The California Consumer Privacy Act (“CCPA”) went into effect on January 1, 2020. The CCPA is a landmark data privacy law that substantially expands the rights of California residents with respect to commercial uses of their personal information.
In order to be subject to the CCPA, a business must transact business in California (whether through a physical presence or e-commerce) and satisfy one of the following requirements: (1) have annual gross revenues of $25,000,000 or more, (2) possess the personal information of at least 50,000 consumers, or (3) derive at least 50% of its annual revenue from the sale of consumers’ personal information. Enforcement of the CCPA is not limited to California businesses.
A California resident may submit a request to a business covered by the CCPA and obtain the following information:
• The categories of personal information collected about the individual;
• The categories of sources from which the personal information of the individual is or has been collected;
• The business or commercial purpose for collecting or selling the personal information of the individual;
• The categories of third parties with whom the covered business shares the individual’s personal information; and
• The specific pieces of personal information the covered business has collected about the individual.
The CCPA also provides consumers with the right to request that the covered business delete the personal information it has collected for that particular consumer and the right to “opt-out” of having their personal information sold or disclosed for business purposes. Moreover, consumers have the right not to be discriminated against for exercising their rights under the CCPA, although covered businesses may offer financial incentives to consumers who agree to the sale of their personal information.
Within 45 days of receiving a consumer request, a covered business must verify the identity of the consumer making the request, provide the requested information, and/or delete the consumer’s personal information. Covered businesses must provide the requested information for the 12-month period immediately preceding the consumer request. Notably, the definition of “personal information” under the CCPA excludes publicly available information, de-identified information, and aggregate consumer information. Covered businesses must maintain records of consumer requests and their responses to such requests for 24 months.
The California Attorney General’s office will be primarily responsible for the enforcement of the CCPA by civil penalty. However, the CCPA notably provides consumers a private right of action against covered businesses that don’t comply with the CCPA under certain circumstances, which would allow consumers to sue non-compliant covered businesses for damages. Enforcement of the CCPA will begin on July 1, 2020.
Businesses that are subject to the CCPA need to begin compliance efforts immediately. It will be necessary to revise businesses’ websites and online privacy policies to reflect the new requirements of the CCPA. Businesses will need to implement a system in which they review and verify consumer requests and take appropriate action within the timeframe provided in the CCPA. The CCPA has initiated a domino effect in which states across the country have introduced similar privacy laws expanding consumers’ rights relating to the commercial use of their personal information, including one such bill that was introduced in the current session of the Nebraska legislature. To ensure compliance with the CCPA and stay up to date with other consumer privacy laws, contact Chris Estwick at (402) 392-1250 or by email at [email protected].