May 15, 2021

Volume XI, Number 135


May 14, 2021

Subscribe to Latest Legal News and Analysis

May 13, 2021

Subscribe to Latest Legal News and Analysis

CCPA Enforcement Could Begin on July 1, 2020 - Is Your Privacy Notice Ready?

Beginning next month (as early as July 1, 2020), the California Attorney General's office can begin enforcing the California Consumer Protection Act (CCPA), which was enacted January 1, 2020.

Among other obligations, CCPA requires covered businesses to make specific disclosures in their public-facing privacy notices. Under CCPA, a privacy policy must:

  • Identify the categories of personal information collected, used and shared by the business in the last 12 months, along with category descriptions that provide a meaningful understanding of the information being collected;
  • Describe the purpose for the collection, use and sharing of personal information and the sources from which the personal information is collected;
  • Disclose categories of personal information sold (under CCPA’s definition of sale) in the past 12 months and the categories of third parties to whom personal information is sold;
  • Explain that, subject to certain exceptions, CCPA provides consumers with the right to know what personal information a business has about them, the right to delete that personal information and the right to tell a business that it can no longer sell that information;
  • Provide information about how consumers can contact the business to exercise their privacy rights per CCPA’s requirements;
  • Describe any financial incentives offered to consumers in exchange for their personal information, including the business’s valuation of the data; and
  • State whether the business has actual knowledge that it sells the personal information of minors under 16 years of age.

The Attorney General may enforce CCPA violations after a 30-day notice and cure period seeking penalties of up to $2,500 per violation or up to $7,500 per intentional violation. While the statute and regulations are silent as to what constitutes a violation, it is possible that a business could be exposed to significant fines when factoring in each impacted customer and each non-compliant act.

© 2021 Varnum LLPNational Law Review, Volume X, Number 167



About this Author

Jeffrey M. Stefan II Auto and Emerging Technology Attorney Varnum Law Firm

Jeffrey is a technology-focused corporate attorney with broad legal authority in autonomous and connected vehicles. He previously served as autonomous vehicle counsel for a major global automaker providing regulatory counsel and transactional support. Prior to that role, he supported the automaker's emerging technology portfolio, which included connected vehicle services and other advanced safety technologies.

Jeffrey helps his clients navigate the evolving legal and public policy landscape for new and emerging technologies. He additionally focuses on technology startups assisting...

Charumati Ganesh Data Privacy Attorney Varnum

Charu holds a CIPP/US certification and focuses her legal practice on Data Privacy and Cybersecurity. Charu represents clients in a number of industries, including autonomous and connected vehicles and the consumer data marketplace. Charu is able to skillfully navigate the intricacies of the rapidly-evolving data privacy and cybersecurity regulatory landscape and help her clients develop policies and procedures that comply with both international and domestic privacy laws.

Charu has represented clients in the insurance, manufacturing and agricultural industries through regulatory...