New California Data Privacy Law Is Now A Reality
California has recently passed and amended a new data privacy law that took effect on January 1, 2020. The law is called the California Consumer Privacy Act (CCPA) and is codified as California Civil Code Section 1798.100. Compliance with the current law and regulations may require that affected businesses revise their online privacy policies, prepare additional public disclosures, and provide a means for consumers to exercise their rights under this new law by January 1, 2020. The California Attorney General is supposed to have additional rules and regulations finalized by July 1, 2020, so additional adjustments to compliance programs may be necessary at that time.
Who Must Comply?
The CCPA is written to regulate the collection and sharing of any data about California residents (“consumers”) and applies to any for-profit business that meets any of the following criteria:
has $25 million in gross revenues (including from outside California); or
obtains information about 50,000 or more California residents, households, or devices annually; or
generates 50% or more of its annual revenue from selling California residents’ personal information or disclosing it to third parties.
“Devices” are defined as “any physical object that is capable of connecting to the internet, directly or indirectly, or to another device.”
What Kind Of Data Is Regulated?
Data regulated under the CCPA includes not only “sensitive personal information” (which may be subject to additional regulations) but also a broader category of “personal information” which includes data that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
What Do Businesses Need To Do To Comply?
The CCPA gives consumers the right to be told what data is collected about them, to have data corrected or deleted, and to ask that businesses stop selling or disclosing data about them. Businesses need to be able to meet these requirements without discriminating or offering different services or pricing based on these requests, subject to some specific limitations.
The CCPA requires that businesses respond within 45 days to consumer requests about the data a business keeps about them.
In addition, the CCPA also makes more specific requirements of businesses, including:
There must be a toll-free number that a California resident can call to make any requests about data under the CCPA, in addition to at least one other means of making requests.
There must be a clear and conspicuous link titled “Do Not Sell My Personal Information” (in quotes in the CCPA), which will allow a California resident to opt out of the sale or transfer of their personal information.
A California resident must be offered equal service and pricing, even if they exercise their rights under the CCPA.
Businesses that are subject to the CCPA will need to carefully review their data collection and retention practices to ensure that each of these requirements can be met, and will need to add new disclosures to their websites and privacy policies.
How Is The CCPA Enforced?
Most of the CCPA is enforced by the California Attorney General, but there is also a private right of action for data breaches that disclose more sensitive data. An individual may sue after giving notice and thirty days to cure a violation, and if not cured, may bring a lawsuit for statutory damages of up to $750 or actual damages, whichever is greater. The claims must relate to a breach that discloses 1) an individual’s name and 2) an associated social security, driver’s license, or California identification card number; account, credit card, or debit card number, in combination with a code or password that would permit access to a financial account; or medical or health insurance information.
Contact Paul Godfread in Larkin Hoffman’s Intellectual Property Law Group if you have questions regarding these changes in the law or if you need assistance to comply with them.