Despite the fact that the California Consumer Privacy Act ("CCPA") regulations have yet to be finalized, the California Attorney General is prepared to begin CCPA enforcement as of July 1, 2020. In 2018, the CCPA was enacted to create enhanced consumer privacy rights by imposing obligations on how businesses collect, use and share the personal information of California State residents. Over the past two years, the California State Attorney General has been tinkering with the CCPA regulations in an effort to assist businesses with navigating statutory compliance. Given that the CCPA enforcement deadline is upon us, businesses should now be familiar with the various provisions of the CCPA.

What are the key provisions of the CCPA?

Overview of CCPA Regulations

Businesses fall within the ambit of the CCPA if they: 1) do business in the State of California; 2) collect California State residents' personal information; and 3) satisfy at least one of the following thresholds:

  • Have annual gross revenue of over $25 million;
  • Buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices for commercial purposes each year; or 
  • Derive 50% or more of annual revenue from selling consumer personal information. 

Dating back to the passage of the CCPA on June 28, 2018, we have blogged about the CCPA compliance measures that businesses need to take in order to avoid private rights of action and/or investigation by the California State Attorney General. Some key CCPA provisions worth noting include:

  • Notice to Consumers: Businesses that collect California consumer personal information must provide notice prior to or at the point of collection. The purpose of this notice is to inform consumers about the categories of personal information that businesses will collect and the purposes for which the information will be used. Additionally, businesses must notify consumers of their right to opt-out from having their personal information sold to third parties. 
  • Privacy Policies: As stated in the CCPA regulations, "[t]he purpose of the privacy policy is to provide consumers with a comprehensive description of a business's online and offline practices regarding the collection, use, disclosure, and sale of personal information and of the rights of consumers regarding their personal information." In order to achieve this level of transparency, businesses must disclose: 1) the categories of personal information collected; 2) the sources from which personal information is collected; and 3) the commercial or business purpose for which the personal information was collected or sold.
  • CCPA Forms: The CCPA affords California consumers the right to: 1) opt-out of the sale of their personal information to third parties; 2) request to know what personal information has been collected about them and how businesses have sold or disclosed that information to third parties; and 3) request that businesses delete personal information that has been collected from/about them. The CCPA regulations provide detailed requirements on how to present, process, respond to and store these requests. 
  • Accessibility: All of the foregoing CCPA-related notices should be accessible to consumers with disabilities and conform to standards included in the Web Content Accessibility Guidelines ("WCAG"), version 2.1, as promulgated by the World Wide Web Consortium ("W3C"). 

CCPA Enforcement

Businesses that run afoul of the CCPA face both private rights of action and investigation by the California Attorney General's Office. California consumers can bring private rights of action against businesses for data breaches (and only data breaches) that have exposed their non-encrypted and non-redacted personal information to unauthorized third parties. For private rights of action, statutory damages will amount to the greater of actual damages, or between $100 and $750 per consumer, per incident. Additionally, following the July 1, 2020 CCPA enforcement deadline, the California Attorney General is expected to begin sending notifications of alleged violation to non-compliant businesses. Please note that businesses will be afforded thirty (30) days to cure any instances of non-compliance. Civil penalties levied by the California Attorney General's office will range from $2,500 for non-intentional violations, up to $7,500 for intentional violations. Notwithstanding the foregoing, considering the amount of time and resources that are being devoted to the COVID-19 pandemic response, it is unclear how the California Attorney General's Office will prioritize CCPA enforcement. We expect that the Attorney General will initially focus its attention on the largest companies that have misused the greatest amount of consumer data.

