The California Consumer Privacy Act (CCPA) Compliance Deadlines Are Approaching

Hahn Loeser & Parks LLP

Hahn Loeser & Parks LLPThe fine points of the groundbreaking California Consumer Privacy Act, California Civil Code §§ 11798.100-1798.199 (“CCPA”) are coming into view now that the California Attorney General has released the draft regulations required by the CCPA. Companies doing business with California residents should consider their compliance in 2020.

We have known for some time that, as of January 1, 2020, the CCPA establishes consumer rights and business obligations with respect to the collection and sale of consumers’ personal data. Generally, for qualifying businesses, the CCPA establishes:

  • The consumers’ right to know what data a business collects, how it is used, whether it is sold, and, if sold, information about the third-party purchaser.
  • The consumers’ right to forbid a business from selling their data or charging consumers more who opt-out of having their data sold.
  • The consumer’s right to be forgotten by having their data deleted.

These rights, along with the existing EU General Data Protection Regulation, explain some of the new “features” we see on major web platforms. For example, in May 2019, Google Search and Maps Production Managers announced Google was introducing auto-deletion controls for consumers’ location history and activity data.

We have also known for some time that the CCPA will impact many businesses not previously subjected to privacy regulations whether or not they are based in California. It applies to all entities “doing business” in California that either:

  • Have a gross annual revenue in excess of $25 million;
  • Annually buy, receive for commercial purposes, sell, or share for commercial purposes personal information of 50,000 or more California consumers, households, or devices; or
  • Derive 50% or more of their annual revenue from selling California consumers’ personal information.

In addition to those entities qualifying pursuant to any of the above requirements, the CCPA also applies to any entity that: (1) controls, or is controlled by, a business that meets the criteria; and (2) shares common branding with that business.

The CCPA carries with it substantial penalties enforceable by either the Attorney General or private citizens. Maximum statutory penalties reach $7,500 per incident.

The CCPA left many details for the California Attorney General to clarify with implementing regulations. The Attorney General recently released draft regulations that provide some, but not all, of the expected and necessary guidance.

The draft regulations generally describe how businesses should procedurally handle consumer data requests, including requests to opt out of the sale of information, processes to verify consumer identity, and obligations to retain records regarding requests. They also provide guidance on the language permitted for providing notices of rights to consumers and emphasize the need for that language to be “plain [and] straightforward.”

The Attorney General’s draft regulations do not address all that was expected. We will stay tuned for additional or revised regulations in December.

The draft regulations are now open for public comment. Changes and additions are expected before they are finalized in December. Every company that qualifies as one to which the CCPA applies should monitor the development of these regulations and prepare to implement compliance procedures as January 1, 2020 approaches.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hahn Loeser & Parks LLP | Attorney Advertising

Written by:

Hahn Loeser & Parks LLP

Hahn Loeser & Parks LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.