The California Consumer Privacy Act (“CCPA”), scheduled to go into effect in January 2020, is a sweeping, complicated piece of legislation set to change the privacy landscape in California and beyond. Passed by the California legislature in seven days in order to avoid a looming ballot initiative, the 10,000+ word CCPA is poised to grant California residents a host of new rights in connection with personal information held by businesses. This legislation, the first of its kind in the United States, is similar in purpose and scope to the European Union’s General Data Protection Regulation (“GDPR”), but differs in many key respects.
CCPA will apply to for-profit entities, and any entities they control or that control them, that “do business” in California. Doing business, however, is a facts-and-circumstances test not clearly defined under California law, but it will likely include businesses that (1) have annual sales of over $500,000 in California; (2) own real or personal property in California worth $50,000 or more; or (3) pay an employee who is a California resident $50,000 or more per year. The law contains other threshold requirements: to be covered under CCPA, a business must earn $25 million in revenue per year, earn 50% of its revenue from selling the personal information of California residents, or buy, receive, or sell the personal information of 50,000 or more California consumers, households, or devices per year. Carve-outs also exist for Covered Entities under HIPAA and for the processing of Nonpublic Personal Information by Financial Institutions under the Gramm-Leach-Bliley Act, but these carve-outs are limited and specific in scope.
The types of personal information covered by CCPA go beyond things like name, address, and financial account information. Rather, CCPA covers any information that can be linked, directly or indirectly, to a consumer or household. This includes things like IP addresses, online identifiers, products or services purchased by a household, geolocation data from a cell phone, or even inferences drawn about a consumer using these types of information.
Noncompliance with CCPA could result in steep penalties, with fines of up to $2,500 per non-intentional violation. If the noncompliance is intentional, the per-violation amount rises to $7,500. At either level, a multi-record incident of noncompliance can quickly escalate to many thousands of dollars or more, with no statutory cap. The CCPA also provides for a private right of action by any California resident if a company fails to maintain adequate security safeguards concerning the resident’s personal information. No breach is required for this cause of action. It could be based on a whistleblower report or a breaking news story, or be brought by an insider objecting to how his or her employment information is protected.
How We Can Help
This type of privacy legislation is new to many U.S. companies, and the scope of CCPA is vast and nuanced. The Harter Secrest & Emery team has extensive privacy and data security experience and is helping numerous clients in various industries get ready for CCPA, including by implementing a comprehensive privacy management program to address all obligations under the Act. Please contact a member of our Privacy and Data Security practice group.