Starting last month, the California Attorney General began enforcing the California Consumer Privacy Act (“CCPA”).
Although the CCPA went into effect January 1, 2020, it provided a six-month grace period to allow companies to comply. Under the CCPA, California residents, even if temporarily out of the state, are granted substantial data-privacy rights and extensive control over how companies can use their online personal data.
The CCPA applies to a for-profit business (or its parent company or subsidiary) that does business in California and satisfies one or more of the following: (1) generates more than $25 million in annual revenue; (2) buys, receives, or sells the personal information of 50,000 or more California residents, households, or devices; or (3) derives 50% or more of its revenue from selling consumers’ personal data.
The CCPA secures new privacy rights for California consumers, including:
- The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with limited exceptions);
- The right to opt out of the sale of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.
Businesses subject to the CCPA are now required to give consumers certain notices explaining their privacy practices. Notably, the business does not have to reside or have any employees in California to be held liable under the CCPA.
If found in violation, companies can face large punitive penalties. The Attorney General can issue fines of up to $7,500 per violation. The CCPA also allows consumers affected by a data breach to seek up to $750 per user in a class-action lawsuit.
Companies should determine whether they must comply with CCPA and whether their policies and procedures should be updated.
Special thanks to Nicole Zeman for her assistance with this article.