Privacy Essentials: The California Consumer Privacy Act (CCPA)

Over the last several years, we've started to peek behind the curtain of Big Data - and most people are not pleased with what they see. Few are comfortable with the idea that their private information can be sold. And even if consumers are not aware of how their data is being used, they are at least aware their data is being collected.

Enacted in 2018, the California Consumer Privacy Act (CCPA) is one of the most robust and broad privacy laws in the United States. Although similar to the European Union's General Data Protection Regulation, the CCPA is a separate framework that imposes (in some cases) additional obligations. The law officially took effect on January 1, 2020, with full compliance expected by July 2020.

Consumer Rights Under the CCPA

The CCPA grants California consumers four rights:

  • The right to know what personal information is collected, used, shared, or sold
  • The right to access their data and to request that a company delete it
  • The right to opt out of having their data sold
  • Freedom from discrimination in terms of price or services if they exercise one of the other privacy rights

Are All Businesses Subject to the CCPA?

A business must comply with the CCPA if it meets one or more of the following criteria:

  • Gross annual revenues of more than $25 million
  • 50% or more of yearly revenue derives from selling consumers' personal information
  • It buys, sells, or receives the personal information of 50,000 or more consumers, households or devices

Draft regulations released in October 2019 outline additional obligations for entities that handle the personal information of more than 4 million consumers.

What Obligations Do Businesses Have Under the CCPA?

Businesses subject to the CCPA have obligations in six categories:

  • Notice
  • Procedures
  • Response
  • Verification
  • Disclosure
  • Record-keeping

Under the CCPA, companies have a responsibility to provide notice to customers before or at the time their data is collected. They must have procedures in place to respond to consumer requests regarding their personal information. When consumers exercise their CCPA rights, businesses have to verify the consumers' identity - even if the consumers do not have a password-protected account.

The draft regulations also require businesses to disclose any financial incentives related to the retention or sale of consumers' personal information, as well as how they calculate the value of the data. Finally, they must maintain records of consumer requests and the responses for two years to demonstrate compliance.

What Does All This Mean For Attorneys?

Although most law practices will not fall under the purview of the CCPA, this privacy law is worth brushing up on. It will certainly not be the last state law to take on data privacy, and federal legislation is likely on the horizon. The CCPA may generate significant litigation in the wake of data breaches, opening up a whole new world of cases for those inclined to take them on. From social media to e-commerce, consumers are already exercising their rights over their data - and there's no putting the lid back on that box.