23 Dec The New California Privacy Laws for 2020: The Basics
The European Union was first to take the initiative to protect consumers’ privacy rights following the Facebook privacy scandal, by enacting the General Data Protection Regulation (“GDPR”). California followed suit and recently announced The California Consumer Privacy Act (“CCPA”), a comprehensive new set of rules to protect consumer data which takes effect on January 1, 2020. It is only a matter of time before similar requirements are adopted by the rest of the world. All businesses should make sure they are either compliant or exempt, as the penalties for non-compliance can be substantial.
The CCPA law, as the GDPR did last year, greatly expands consumers’ rights and abilities to control the data which they submit to companies, and creates numerous obligations for such companies with respect to managing the consumer data they collect. While Congress still contemplates enacting a national data privacy statute, California is taking the lead and setting its own sweeping new privacy laws.
Do I Need To Comply?
The CCPA applies to companies doing business in California (meaning you engage in commerce with, or store the personal information of, California residents) that either:
- have gross annual revenues in excess of $25 million;
- possess the personal information of 50,000 or more consumers, households, or devices; or
- earn at least half of their annual revenue from selling consumer information.
The CCPA also applies to any entity that controls or is controlled by a business that meets any of the above thresholds and shares common branding with that business. If you meet the criteria, you must either comply or exclude California residents from your business, which is not a practical option.
How Do I Comply?
California residents will have the right to know the information large companies collect about them, the right to tell those businesses not to share or sell their information, and the right to sue if businesses don’t keep their information safe. The CCPA requires businesses to allow users to find out what personal data is being collected about them by calling a toll-free phone number or clicking a link on a website. Businesses must set up the means by which California residents can do this. Users must be able to find out whether their information is being sold or disclosed and to whom. Companies must make this information easy to obtain: they must set up a simple way for users to access their data or to “opt out” of having their personal data sold.
Affected businesses must disclose:
- what categories of data will be collected (prior to collection);
- the categories and specific pieces of information they collect about the consumer (at no cost to the consumer); and
- the business and commercial purposes for which the categories of personal information are collected and used, and which categories of third parties the data is shared with.
Upon user request, businesses must delete any personal information about a consumer that they have collected (subject to certain exceptions). Depending on how your website and databases are set up, this may not be an easy task to accomplish.
What Are The Penalties?
Violations of the CCPA can become very expensive very quickly. Businesses can be fined up to $2,500 for each violation and up to $7,500 for each intentional violation of the CCPA if a violation is not cured in 30 days. Data breach incidents concerning California resident information which is “non-encrypted” or “nonredacted” are subject to additional penalties. California residents have the right to enforce the CCPA via private action, through which a consumer may recover damages of up to $750 per incident, or actual damages, whichever is greater.
The information contained in this post is a general summary and not meant to be a full analysis of every CCPA requirement and exemption. If you think your business could be affected, contact us for a review of all your rights, requirements and exemptions.