It was only one year ago that the California Consumer Privacy Act of 2018 (CCPA) went into effect. The CCPA is a landmark privacy law providing California residents various protections with regard to personal information. Even though the CCPA is in effect, it is still undergoing rulemaking, with the 4th Set of Modifications to the Proposed Modifications released December 10, 2020. The deadline to submit comments on this round of modifications was December 28, 2020. This blog revisits the CCPA and provides some information about CCPA compliance.
What is CCPA?
The CCPA is a privacy and data protection law passed by the California State Legislature and signed into law by Governor Jerry Brown on June 28, 2018. The law with its initial amendments went into effect on January 1, 2020. The CCPA applies to any business doing business in California that collects “personal data” and meets one of the following thresholds:
- Annual gross revenues in excess of $25 million;
- Buys, receives, or sells the personal data of 50,000 or more consumers or households; or
- Earns more than half of its annual revenue from selling consumers’ personal data.
Under the CCPA, personal data is generally understood as information that can identify, relate to, describe, be associated with, or be reasonably capable of being associated with a particular California consumer or household. Where CCPA applies, businesses must then implement and maintain reasonable security procedures and practices to protect that personal data. Such procedures and practices include:
- Parental or guardian consent for minors.
- A “Do Not Sell My Personal Information” link on the home page of the business’s website. The link should enable users to opt out of the sale of personal data.
- A method for submitting data requests.
- Refraining for one year from requesting that a user opt in to certain privacy practices after the user has opted out.
Interestingly, CCPA allows third parties to be authorized to exercise opt-out rights on behalf of users.
Generally, CCPA provides statutory damages. For data breaches, businesses might be liable for up to $750 per California resident or incident, in addition to actual damages, whichever is greater. Businesses may also face a fine of up to $7,500 for each intentional violation and $2,500 for each unintentional violation of CCPA requirements. To date, some estimates show there have been around fifty lawsuits invoking CCPA since it went into effect, with nearly all of them being class action lawsuits.
The California Privacy Rights Act
CCPA Compliance for Your Business