Following the enactment of the European Union’s GDPR, California has passed the California Consumer Privacy Act of 2018 (CCPA) that will go into effect January 1, 2020. The CCPA is intended to protect California residents’ personal information, which is defined as any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This includes identifiers such as name or email address, commercial information, personal property records or purchase history, biometric information, search history, professional information and educational information. However, the CCPA does not apply to information already regulated under HIPAA, the Graham-Leach Bliley Act, the FCRA, or the Drivers’ Privacy Protection Act.
The CCPA applies to companies that:
- Conduct business in California
- Collect the personal information of California residents
- Satisfy at least one of the following:
- Produce annual gross revenues in excess of $25,000,000
- Buy, receive, sell, share, or a combination thereof, the personal information of 50,000 or more consumers, households, or devices for commercial purposes
- Obtain 50% or more of their annual revenue from selling, releasing, or renting consumer personal information to a third party for monetary consideration
Under the CCPA, California residents will know what information companies are collecting about them, why the data is being collected, and with whom they are sharing the data. California residents will have the power to demand that their data is deleted and not stored, and that their data cannot be sold or shared with any third parties. Further, California residents can opt out a company’s terms of service without losing access to its offerings. The CCPA also restricts companies from selling the data of anyone under the age of 16 without explicit consent.
To hold companies accountable for consumer data, California residents will be able to sue companies subject to the CCPA for up to $750 for each data breach violation. In addition, the California attorney general can sue for $7,500 for each intentional violation of privacy.
The CCPA also requires the expansion of privacy disclosures that companies provide when collecting or using consumers’ personal information. The disclosures must include a description of the rights California residents have about their personal information, how they can exercise such rights, as well as information on how the companies will collect, use, and share their data. In addition, the company must provide a link to a “Do Not Sell My Personal Information” page that allow consumers to opt-out and is accessible on all relevant platforms.
For companies that are subject to CCPA, more requirements may be coming, as the law gives the California Attorney General the authority to implement new regulations. If you believe you are subject to the CCPA, consult an attorney familiar with data privacy to ensure compliance.
For full documentation of the CCPA, please visit the website of the California legislature.
Tahlia Clement is a clerk at FGHW. Ms. Clement is a 2019 candidate for a Juris Doctor at SMU Dedman School of Law, where she is the Editor-in-Chief for SMU’s Science and Technology Law Review. She holds a B.A. in journalism and mass communications from Arizona State University.