July 1st marked the beginning of the enforcement of the California Consumer Privacy Act (the “CCPA”).  Despite the fact that a final version of the regulation has yet to be codified, California Attorney General Xavier Becerra announced on June 30, 2020 that his Office would begin to enforce the CCPA the next day.

On June 1, Becerra submitted a draft resolution to California’s Office of Administrative Law for final approval.  The draft resolution provided guidance as to how the Attorney General’s Office would interpret the CCPA and how an organization can comply with its requirements.  It is believed that, once the final regulations are approved, enforcement of the CCPA will be retroactive to January 1, 2020.

The CCPA was signed into law on June 28, 2018 and became effective on January 1, 2020.  At that time, Becerra made clear that his Office would not take action against a non-compliant organization for six months after the CCPA became effective.  Once the CCPA and its regulations are codified, it is expected that its requirements and enforcement will be retroactive to January 1, 2020. 

The CCPA provides California residents with expanded data protection rights, and it applies to businesses—whether located within or outside of California—that have access to the personal data of a California resident.  “Personal data” consists of email addresses, online handles, IP addresses, biometric data, geolocation data, and search histories.  A business must comply with the CCPA if (1) its gross annual revenue is greater than $25 million; (2) it buys, receives, or sells personal information of at least 50,000 consumers, households, or devices; or (3) at least 50% of its revenue comes from selling the personal information of consumers.  An intentional violation of the CCPA could result in penalties up to $7,500 for each violation, and unintentional violations may result in a penalty of up to $2,500.

The CCPA provides California residents with five important rights with respect to their personal data:

1. Consumers can request that a business provide them with information regarding any personal data that the business has collected, shared or sold, as well as the purpose for such action.

• Subject to certain exceptions, consumers can request that a business delete any personal information that it collected from them.

• Consumers can notify a business that it does not have permission to sell their personal information to third parties.

• To sell the personal information of consumers under the age of 16, their permission is required.  Further, a business must obtain parental consent before selling the personal information of any consumer under the age of 13.

• Businesses cannot discriminate against consumers that utilize their rights under the CCPA.

In light of the expanded rights provided to consumers by the CCPA, and the substantial fines that could be incurred if those rights are violated, it is imperative that businesses implement measures to ensure that they are compliant with the CCPA.  These measures should include, for example, a review of all vendor contracts, effective training of all employees, and a review of compliance procedures regarding personal data.