January 15, 2019

Client Alert: No Rest for the Privacy Weary in the New Year: Out with GDPR, in with CCPA

+ Follow Contact

Send

Embed

Neal, Gerber & Eisenberg LLP

The past year brought an onslaught of new data privacy risks and compliance obligations to many companies led in large part by the EU’s landmark General Data Protection Regulation (GDPR) that came into effect last May. The GDPR sparked a significant amount of media attention and caused most organizations to devote their privacy-related resources to determining whether the law applied to them and fast-tracking compliance programs where necessary. However, during the GDPR hoopla, the California legislature quickly and somewhat quietly passed a privacy law that will impose compliance burdens and risks on most US businesses that will likely prove to be far greater than those caused by the GDPR. This law, the California Consumer Privacy Act of 2018 (CCPA), has been dubbed “GDPR Light” because it imposes GDPR-like notice and transparency obligations onto companies that collect or sell personal data of California residents.

Specifically, the CCPA will apply to any entity doing business in California that meets at least one of the following criteria:

Annual gross revenue in excess of $25,000,000
Buy, sell, receive, or share personal information of 50,000 or more consumers, households, or devices for commercial purposes
Derive 50% or more of annual revenue from selling consumer personal information

As a practical matter, this means that a very high number of US companies will fall within the ambit of the CCPA. In addition, the exposure for non-compliance will be significant: the law provides for both public enforcement by the California Attorney General as well as a private right of action in some circumstances with statutory fines up to $7,500 per individual whose data was processed in violation.

The CCPA goes into effect January 1, 2020 with enforcement likely beginning in the second half of 2020. However, early compliance efforts will be complicated by the fact that the law is likely to be amended at least once this year by the legislature, and the California Attorney General is empowered to issue a set of implementing regulations (also expected later this year) that will no doubt have an impact on certain nuances of compliance. Nonetheless, companies should start mapping out their compliance initiatives now to ensure appropriate programs are in place before the end of the year. This is especially imperative for organizations that are not already GDPR compliant because they will be starting from ground zero and will likely need at least 12 months to become fully compliant with CCPA.

The NGE data privacy team stands ready to assist with any and all aspects of CCPA compliance.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

Written by:

Neal, Gerber & Eisenberg LLP

Contact + Follow

less

Published In:

California Consumer Privacy Act (CCPA)

+ Follow

Consumer Privacy Rights

+ Follow

Cybersecurity

+ Follow

Data Protection

+ Follow

General Data Protection Regulation (GDPR)

+ Follow

International Data Transfers

+ Follow

Personal Data

+ Follow

Personally Identifiable Information

+ Follow

Regulatory Requirements

+ Follow

Risk Management

+ Follow

Communications & Media

+ Follow

International Trade

+ Follow

Privacy

+ Follow

Science, Computers & Technology

+ Follow

less

Neal, Gerber & Eisenberg LLP on:

Client Alert: No Rest for the Privacy Weary in the New Year: Out with GDPR, in with CCPA

Related Posts

Latest Posts

Written by:

Published In:

Neal, Gerber & Eisenberg LLP on:

"My best business intelligence, in one easy email…"