California Consumer Privacy Act

California Consumer Privacy Act

Recently, there have been attempts to pass a comprehensive federal privacy legislation law for all 50 states, but this seems unlikely in the near future. For the time being, US Privacy legislation will continue to be in the hands of each individual state.

In June of 2018, California enacted the California Consumer Privacy Act (CCPA) which will go into effect on January 1, 2020. The law firm Lewis Brisbois has shared three articles about the CCPA that cover details about the new law, general observations, and trends and planning.

The European Union’s General Data Protection Regulation (GDPR) has been in effect since May, of 2018. The new CCPA legislation has been seen as the US “answer” to the EU’s GDPR.

Similar to the GDPR, the CCPA legislation achieves the following:

  • Expands the privacy rights of California residents regarding collection, use, sale and disclosure of their personal information
  • Grants California residents the right to know how their personal information is being used by businesses and allows them to exert some control over businesses’ usage of their personal information. 
  • Requires covered businesses to be more transparent in how they collect, share and use consumer data.

The CCPA controls the collection or processing of California consumers’ personal information. The regulation applies to for-profit organizations that operate or do business in California and meet one of the below criteria:

  • Gross revenue over $25 million.
  • Process over 50,000 records of California consumers or devices’ personal information in a given year.
  • Receive 50% or more of their revenue from selling California consumers’ personal information.

Under the CCPA, personal information has a much broader definition than most other states. It is defined as information “that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular household.”

As outlined in the Lewis Brisbois Blog, CCPA creates a private right of action for any consumer whose unencrypted “personal information” is acquired without authorization as a result of a business’ failure to implement and maintain “reasonable security procedures” to protect personal information.

  • Civil actions to recover statutory damages between $100 and $750 per consumer per incident or actual damages, whichever is greater.
  • For intentional violations of the CCPA, the attorney general may assess a $7,500 penalty per violation.  

The CCPA is the “strictest privacy legislation in the United States, and it is representative of a general trend nationally and globally that has strengthened consumer protections as well as consumers’ rights over data.” Businesses need to understand that this law, along with others, will continue to grow and strengthen the rights of all consumers. Once the CCPA is implemented and enforced, the potential fines due to violations of this new law can mount up quickly. California is taking a stance by implementing this new legislation, and there are expectations that more states will follow this trend of enacting stricter privacy laws as well.

All businesses should be implementing privacy risk management processes in conjunction with the trend for stricter privacy legislation if they haven’t already started doing so. Talk to a trusted advisor today if you need assistance implementing a privacy risk management process.