Client Alert: The California Consumer Privacy Act

Are you subject to it? If so, are you ready?

Action Items

Determine if your company’s operations in California subject you to the CCPA.
If they do, begin taking steps to comply in calendar year 2019.

What Is The CCPA And When Is It Effective?

The California Consumer Privacy Act (the “CCPA”) enacted by the California legislature earlier this year represents the most comprehensive privacy legislation enacted in the United States to date.
The CCPA regulates the collection, disclosure, and sale of "personal information," which is defined broadly to include any data that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked with, a California resident or household.
The CCPA will go into effect January 1, 2020. However, there will be a one-year lookback period for enforcement, so subject companies should begin compliance measures as of January 1, 2019.

Am I Subject To The CCPA?

The CCPA applies to any entity that does business in California, that processes personal information, and that (either directly or through a parent or subsidiary) meets one or more of the following thresholds:

Generates $25 million or more in annual revenue (not limited to activities in California);
Generates 50% or more of its annual revenue from selling consumers’ personal information; or
Receives, buys, shares or sells the personal information of 50,000 or more California consumers, households or devices annually.

What Does The CCPA Require?

Generally, the CCPA:

Requires companies to document their data collection and use practices;
Expands the rights of California residents to be informed about and control how personal information is used; and
Requires vendor agreements to include restrictions on service providers’ use of personal information.

Is There An Exemption For Financial Institutions?

Not exactly. The CCPA states that the law does not apply to data that is collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act (the “GLBA”).
However, because this exception refers only to data that is subject to the GLBA, not to organizations that are subject to the GLBA, the CCPA will apply to financial institutions to the extent that they collect and use data that is not otherwise addressed by the GLBA.
Therefore, these organizations will need to develop a compliance plan that distinguishes between personal data that is covered by the GLBA and personal data that is not. Examples of personal data covered by the CCPA that may not be addressed by the GLBA are employee records and online tracking behavior.
The interaction of these two laws is an evolving issue, and we expect to provide updates as further guidance is developed.

Is The CCPA The Same As Europe's General Data Protection Regulation?

No. While the CCPA has been compared to the General Data Protection Regulation enacted earlier this year in the European Union because they both broadly focus on individual privacy rights, the laws are quite different in scope and application.
Therefore, your organization will need to evaluate your response to each law independently.

What Are The Penalties For Violating The CCPA?

Statutory penalties for violations assessed by the California attorney general will range from up to $2,500 for negligent violations to up to $7,500 for intentional violations.
Individuals will also have a private right of action under the CCPA, with penalties ranging from $100 to $750 per person per incident, or actual damages if greater. However, the private right of action is limited to certain data security breaches.
Businesses will have an opportunity to cure violations before penalties will be assessed.

How Can I Prepare For The CCPA?

First, it is important to be aware that the CCPA is subject to refinement. It has already been amended once, and further amendments are possible. In addition, the California attorney general will be issuing implementing regulations, which may clarify exemptions and/or set out additional procedures for compliance.
However, the core of the CCPA mandates are not likely to change, and if you do business in California, you should begin making efforts to comply.
The first recommended step is an internal audit – data mapping – to understand how your business collects, processes, stores, uses, and shares data of California residents.
Once you understand your data, your business will need to (a) review your internal processes to ensure that data is appropriately used and protected, (b) review and update your public-facing policies and notices to ensure that the consumer rights afforded by the CCPA are honored, and (c) review and update third-party contracts to ensure that they are CCPA-compliant.

We Can Help You

Please contact us if you will be affected by the CCPA, and would like assistance in evaluating the steps your organization should be taking with respect to compliance.

This Client Alert is for general information purposes, and is not intended to be and should not be taken as legal advice.