Understanding the California Consumer Privacy Act

In June of 2018, Governor Jerry Brown signed the California Consumer Privacy Act (CCPA) into law. This bill comes on the heels of the European Union’s General Data Protection Regulation (GDPR), adding additional layers to the current process by which state resident are protected. Companies doing business both within and outside the state of California will be affected by the CCPA, the requirements of which go into effect on January 1, 2020.

First and foremost, the CCPA is designed to extend the protections and rights of natural persons “enjoying the benefit and protection of laws and government” of the state of California, even if those persons are “outside the State for a temporary or transitory purpose” but “domiciled” in the state. The bill also expands the scope of who is allowed protection from the collection and sale of personal information to include both the consumer and their household.

Although it mirrors the GDPR, the CCPA’s scope extends only to for-profit companies. There are some additional requirements as well:

  • The company must have an annual gross revenue of at least $25 million.
  • It must share or receive the personal data of more than 50,000 California residents each year.
  • It must earn at least 50 percent of its annual revenue from selling the personal information of residents who are domiciled in California. 

Although most small and medium-sized businesses fall outside the regulatory parameters of the CCPA, the International Association of Privacy Professionals estimates that some 500,000 U.S. companies, both within and outside the state of California, will be affected by the new regulations. Moreover, the industry generally recognizes the bill as a harbinger of changes to come, as more states follow the GDPR, and experts now encourage businesses to start thinking proactively about how to manage and store the personal information they have on file.

The CCPA allows the following rights to California residents: 

  • They will be allowed the right to request access to information of a personal nature that a business has stored in its data files.
  • They will also have a right to know which data these companies are collecting and whether that personal information is being sold or disclosed to third parties.
  • Minors under the age of 16 will receive a mandated right to opt-in before the sale of their personal information.
  • California residents will have the right to delete some personal data and to prevent its being sold to third parties.

Under the CCPA, businesses must make at least two methods available for their consumers to request the disclosure or release of their personal information. At the minimum, they are required to have a toll-free number consumers can call; other methods, such as a dedicated website, are also possibilities. Companies must release the information free of charge within 45 days, and the bill requires all individuals that handle customer inquires be knowledgeable about the new law and regulations. There is a $750 limit to damages that occur with each instance of a breach of personal information.

The CCPA has faced heavy criticism thus far from tech companies with large amounts of personal data on file, including  Facebook, Paypal, and Google. These companies have objected both to technical issues that could have unintended negative consequences and to the short window of time they have been allotted to accommodate the changes. Before the bill’s requirement go into effect, lawmakers are scrambling to add amendments to address these concerns.

SB 1121, the first of such amendments, ensures that the bill itself would go into effect immediately, while at the same time pushing back the date companies affected by the CCPA need to be compliant. The final date of publication for the implementation regulations of the CCPA is now July 1, 2020, and companies do not need to achieve full compliance until another six months after this date.

The CCPA allows California residents to circumvent public agencies altogether — including the attorney general’s office — and take legal action directly against companies that experience any form of security breach that results from a failure to enact sufficient security measures. In this sense, the CCPA stands in contrast to the way HIPAA violations are currently handled.

The bill exempts data already protected by standing legislation, including HIPAA, the Driver’s Privacy Protection Act, and the Gramm-Leach-Bliley Act. Moreover, CCPA protections will not extend either to entities now covered by HIPAA or to information collected by such entities and their business associates when that information has been gathered as part of a clinical trial.