May 19, 2022

Volume XII, Number 139



The California Consumer Privacy Act: What to Know—and What to Do

Part I:

What is the CCPA, and Why Should I Care?

The California Consumer Privacy Act (CCPA) is a wide-ranging privacy law that will come into effect in a bit over eight months. For-profit businesses with (even attenuated) ties to California, the fifth-largest economy in the world, should start to prepare for this sea change in United States privacy law.

Over the next few weeks, we will be providing a series of articles about the CCPA and what you should be doing to prepare. This week, we start with the most basic: What is the CCPA, and why should I care?

What is the CCPA?

The CCPA regulates how businesses collect, use and disclose just about any kind of information that can be related to an individual. Despite an effective date of January 1, 2020, the CCPA remains a work in progress: parts of the law remain ambiguous; key regulatory guidance is still missing; and the law itself is likely to be amended in the near future.

Recent experience with the EU's General Data Protection Regulation (GDPR) shows that it takes time, forethought and preparation to address this sort of broad privacy regulation. Waiting until there is certainty as to what the law requires will not provide enough time for compliance, so it is important to get started.

So Why Should I Care?

The CCPA regulates common business practices across a range of industries, imposes new consumer protections and compliance challenges, and creates new and significant potential liability. These include:

  1. A class-action-friendly private right of action, with minimum statutory damages ($100-$750 per affected California resident) for failure to maintain "reasonable" security standards in the event of a data breach (and, if proposed amendments pass, for any violation of the CCPA). Unless there are significant changes to the law, it could spawn the next wave of class action claims.1
  2. Attorney general enforcement authority, with maximum civil fines of $2,500 per "violation" and $7,500 for each "intentional" violation.
  3. The scope of "personal information" protected by the CCPA is extremely broad and reaches throughout a business's operations. "Personal information" includes "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular [California resident] or household."

    Further, despite the name, the CCPA doesn't just apply to personal information about actual consumers; it also covers personal information of a business's California employees.

  4. The CCPA applies to a wide range of "businesses," but the definition of "business" can restrict transfers of personal information between affiliates. At first glance, the CCPA seems designed to apply to the major technology companies that collect consumer data. However, as discussed in our next installment, its reach is much broader than that, and could sweep in many companies that would not otherwise expect to be significantly impacted by a California online consumer law.

    It is also important to note that because of the limited definition of "business," entities that are "affiliates" under most current legal definitions would only be considered part of the same "business" if they are direct parents or subsidiaries that share common branding. As a result, even transfers of personal information within a corporate family may constitute "sales" of personal information that are subject to consent/opt-out rights, if the transfer is for "valuable consideration."

  5. The CCPA creates new consumer rights for California residents. Businesses will have to comply with individuals' requests to exercise these rights within 45 days. These rights include:
    • A right to opt out of the "sale" of personal information (defined broadly as "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating . . . personal information by the business to another business or a third party for monetary or other valuable consideration"), which limits a wide range of ordinary business activity that was previously minimally regulated;
    • Rights of access, transparency and portability (which include a requirement to disclose "the specific pieces of personal information . . . collected" upon request);
    • Right of deletion; and right of non-discrimination.

      Businesses must respond to these requests within 45 days of receipt, and requests for deletion must be passed to a business's service providers.

  6. There are specific contractual terms that must be included in your agreements with vendors that process personal information. Failure to include these terms means: (1) you might be subject to liability for the vendor's violation of the CCPA, and (2) transferring personal information to a vendor for valuable consideration could be considered a "sale," imposing additional obligations on you.
  7. The CCPA is likely only the beginning. Other states are discussing, or have already proposed, broad privacy laws similar to the CCPA and GDPR.2 Federal lawmakers continue to hold hearings on federal privacy legislation. So, even if the CCPA doesn't apply to you today, one of these other laws probably will.

Coming Up Next: "Does the CCPA Affect Me"?

Now that you have an idea of what the CCPA is and why you should care about it, see our next installment for more information about whether the CCPA will affect your organization.

(Spoiler Alert: It probably will.)

1 Note that this breach liability currently only applies to personal information covered by California's data breach notification statutes (e.g. 1798.82)—but California recently proposed legislation to expand those definitions as well.

2 For example, Washington, New Jersey, and Texas, among others, have all proposed privacy legislation that draw upon the CCPA and GDPR.

©2022 Katten Muchin Rosenman LLP | National Law Review, Volume IX, Number 107

About this Author

Matthew R. Baker, Environmental White Collar Attorney, Katten Muchin Law Firm

Matthew Baker focuses his practice on environmental white collar, internal investigation, complex electronic discovery and information governance issues, and domestic and international data privacy compliance. Matthew represents clients in connection with a variety of environmental and regulatory criminal matters, as well as assists corporate clients with information governance, data privacy and litigation preparedness issues.

Matthew's pro bono work includes assisting nonprofit organizations with data privacy and information governance issues,...

Doron Goldstein, Katten Muchin Law Firm, Intellectual Property Attorney

Doron S. Goldstein's practice primarily deals with intellectual property, information technology and advertising, marketing and branded entertainment transactions and counseling, including privacy and information security, trademark, copyright, software and technology matters, and he is co-head of Katten's Advertising, Marketing and Promotions practice and of the firm's Privacy, Data and Cybersecurity group.

Doron regularly advises on various aspects of integrated marketing campaigns, including talent and production agreements, advertising agency...

Megan Hardiman, Katten Muchin Law Firm, Health Care Legal Specialist

Megan Hardiman draws on her broad regulatory background to advise clients on complex health information privacy issues, tax-exempt organization compliance issues, including maintaining tax-exempt status, IRS Form 990 reporting issues and best practices for executive compensation, state fee-splitting and corporate practice of medicine prohibitions and fraud and abuse compliance.

Megan devotes a significant portion of her practice to helping health care companies and business associates understand and meet the requirements of the Health Insurance Portability...