January 21, 2020,

The California Consumer Privacy Act of 2018 (CCPA)

The California Consumer Privacy Act of 2018 (CCPA) will be effective starting January 1, 2020. The CCPA is considered to be the first comprehensive consumer privacy bill in the U.S., very similar to what the General Data Protection Regulation or GDPR was for citizens of the European Union. Who Must Comply? The CCPA applies to organizations that collect, store, use, share, sell or disclose the personal information of California residents. The CCPA requires, among other things, the organizations collecting information from California residents to: 1. specifically identify what type of information is being collected from residents; and 2. How that information is used and shared. Most importantly the CCPA provides California residents with the right to request that the organization collecting data delete the data and/or choose how long the organization can store the data. The CCPA allows California residents to opt out of the sale of their information, even if the resident providing the information willingly as a result of using your website. The CCPA also allows residents the right to make a “verifiable consumer request” to request any information about the data that has been collected about them over a particular period of time. Who does the CCPA cover? The CCPA applies to California residents. However, the CCPA defines a California resident as any individual who is: 1) in the state of California for other than a temporary or transitory purpose; or 2) domiciled in the state of California and outside of the state for a temporary or transitory purpose. As a result, the CCPA can apply to California residents located outside the state. What data does the CCPA cover? The CCPA applies to consumers’ personal information. The CCPA defines personal information as “information that identifies, relates to, describes, is reasonable capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Because the CCPA defines household data as personal information, that data may be protected even if it does not relate to a single individual. The CCPA also includes an enumerated list of examples of personal information, including identifiers, commercial information (such as purchase histories and consuming tendencies), internet or other electronic network activity (such as browsing history, search history, and interactions with apps, websites, or advertisements), geolocation data, and inferences drawn from other personal information to create a profile about the consumer. The California legislature amended this definition to clarify that the enumerated categories only qualify as personal information if they are linked or linkable to a consumer or household. Enforcement: The CCPA preempts local laws regulating the collection and sale of consumer personal information by businesses. The CCPA caps fines at $2,500 per violation and $7,500 per intentional violation. In addition, the California Attorney General has the authority to seek injunctive relief against businesses alleged to be violating the CCPA. If you have questions about whether your business is subject to compliance with the CCPA, seek legal advice before the CCPA becomes effective on January 1, 2020.