California Enacts Expansive Data Privacy Law

Goodwin
Scope

The CCPA applies to any company doing business in California (whether or not located in California) that either (a) brings in more than $25,000,000 in revenue; (b) collects personal information from 50,000 or more Californians; or (c) gets at least half of its revenue from selling personal information. The law exempts the sale of personal information to consumer reporting agencies for use in consumer reports, and personal data subject to HIPAA, Gramm-Leach-Bliley, or the Driver’s Privacy Protection Act.

Personal Information

The CCPA expands California’s definition of personal information to include any data that relates to or can be associated with a particular consumer, including contact information; online identifiers; government ID numbers; purchase history and other commercial data; biometric information; browsing/search history; sensory, geolocation, professional, employment, or education data; and any data used “to create a profile reflecting preferences, characteristics, … behavior, attitudes, intelligence, abilities, and aptitudes.” 

Data Privacy Rights

The CCPA grants the following GDPR-like data privacy rights, several of which could alter current business models in advertising and other sectors and arguably impede innovation.

  • The right to access and know what personal information is collected. Prior to collection, companies must make a number of mandatory disclosures, including the categories and uses of personal information in transactional and other contexts – all of which could stymie efforts to simplify already complex privacy policies. 
  • The right to know whether personal information is sold or disclosed and to whom. Companies must inform requesting consumers about the categories of personal data sold to third parties or disclosed in connection with a transaction. Third-party recipients of personal information are prohibited from selling the data without notice and an opt-out. 
  • The right to object to the sale of personal information. Upon request, companies must stop selling personal information. The sale of children’s personal information requires opt-in consent from the child (if the child is 13-16 years old) or the child’s parent or guardian (if the child is younger than 13).
  • The right to have personal data deleted. Subject to certain exceptions, a company that receives a deletion request must erase the consumer’s personal data from its systems and direct its service providers to do the same. 
  • The right to be free from undue discrimination for exercising privacy rights. The CCPA prohibits companies from discriminating against consumers who exercise their CCPA rights.

Private Right of Action

The CCPA creates a private right of action with the potential to recover damages of $100-750 for each affected consumer, exposing companies to an enhanced risk of class actions and costly litigation. For example, a breach that affects 1 million Californians could result in up to $750 million in statutory damages alone. Coupled with the GDPR’s new private right of action for breaches, the CCPA enhances the risk of costly multi-jurisdictional legal and regulatory actions. 

Violations, Penalties, and Enforcement

Companies will violate the CCPA if they fail to cure within 30 days of receiving notice from the AG. Such violations will be subject to civil penalties of up to $2,500 per violation. Intentional violations can result in civil penalties of up to $7,500 per violation. The AG could seek to multiply penalties by the number of affected consumers and/or the number of days the violation occurred. If that happens, the penalty amounts could escalate quickly.

Now What?

The CCPA requires the AG to “solicit broad public participation to adopt regulations to further the purposes of the [CCPA],” including “establishing any exceptions necessary to comply with state or federal law” such as “those relating to trade secrets and intellectual property rights.” This provides companies with an opportunity to shape the law that will ultimately be enforced.

In addition, companies can consider taking the following actions:

  • Mapping current data practices and flows;
  • Analyzing gaps in current privacy and security programs and making necessary changes;
  • Assessing whether it is feasible or practical to implement a unified GDPR/CCPA privacy program;
  • Reviewing vendor agreements to determine if they need to be renegotiated;
  • Determining whether databases and systems need to be modified to facilitate addressing consumer privacy rights requests; and
  • Reviewing incident response plans for compliance with new obligations and potential impediments to identifying which jurisdictional (e.g., state, EU or CCPA) requirements apply.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Goodwin | Attorney Advertising
