Shortly after the European Union's much-anticipated privacy law (known as the General Data Protection Regulation, or 'GDPR') went into effect, California Governor Jerry Brown signed into law the California Consumer Privacy Act of 2018 (CCPA). The law takes effect on January 1, 2020, and is expected to create one of the most significant and strict regulations around data collection and privacy practices in the United States.
The CCPA shares many features with the GDPR and has broad application. It will affect your organization if any of the following are true, even if your organization is not located in California:
- You have over $25 million in annual revenues;
- You buy, hold, sell, or share personal information of 50,000 or more California consumers, households, or devices; or
- You derive at least 50% of your revenue from selling residents' personal information.

Under the CCPA, your organization's data collection practices will need to be carefully reviewed and your capability to respond to consumer data requests will need to be robust. Specifically, you will need to properly disclose what data you collect and sell and be able to properly delete it upon request (under certain conditions). It is likely that CCPA compliance will also need to be certified to your contractual partners if your company has contractual arrangements with larger companies, most typically in the form of supply agreements.
Penalties for non-compliance can be severe. For example, consumers may, under certain circumstances, have a private right of action against companies that violate the CCPA's data security requirements. The law also allows recovery of damages between $100 and $750 per consumer per incident, or actual damages, whichever is greater.
We Can Help
Whether through advising on an assessment process or refreshing your policies and procedures, our attorneys can help ensure your company takes the necessary steps to comply with the CCPA ahead of implementation on January 1, 2020.