Four Things to Know About California’s New Privacy Law
On June 28, 2018, California enacted the California Consumer Privacy Act (CCPA). The CCPA governs companies that do business in California and collect consumer data, have gross revenues over $25 million and collect information on more than 50,000 consumers. It creates sweeping, unprecedented, EU-like rights for California residents: businesses must disclose what information they collect, for what purpose, and with which third parties it is shared.
As companies start to plan compliance activities, and as vendors ramp up to support these needs and efforts, here are four key things to keep in mind:
1. Prepare for Much Broader Consumer Rights to Their Data
CCPA requires any company doing business with a resident of California to comply with its terms, and California has a very expansive view of what constitutes “doing business” that includes many non-California companies. California consumers will have the right to know what personal data is being collected about them and whether and to whom their data is being sold or disclosed, and the right to prohibit the sale of, and require the deletion of, their data without suffering loss of access or being charged a higher price for services. If a business wants to provide an incentive for consumers to allow collection and sale of their personal data, the amount of the incentive or price variance must meet specific requirements.
Consumers may request their data for free on 45 days’ notice twice a year. Exemptions from the CCPA include data used for purposes of a transaction with a consumer and publicly available personal data.
The CCPA imposes other obligations on companies that sell consumer data, such as a requirement to include a conspicuous link titled “Do Not Sell My Personal Information” on their homepage and online privacy policy and to provide a toll-free number or website at which consumers may request information about their personal data and receive data after identity verification.
2. EU GDPR Compliance is Nice but Not Necessarily Good Enough
You might think that if you’ve already done the work to comply with the European Union (EU) General Data Protection Regulation (GDPR, effective May 25, 2018), you’re in compliance with the CCPA. Unfortunately, that is not necessarily true. The CCPA has terms that are stricter than the GDPR: its definition of Personally Identifiable Information (PII) is more extensive, its consumer access and deletion rights are broader, and it places more restrictions on sharing PII for commercial purposes.
Additionally, if your company engages in trans-border data transfers, note that because the EU GDPR has changed without a related change in U.S. laws, regulations or standard contract terms, Privacy Shield and the use of standard contractual clauses for allowing cross-border data transfers may not apply.
Finally, the CCPA explicitly empowers courts to deem unenforceable any provision of a contract that purports to waive or limit a consumer’s rights under its terms. The EU GDPR also has clauses that will impact or defeat certain limitation of liability clauses in commercial agreements.
3. Don’t Wait to Figure Out Compliance
Although the CCPA is not effective until January 1, 2020, a recent amendment allows the California Attorney General to issue regulations as late as July 1, 2020. Some record-keeping requirements kick in by January 1, 2019 and penalties for non-compliance can be severe.
Once a violation of the CCPA has been noted, the company in violation must be given 30 days to correct the problem. If uncorrected, consumers can sue for up to $750 per data breach incident or violation of law, or actual damages, whichever is greater. Additionally, the California Attorney General can sue for intentional violations of privacy at up to $7,500 per violation, and $2,500 per unintentional violation if uncured 30 days after notice. The recent amendment removed the authority of the California Attorney General to intervene in a case brought by a private party.
4. Other States May Adopt the CCPA Model, or Congress May Step In and Legislate
Passage of the CCPA occurred at a time of national discussion about data privacy rights and responsibilities. News reports about, and compliance obligations under, the EU GDPR have fueled the discussion, and there have been calls for a national law on data privacy that would preempt state laws, including the CCPA, while providing fewer rights, or similar rights, to those of the CCPA. The nature and timing of such a national law, and the ability to enact federal legislation at all, are open to question. Until then, compliance with the CCPA is a necessary activity.
© Peggy A. Miller and MWH Law Group LLP 2018. All rights reserved.
Peggy A. Miller is admitted to practice in New York. This article is a publication of MWH Law Group LLP and is intended to provide general information regarding legal issues and developments to our clients and other friends. It should not be construed as legal advice or a legal opinion on any specific facts or situations. For further information on your own situation, we encourage you to contact the authors of the article or any other member of the firm.