December 1, 2021

Volume XI, Number 335

Advertisement
Advertisement

November 30, 2021

Subscribe to Latest Legal News and Analysis

November 29, 2021

Subscribe to Latest Legal News and Analysis
Advertisement

How The California Consumer Privacy Act Could Affect Your Business

The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. The CCPA affects all businesses collecting or storing data about California residents (an estimated 500,000 businesses nationwide). It imposes significant compliance obligations upon the businesses within its scope and carries large penalties for those who fail to comply.

The California Attorney General released draft regulations for the law on October 10, 2019. The comment period for the regulations was open until December 6, 2019. In that time, hundreds of businesses weighed in on the regulations and expressed concerns about the law’s fast-approaching enforcement timeline and its many ambiguities and complexities. Final rules are not expected until spring of 2020, and the Attorney General’s office will be able to enforce the rules starting July 1, 2020.

Which Entities are Subject to the CCPA?

The CCPA applies to any for-profit entity that:

  1. does business in California;

  2. collects personal information about California residents (or has such information collected on its behalf);

  3. determines on its own or jointly with others the purpose and means of processing that information; and

  4. meets one or more of the following criteria:

    • has annual gross revenues in excess of $25 million;

    • annually buys, receives for a commercial purpose, sells or shares the personal information of 50,000 or more consumers, households or devices; or

    • derives 50 percent or more of its annual revenue from selling consumers’ personal information.

What is Considered to be “Personal Information”?

Personal information includes any information relating to or capable of being associated with a particular consumer or household. This includes email addresses, IP addresses, mailing addresses and even just consumer names. There are some limited exceptions to this definition.

What Actions are Considered to be the “Collection” of Personal Information?

Collection is defined as “buying, renting, gathering, obtaining, receiving or accessing” the personal information of a consumer by any means. This includes receiving information either actively or passively and observing the consumer’s behavior.

What Does the CCPA Require Businesses to Do?

The CCPA imposes extensive compliance obligations upon businesses within its scope. It requires workforce training, specific disclosures in privacy policies and mechanisms for handling consumer requests to access or delete their information, among other things.

© 2021 Varnum LLPNational Law Review, Volume X, Number 6
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Jeffrey M. Stefan II Auto and Emerging Technology Attorney Varnum Law Firm
Counsel

Jeffrey is a technology-focused corporate attorney with broad legal authority in autonomous and connected vehicles. He previously served as autonomous vehicle counsel for a major global automaker providing regulatory counsel and transactional support. Prior to that role, he supported the automaker's emerging technology portfolio, which included connected vehicle services and other advanced safety technologies.

Jeffrey helps his clients navigate the evolving legal and public policy landscape for new and emerging technologies. He additionally focuses on technology startups assisting...

313-481-7343
Advertisement
Advertisement
Advertisement