Tuesday, July 10, 2018


American businesses were just getting used to compliance with the European Union’s General Data Protection Regulation (GDPR) when, on June 28, California Governor Jerry Brown signed into law the 2018 California Consumer Privacy Act (CCPA). 

The CCPA was passed quickly with little debate after a consumer privacy organization agreed to withdraw a much broader privacy initiative that would have appeared on the November ballot. The law does not go into effect until January 1, 2020 and will likely go through several revisions as efforts are made to amend and clarify this hastily drafted piece of legislation.

CCPA is GDPR-like in the notification and access rights it gives consumers and may become the de facto national standard for how businesses use personal information to market their products and services. New systems, processes, and policies may need to be implemented.

Get ready for even more requests from individuals seeking access to or deletion of their data. 

The same data mapping exercises performed for GDPR regarding the personal data of EU residents will now have to be performed for the personal information of California residents.

Here is a glimpse into some of the key provisions of the current version of the CCPA: 

Must My Business Comply?

The CCPA applies to any business that collects personal information from California residents and: 

  • Has annual gross revenues in excess of $25 million;
  • Buys, receives, sells, or shares the personal information of at least 50,000 California residents, households, or devices annually; or 
  • Derives a minimum of 50% of its annual revenue from selling California residents’ personal information. 

Disclosures and Right to Opt-Out

Consumers must be able to opt out of the sale of their personal information, and businesses are required to notify consumers of this right. The accompanying disclosures must list the categories of personal information the business collected about consumers in the preceding 12 months and state whether the business sells or discloses personal information and, if so, which categories. 

These disclosures must appear in the online privacy policy. Businesses must also provide a clear and conspicuous link on their website that says “Do Not Sell My Personal Information.” The link must allow consumers to actually opt-out of the sale of their personal information.

No Discrimination 

A business cannot discriminate against a consumer because the consumer asserts any rights under the CCPA, including exercising their right to opt-out of the sale of their personal information. 

Right to Deletion

With certain exceptions, California residents will have the right to have any personal information collected by a business deleted upon request. 

Enforcement by Attorney General and Limited Private Right of Action 

The CCPA is enforceable by the California Attorney General, who may seek a civil penalty of up to $7,500 per violation. Consumers have a private right of action under the CCPA only where their nonencrypted or nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business's failure to implement and maintain reasonable security procedures and practices; statutory damages of $100 to $750 per consumer per incident (or actual damages, if greater) are available. In practice this means that encrypting or redacting stored personal information takes a breach outside the private right of action. The withdrawn privacy initiative would have provided broader private rights of action for consumers.


California has always been a trendsetter in the United States relative to data privacy laws. It was the first state to enact a data breach notification statute, in 2002. The ubiquitous privacy policies that appear on most websites are the result of a California law that took effect in 2004. CCPA will likely see significant modifications and amendments as we get closer to January 1, 2020. There is, however, no doubt that CCPA and the recently implemented GDPR are indicative of a major shift in consumer expectations that goes beyond mere compliance with the law. 

Some Practical Steps  

If CCPA will apply to your business, here are a few steps you should take:

  • Perform data mapping as necessary to inventory the personal information collected on California residents, households, and devices. 
  • Implement internal policies and procedures for handling data access requests.
  • Update privacy policies with new disclosures regarding data access and deletion.   
  • Prepare incident response plans and teams as necessary to handle data breach notification requirements, and review whether the personal information you store is encrypted or redacted, since the CCPA's private right of action is limited to breaches of nonencrypted, nonredacted data.

All businesses should take a close look at how they collect, use, and share personal data. Data minimization and transparency are key principles to follow. You cannot lose what you do not have, and your customers deserve to know what you are doing with their personal data.
