background image
18
T H E P R I M E R U S P A R A D I G M
California's Consumer Privacy Act:
Implications for Counsel and Clients
On June 28, 2018, California Governor
Brown signed the California Consumer
Privacy Act (CCPA), which will become
effective on January 1, 2020. The CCPA
(Civil Code § 1798.100 et seq.), is the most
significant state privacy legislation passed
in the United States for many years. The
CCPA has been compared to the most
important privacy legislation of recent
years ­ the European Union's General Data
Protection Regulation (GDPR), which came
into effect on May 25, 2018.
1
Having only recently undertaken
substantial efforts to comply with the
GDPR, including revising privacy and
other policies, many companies in the
United States may well be wary of having
to undertake new work to comply with
the privacy legislation passed by a single
state. Whether such efforts are required
will depend on the extent of California
consumer data collected and shared by
a business and whether the CCPA will
be modified or preempted by federal
legislation before it comes into effect.
What is the CCPA?
The CCPA forestalled a substantially
stricter privacy measure sponsored by
Californians for Consumer Privacy, headed
by San Francisco real estate developer
Alastair Mactaggart, that had qualified
as an initiative for the Fall 2018 ballot.
Because the California legislature passed
the CCPA in relatively short time, the
technology industry, privacy professionals
and advocacy organizations continue to
lobby the California legislature to modify
the CCPA. However, barring unforeseen
changes and timely promulgation of
regulations by the California Attorney
General, enforcement of the CCPA will
commence on July 1, 2020.
Four aspects of the law are particularly
salient for businesses considering whether
their operations fall under the CCPA:
·
The CCPA imposes substantive new
obligations on companies "doing
business in California"
2
to protect the
"personal information" of California
"consumers." "Personal information"
is broadly defined as "information
that identifies, relates to, describes, is
capable of being associated with, or
could reasonably be linked, directly or
indirectly, with a particular consumer
or household." A "consumer" is a
"natural person who is a California
resident," including employees, parents
and children.
·
The CCPA is applicable to a for-profit
business (wherever located) if it
(1) has annual gross revenues in excess
of $25 million; (2) "annually buys,
receives for the business' commercial
purposes, sells or shares for commercial
purposes, alone or in combination,
the personal information of 50,000
or more consumers, households, or
devices;" or (3) derives 50 percent or
more of its annual revenues from selling
consumers' personal information.
3
·
The CCPA gives California consumers
substantive new rights, including:
(1) the right to obtain information
regarding the categories and specific
pieces of personal information collected
by the business about that person;
(2) the right to make requests regarding
the information held by the business
about them; (3) the right to obtain
(free of charge) copies of the personal
information held by the business;
(4) the right to request deletion of
certain personal information; and
(5) the right to direct a business that
"sells" personal information to third
parties not to sell such information
("opt out right").
4
For the purpose
of the statute, "sell" is broadly
defined as including "releasing,
disclosing, disseminating, making
available, transferring, or otherwise
communicating ... a consumer's
personal information."
5
·
The CCPA gives the California Attorney
General enforcement authority and the
power to levy sanctions of $7,500 per
intentional and $2,500 for unintentional
North America ­ United States
Timothy Toohey leads Greenberg Glusker's
cyber security practice, working to assure
that his clients' proprietary, personal,
customer and employee information, and
other sensitive data is fully protected
and serves its intended purposes. He is a
United States and European Union Certified
Information Privacy Professional and a
Certified Information Privacy Manager.
Greenberg Glusker
1900 Avenue of the Stars
21st Floor
Los Angeles, California 90067
310.553.3610 Phone
ttoohey@greenbergglusker.com
greenbergglusker.com
Timothy Toohey