April 24, 2019

The Impending California Consumer Protection Act: The Law’s Scope, Applicability, and Potential Impact

The California Consumer Protection Act (“CCPA”) becomes effective January 1, 2020. The CCPA will impose burdensome, GDPR-like transparency and individual rights requirements on almost every company that handles “personal information” regarding California residents, including employees. Given the magnitude of California’s economic footprint in the world, the CCPA’s potential impact is almost as large as the GDPR’s impact.

Specifically, the CCPA will impact any company that handles “personal information” about California residents, operates for profit, and meets one or more of the following triggers: (1) annual gross revenue above US$25 million; (2) annually handles personal information regarding at least 50,000 consumers, households or devices; or (3) derives 50% or more of its revenue from selling personal information. Most CCPA obligations will apply directly to “businesses” (i.e., the entity that determines the purposes and means of processing personal information). But service providers and other third parties that handle personal information will also be impacted.

The CCPA will impose several new or enhanced privacy requirements, including disclosing what personal information is collected, how it is used, and how it is shared. The CCPA will also grant consumers rights regarding their personal information, including a right to access, delete, and opt out of the sale of their information, as well as an accompanying prohibition on discrimination for exercising such rights. Companies will need to contract with service providers to prohibit unauthorized processing and will be required to train employees regarding the CCPA’s requirements. The law also allows consumers to seek statutory damages (no proof of injury required) in the event of a data breach, opening the door to additional data breach class actions in California.

The California Legislature is considering amendments, but we do not believe that they will significantly water down the key requirements of the CCPA or shrink its scope. And it may not stop with California. The US Congress has already started hearings on whether a comprehensive federal data privacy act makes sense. However, with a divided federal government and other pressing distractions, a preemptive federal law is unlikely to pass before the rapidly approaching January 1, 2020, effective date.

© Copyright 2019 Squire Patton Boggs (US) LLP


About this Author

Elliot Golding Privacy and Cybersecurity Attorney Squire Patton Boggs
Partner

Elliot Golding is a member of Squire Patton Boggs' Data Privacy & Cybersecurity Practice and Healthcare Industry Group leadership team, where he provides business-oriented privacy and cybersecurity advice to a wide range of clients, with a particular focus on companies handling healthcare and other personal data. He was selected as an honoree in Global Data Review’s inaugural 40 Under 40 list, which recognizes those who “represent the best and the brightest of the data law bar around the world.”

Elliot partners with clients to proactively...

202-457-6407
India Scarver, Squire Patton Boggs Law Firm, Columbus, Litigation Attorney
Associate

India Scarver focuses her practice on toxic tort litigation in federal and state courts. India also has experience representing clients in debt collection cases.

614-365-2719