May 25, 2020

May 22, 2020

Subscribe to Latest Legal News and Analysis

The California Consumer Privacy Act: What the Far-Reaching Privacy Law Means for Retailers

The California Consumer Privacy Act (CCPA) is the first truly comprehensive state privacy law, and will take effect January 1, 2020. Estimates suggest the CCPA will impact over 500,000 for-profit businesses that conduct business in California. While the CCPA will be enforced by the attorney general, it provides for a number of new rights, including a new private right of action for California residents impacted by data breaches. The CCPA has been compared to the EU’s General Data Protection Regulation (GDPR), which became effective May 25, 2018, because of its breadth and because of the robust rights it provides to California consumers.

The CCPA will apply to a business (1) with annual gross revenues over $25 million; or (2) that buys, receives, sells or shares (for commercial purposes) the personal information of 50,000 or more California residents annually; or (3) derives 50 percent or more of its annual revenues from selling consumers’ personal information. Most major retailers will likely meet one of these criteria.

The definitions of “personal information” and “consumer” are also very broad. Specifically, the definition of “personal information” includes any information that "identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household," and includes IP addresses. The definition of “consumer” includes any natural person who is a California resident, which includes business customers and employees. In addition, the CCPA defines the selling of personal information to include renting, releasing, disclosing, making available, or transferring a consumer’s personal information to a third party for monetary or other valuable consideration.

Retailers are increasingly collecting and using personal data to create a more personalized, seamless, and frictionless experience for consumers and to communicate with the consumer about promotions and incentives that may be of interest to them. Under the new law, businesses that collect such data will be required to provide specific notices to consumers about what data is collected and how it is used, and with whom it is shared, as well as to provide consumers with specific rights relating to their data.

The CCPA provides California residents with the right to know what personal information is being collected about them, to know whether their personal information is sold or disclosed and to whom, and to say “no” to the sale of their information. It also provides these residents with the right to access their personal information. The CCPA imposes a number of obligations on businesses to accomplish these aims:

  • Businesses will be required to provide notices about their data collection practices, including the categories of personal information collected, the categories of sources from which the data is collected, and the purpose for which the data will be used. 

  • Businesses will need to establish processes to provide Californians with the ability to access, correct, delete and provide explanations regarding how the business uses or shares personal information. 

  • Businesses that sell personal information to third parties must provide links on their website homepages titled “Do Not Sell My Personal Information” and include specific provisions in online privacy policies. 

  • Upon receipt of a verifiable consumer request, businesses must, among other things, provide that person with access to his or her personal data and take steps to honor requests that personal information not be shared with third parties or that it be deleted. 

  • Businesses must implement data security measures and will face increased liability for failing to do so.

Because of similarities between the CCPA and GDPR, businesses that are GDPR compliant may be well on their way to compliance with the CCPA or may need to apply their GDPR frameworks to data about Californians. For others, it will be necessary to develop and implement compliance programs after conducting assessments of both internal and external data flows to understand what data is collected, the sources of the data, the purposes for collecting the data, and with whom it is shared.

© 2020 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.


About this Author

Katherine Armstrong, Drinker Biddle Law Firm, Washington DC, Data Privacy Attorney

Katherine E. Armstrong is counsel in the firm’s Government & Regulatory Affairs Practice Group where she focuses her practice on data privacy issues, including law enforcement investigations, and research and analysis of big data information practices including data broker issues.

Katherine has more than 30 years of consumer protection experience at the Federal Trade Commission (FTC), where she served in a variety of roles, including most recently as a Senior Attorney in the Division of Privacy and Identity Protection.  In the Division of...

Reed Abrahamson Faegre Drinker Biddle

As a member of the firm’s Privacy and Cybersecurity Team, Reed Abrahamson assists clients with identifying and addressing data privacy and security risks in business operations. A Certified Information Privacy Professional - United States (CIPP-US), he helps companies design and implement privacy and data security policies and programs, and advises clients on compliance issues related to the GDPR, CCPA, HIPAA, CAN-SPAM Act, TCPA, and other privacy laws. Reed also has experience working with companies to respond to data breach incidents.

Reed counsels clients on managing risk through appropriate policies and contractual arrangements, including drafting and modifying customer and consumer-facing privacy policies and statements. He has helped clients retain service providers and enter into arrangements with customers. Reed works with in-house teams to create frameworks for international transfers of regulated personal information, particularly from the European Union to the United States.

In addition, as a member of the firm’s Consortia Management Team, Reed works on the formation, management and representation of consortia in the life sciences industry that address matters of science, policy, law and business operations. He assists in the creation of appropriate collaboration mechanisms and provides legal support for the day-to-day activities of these organizations.

Reed served as a law clerk to the senior judges for the District of Columbia Court of Appeals.