August 9, 2020

Volume X, Number 222

August 07, 2020

Subscribe to Latest Legal News and Analysis

August 06, 2020

Subscribe to Latest Legal News and Analysis

The Impending California Consumer Protection Act: The Law’s Scope, Applicability, and Potential Impact

The California Consumer Protection Act (“CCPA”) becomes effective January 1, 2020. The CCPA will impose burdensome, GDPR-like transparency and individual rights requirements on almost every company that handles “personal information” regarding California residents, including employees. Given the magnitude of California’s economic footprint in the world, the CCPA’s potential impact is almost as large as the GDPR’s impact.

Specifically, the CCPA will impact any company that handles “personal information” about California residents, operates for profit, and meets one or more of the following triggers: (1) annual gross revenue above US$25 million; (2) annually handles personal information regarding at least 50,000 consumers, households or devices; or (3) derives 50% or more of its revenue from selling personal information. Most CCPA obligations will apply directly to “businesses” (i.e., the entity that determines the purposes and means of processing personal information). But service providers and other third parties that handle personal information will also be impacted.

The CCPA will impose several new or enhanced privacy requirements, including disclosing what personal information is collected, how it is used, and how it is shared. The CCPA will also grant consumers rights regarding their personal information, including a right to access, delete, and opt out of the sale of their information, as well as an accompanying prohibition on discrimination for exercising such rights. Companies will need to contract with service providers to prohibit unauthorized processing and will be required to train employees regarding the CCPA’s requirements. The law also allows consumers to seek statutory damages (no proof of injury required) in the event of a data breach, opening the door to additional data breach class actions in California.

The California Legislature is considering amendments, but we do not believe that they will significantly water down the key requirements of the CCPA or shrink its scope. And it may not stop with California. The US Congress has already started hearings on whether a comprehensive federal data privacy act makes sense. However, with a divided federal government and other pressing distractions, a preemptive federal law is unlikely to pass before the rapidly approaching January 1, 2020, effective date.

© Copyright 2020 Squire Patton Boggs (US) LLPNational Law Review, Volume IX, Number 80


About this Author

Elliot Golding Privacy and Cybersecurity Attorney Squire Patton Boggs

Elliot Golding (CIPP/US) is a member of our Data Privacy & Cybersecurity Practice and Healthcare Industry Group leadership team, where he provides business-oriented privacy and cybersecurity advice to a wide range of clients, with a particular focus on companies handling healthcare and other personal data. He has been selected as an honoree in Global Data Review’s inaugural 40 Under 40 list, representing the best of the data law bar around the world.

Elliot partners with clients to proactively manage risk by developing and implementing information governance programs,...

India Scarver, Squire Patton Boggs Law Firm, Columbus, Litigation Attorney

India Scarver focuses her practice on toxic tort litigation in federal and state courts. India also has experience representing clients in debt collection cases.