United States:
What You Need To Know: California's New Privacy Act
09 July 2018
Womble Bond Dickinson
On June 28, 2018, California enacted the California Consumer
Privacy Act of 2018 ("CCPA"). CCPA, unlike any other law,
requires companies to honor specific privacy rights of California
consumers granted under CCPA.
While this is a California law, it has a national effect.
Practically, companies subject to CCPA may treat all of their
customers the same to avoid implementing a state-by-state approach
or appearing to favor California residents. Other states may follow
California's lead and enact similar laws, as states have done
for other privacy laws currently in effect.
Below is a high-level overview of CCPA. We will update this
chart if CCPA is amended between now and its effective date.

When is CCPA effective?
January 1, 2020

Who is subject to CCPA?
A company doing business in California, collecting or telling others to collect personal information of California residents, determining the purposes and means for using that information, and meeting one of three thresholds:
- Annual gross revenues over $25MM
- Annually buys, receives, sells, or shares the personal information of 50,000 or more California residents, households or devices
- Derives 50% or more of its annual revenue from selling personal information of California residents

What information is protected?
Personal information of California residents, which is broadly defined. It includes any information, directly or indirectly, relating to an individual or household.

What rights are granted under CCPA?
California residents are granted the following rights:
- Right to know, at or prior to collection, the purpose of collection and the categories of personal information collected
- Right to request certain additional information, including specific pieces of personal information collected
- Right to request deletion of their personal information in certain instances and subject to several exceptions
- Right to know whether their personal information is sold or disclosed and to whom
- Right to say no to the sale of personal information
- Right to equal service and price, even if they exercise their privacy rights

What steps can my company take between now and CCPA's effective date?
- Determine whether CCPA applies to you
- Know and map your data: What specific pieces of personal information do you collect? Who do you collect it from? Why do you collect it? How do you share it? Where do you store it?
- Implement processes to respond to requests from California residents (or all of your customers if you take a "one size fits all" approach)
- Update your privacy policy and be prepared to do so at least once a year

What are the penalties?
- $7,500 per violation, enforceable by the Attorney General
- Limited private right of action for data breaches

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.