requirements as additional information becomes available.