May 9, 2021

Volume XI, Number 129


May 07, 2021

Subscribe to Latest Legal News and Analysis

How The California Consumer Privacy Act Could Affect Your Business

The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. The CCPA affects all businesses collecting or storing data about California residents (an estimated 500,000 businesses nationwide). It imposes significant compliance obligations upon the businesses within its scope and carries large penalties for those who fail to comply.

The California Attorney General released draft regulations for the law on October 10, 2019. The comment period for the regulations was open until December 6, 2019. In that time, hundreds of businesses weighed in on the regulations and expressed concerns about the law’s fast-approaching enforcement timeline and its many ambiguities and complexities. Final rules are not expected until spring of 2020, and the Attorney General’s office will be able to enforce the rules starting July 1, 2020.

Which Entities are Subject to the CCPA?

The CCPA applies to any for-profit entity that:

  1. does business in California;

  2. collects personal information about California residents (or has such information collected on its behalf);

  3. determines on its own or jointly with others the purpose and means of processing that information; and

  4. meets one or more of the following criteria:

    • has annual gross revenues in excess of $25 million;

    • annually buys, receives for a commercial purpose, sells or shares the personal information of 50,000 or more consumers, households or devices; or

    • derives 50 percent or more of its annual revenue from selling consumers’ personal information.

What is Considered to be “Personal Information”?

Personal information includes any information relating to or capable of being associated with a particular consumer or household. This includes email addresses, IP addresses, mailing addresses and even just consumer names. There are some limited exceptions to this definition.

What Actions are Considered to be the “Collection” of Personal Information?

Collection is defined as “buying, renting, gathering, obtaining, receiving or accessing” the personal information of a consumer by any means. This includes receiving information either actively or passively and observing the consumer’s behavior.

What Does the CCPA Require Businesses to Do?

The CCPA imposes extensive compliance obligations upon businesses within its scope. It requires workforce training, specific disclosures in privacy policies and mechanisms for handling consumer requests to access or delete their information, among other things.

© 2021 Varnum LLPNational Law Review, Volume X, Number 6



About this Author

Charumati Ganesh Data Privacy Attorney Varnum

Charu holds a CIPP/US certification and focuses her legal practice on Data Privacy and Cybersecurity. Charu represents clients in a number of industries, including autonomous and connected vehicles and the consumer data marketplace. Charu is able to skillfully navigate the intricacies of the rapidly-evolving data privacy and cybersecurity regulatory landscape and help her clients develop policies and procedures that comply with both international and domestic privacy laws.

Charu has represented clients in the insurance, manufacturing and agricultural industries through regulatory...

Jeffrey M. Stefan II Auto and Emerging Technology Attorney Varnum Law Firm

Jeffrey is a technology-focused corporate attorney with broad legal authority in autonomous and connected vehicles. He previously served as autonomous vehicle counsel for a major global automaker providing regulatory counsel and transactional support. Prior to that role, he supported the automaker's emerging technology portfolio, which included connected vehicle services and other advanced safety technologies.

Jeffrey helps his clients navigate the evolving legal and public policy landscape for new and emerging technologies. He additionally focuses on technology startups assisting...