By: Nishita Patel
In June 2018, the State of California enacted the California Consumer Privacy Act of 2018 (CCPA). The law grants consumers new rights over their personal information, and it imposes data protection duties on certain businesses. Impacted businesses should act now to ensure they comply with CCPA by the effective date of January 1, 2020.
What Does the CCPA Entail?
Under the CCPA, California residents and employees have the right to:
- Obtain disclosure of the categories of their personal information that has been collected
- Have their personal information deleted
- Know whether their personal information is sold or disclosed, and to whom
- Opt out of the sale of their personal information
- Receive equal service and price, even if they exercise their privacy rights
The CCPA defines personal information broadly to include different categories of information that can indirectly identify a person, including but not limited to aliases, unique personal identifiers, credit card details, social security numbers, email addresses, internet browsing and search history, geolocation data, and more.
Which Businesses Need to Comply with CCPA?
The CCPA applies to entities that do business in California and collect personal information from California consumers. In addition, they must have one of the following traits to be subject to CCPA regulations:
- Annual gross revenue of more than $25 million;
- Receipt of personal information for business purposes from 50,000 or more consumers, households, or devices annually; or
- 50% or more of annual revenue comes from selling consumers’ personal information
Entities that control or are controlled by a business that meets the above requirements must also comply with CCPA if they share common branding with the entity.
How Can Companies Comply with CCPA?
Companies should begin CCPA compliance planning now by:
- Examining how they handle consumers’ personal information; and
- Evaluating and developing processes to comply with CCPA requirements
Many businesses will need to develop new processes related to consumer data. In a post-CCPA world, business processes must address the following:
- Compliant privacy policies and notices
- Consumer choice requirements for selling personal data
- Consumers’ rights to access their personal information
- The right to deletion
- Data production in “portable” or reusable format
Businesses should consult with an experienced California attorney to develop CCPA-compliant processes.
What Happens if I Don’t Comply?
Under CCPA, individuals may recover damages for unauthorized access to their personal information, even if there is no harm. Damages can range from $100 to $750 per consumer per incident, or actual damages.
California’s Attorney General can also bring a civil action for CCPA violations. In this case, companies may be liable for civil penalties for each violation. The California Attorney General must give the offending entity notice of the alleged violation and at least 30 days to fix the problem. If the company does not fix the violation, the California Attorney General may seek civil penalties of up to:
- $2500 per violation, or
- $7500 per intentional violation
Businesses that operate in California and are subject to CCPA should take steps to ensure they comply with the CCPA requirements by January 1, 2020. Contact an experienced Chugh, LLP attorney today to develop a compliance plan for your company.