The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. The CCPA affects all businesses collecting or storing data about California residents (an estimated 500,000 businesses nationwide). It imposes significant compliance obligations upon the businesses within its scope and carries large penalties for those who fail to comply.
The California Attorney General released draft regulations for the law on October 10, 2019. The comment period for the regulations was open until December 6, 2019. In that time, hundreds of businesses weighed in on the regulations and expressed concerns about the law’s fast-approaching enforcement timeline and its many ambiguities and complexities. Final rules are not expected until spring of 2020, and the Attorney General’s office will be able to enforce the rules starting July 1, 2020.
Which Entities are Subject to the CCPA?
The CCPA applies to any for-profit entity that:
- does business in California;
- collects personal information about California residents (or has such information collected on its behalf);
- determines on its own or jointly with others the purpose and means of processing that information; and
- meets one or more of the following criteria:
    - has annual gross revenues in excess of $25 million;
    - annually buys, receives for a commercial purpose, sells or shares the personal information of 50,000 or more consumers, households or devices; or
    - derives 50 percent or more of its annual revenue from selling consumers’ personal information.
What is Considered to be “Personal Information”?
Personal information includes any information relating to or capable of being associated with a particular consumer or household. This includes email addresses, IP addresses, mailing addresses and even just consumer names. There are some limited exceptions to this definition.
What Actions are Considered to be the “Collection” of Personal Information?
Collection is defined as “buying, renting, gathering, obtaining, receiving or accessing” the personal information of a consumer by any means. This includes receiving information either actively or passively and observing the consumer’s behavior.
What Does the CCPA Require Businesses to Do?
The CCPA imposes extensive compliance obligations upon businesses within its scope. It requires workforce training, specific disclosures in privacy policies and mechanisms for handling consumer requests to access or delete their information, among other things.
Varnum’s data privacy and cybersecurity attorneys have already begun assisting domestic and international clients in a number of industries with their CCPA compliance obligations.