California Consumer Privacy Act Now In Effect

Cybersecurity & Technology

2020 ushered in significant new privacy rights for residents of California.  The California Consumer Privacy Act (CCPA), which took effect January 1, 2020, provides important rights to California consumers concerning how businesses collect and sell their personal information.  Critically, even though the goal of the CCPA is to create rights for residents of California, its reach is much larger and will affect many companies located outside that state.  Here's a brief overview of what you should know:

  1. The CCPA applies to any company "that does business in the State of California" and meets certain other conditions. Unfortunately, California has not yet offered any guidance about what it means to do "business" in the state.  Factors making it more likely that California will consider your company as doing "business" within the state include the following:
    • Does your company market specifically to California residents?
    • Does your company maintain a physical presence in California?
    • Does your company engage in numerous transactions in California?
  2. If your company "does business in the State of California," the CCPA will apply to it only if your company:
    • Has annual gross revenues in excess of $25,000,000; or
    • Buys or uses the personal information of 50,000 or more California residents; or
    • Derives 50% or more of annual revenue from selling consumers' personal information.
  3. If the CCPA applies to your company, what does it require? There are four main requirements for how a business must treat a Californian's personal information:
    • Inform: A business that collects a consumer's personal information must tell consumers what type of information it is collecting and for what purpose;
    • Disclose: A consumer may request that a business tell it what personal information it has collected about the consumer, and details about how it is shared or sold;
    • Delete: When requested by a consumer, a business shall delete the consumer's personal information, with certain exceptions;
    • Don't Sell: A business that engages in the sale of consumer's personal information must inform consumers of that practice. If the consumer directs the business not to share their information, the business must not sell the consumer's personal information to a third party.
  4. The CCPA applies to "personal information" of a consumer. What is "personal information?"
    • It's defined very broadly, and generally means any information that can reasonably be linked to a particular consumer or household.
    • This includes (but is not limited to):
      • Common identifiers such as name, address, social security number, physical description, telephone, passport numbers, and driver's license numbers;
      • Biometric information;
      • Internet activity, such as browsing and search history;
      • Geolocation data;
      • Employment data.
    • "Personal information" does not include information that is publicly and lawfully available from federal, state, or local government records.
  5. What if your company fails to comply with CCPA?
    • The California Attorney General may assess a civil penalty of $7,500 for every violation not cured after 30 days.
    • The CCPA also provides a private right of action. Consumers may bring suit against businesses to recover for CCPA violations.
      • A consumer may recover $750 for each violation without proving actual harm.
      • A consumer may recover more than $750 per violation if they can prove their actual harm exceeded that amount.

The CCPA is complex legislation that imposes serious demands on businesses.  Businesses affected by the CCPA must analyze their data management practices to cure any areas of non-compliance.  Due to the size of the California market, these are steps that many businesses even outside of California must take.  If your company has questions about this process, contact our Cybersecurity & Technology team for guidance.

 

Subscribe for Updates

Subscribe to receive useful articles, legal updates and firm news to keep you informed and up-to-date on important issues and trends.

Sign Up

Media Contact

Rachel Lufkin
804.783.6799

Email Rachel 

Jump to Page

Sands Anderson Cookie Preference Center

Your Privacy

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Analytical Cookies

Analytical cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek