The California Consumer Privacy Act: What to Know—and What to Do
Wednesday, April 17, 2019

Part I:

What is the CCPA, and Why Should I Care?

The California Consumer Privacy Act (CCPA) is a wide-ranging privacy law that will come into effect in a bit over eight months. For-profit businesses with (even attenuated) ties to California, the fifth-largest economy in the world, should start to prepare for this sea change in United States privacy law.

Over the next few weeks, we will be providing a series of articles about the CCPA and what you should be doing to prepare. This week, we start with the most basic: What is the CCPA, and why should I care?

What is the CCPA?

The CCPA regulates how businesses collect, use and disclose just about any kind of information that can be related to an individual. Despite an effective date of January 1, 2020, the CCPA remains a work in progress: parts of the law remain ambiguous; key regulatory guidance is still missing; and the law itself is likely to be amended in the near future.

Recent experience with the EU's General Data Protection Regulation (GDPR) shows that it takes time, forethought and preparation to address this sort of broad privacy regulation. Waiting until there is certainty as to what the law requires will not provide enough time for compliance, so it is important to get started.

So Why Should I Care?

The CCPA regulates common business practices across a range of industries, imposes new consumer protections and compliance challenges, and creates new and significant potential liability. These include:

  1. A class-action-friendly private right of action, with minimum statutory damages ($100-$750 per affected California resident) for failure to maintain "reasonable" security standards in the event of a data breach (and, if proposed amendments pass, for any violation of the CCPA). Unless there are significant changes to the law, it could spawn the next wave of class action claims.1
  2. Attorney general enforcement authority, with maximum civil fines of $2,500 per "violation" and $7,500 for each "intentional" violation.
  3. The scope of "personal information" protected by the CCPA is extremely broad and reaches throughout a business's operations. "Personal information" includes "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular [California resident] or household."

    Further, despite the name, the CCPA doesn't just apply to personal information about actual consumers; it also covers personal information of a business's California employees.

  4. The CCPA applies to a wide range of "businesses," but the definition of "business" can restrict transfers of personal information between affiliates. At first glance, the CCPA seems designed to apply to the major technology companies that collect consumer data. However, as discussed in our next installment, its reach is much broader than that, and could sweep in many companies that would not otherwise expect to be significantly impacted by a California online consumer law.

    It is also important to note that because of the limited definition of "business," entities that are "affiliates" under most current legal definitions would only be considered part of the same "business" if they are direct parents or subsidiaries that share common branding. As a result, even transfers of personal information within a corporate family may constitute "sales" of personal information that are subject to consent/opt-out rights, if the transfer is for "valuable consideration."

  5. The CCPA creates new consumer rights for California residents. Businesses will have to comply with individuals' requests to exercise these rights within 45 days. These rights include:

    • A right to opt out of the "sale" of personal information (defined broadly as "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating . . . personal information by the business to another business or a third party for monetary or other valuable consideration"), which limits a wide range of ordinary business activity that was previously minimally regulated;
    • Rights of access, transparency and portability (which include a requirement to disclose "the specific pieces of personal information . . . collected" upon request);
    • Right of deletion; and right of non-discrimination.

      Businesses must respond to these requests within 45 days of receipt, and requests for deletion must be passed to a business's service providers.

  6. There are specific contractual terms that must be included in your agreements with vendors that process personal information. Failure to include these terms means: (1) you might be subject to liability for the vendor's violation of the CCPA, and (2) transferring personal information to a vendor for valuable consideration could be considered a "sale," imposing additional obligations on you.
  7. The CCPA is likely only the beginning. Other states are discussing, or have already proposed, broad privacy laws similar to the CCPA and GDPR.2 Federal lawmakers continue to hold hearings on federal privacy legislation. So, even if the CCPA doesn't apply to you today, one of these other laws probably will.

Coming Up Next: "Does the CCPA Affect Me?"

Now that you have an idea of what the CCPA is and why you should care about it, see our next installment for more information about whether the CCPA will affect your organization.

(Spoiler Alert: It probably will.)

1 Note that this breach liability currently only applies to personal information covered by California's data breach notification statutes (e.g. 1798.82)—but California recently proposed legislation to expand those definitions as well.

2 For example, Washington, New Jersey, and Texas, among others, have all proposed privacy legislation that draws upon the CCPA and GDPR.

