When the California Consumer Privacy Act (CCPA) goes into effect in January 2020, it will impose obligations not seen before in U.S. data security legislation. In order to avoid liability, entities doing business in California need to prepare now to comply with the new statute.
Despite efforts to revise the CCPA since its initial passage in 2018, uncertainty persists as to its scope and enforcement. In general, it applies to any business that is of a certain size (over $25 million in gross revenue); or that buys, receives, or shares a material amount of consumer data (over 50,000 persons annually); or that derives more than half its revenue from selling the data of California consumers.
While the statute is full of ambiguities—some of which are the basis for ongoing efforts at clarification through the legislature or the Attorney General of California—businesses should not wait for complete certainty to get ready.
The CCPA grants consumers a host of new rights regarding their data. Businesses must prepare to handle customer requests directed to these new rights and update their privacy disclosures, including at the point of personal data collection.
The statute imposes burdens beyond regulatory compliance. The CCPA gives consumers a private right of action if their data is stolen or otherwise breached. With statutory damages of $100 to $750 per “consumer incident,” businesses can expect an uptick in civil privacy litigation. However, consumers can only base claims on breaches of “nonencrypted or nonredacted personal information,” which is one more reason businesses must act now to ensure such data is protected in accordance with the statute.
Selling or sharing customer data will make compliance more complicated and costly. Businesses that do not monetize data should determine how much personal data they need to keep and whether they want to stay involved in these practices.
Our team tracks all evolving developments related to the CCPA and keeps our clients up to date. We work with companies to update their privacy policies and procedures in preparation for the effective date of the CCPA and can assist with other privacy concerns pre- and post-litigation.
We have experience with complex consumer privacy, data protection and security laws impacting businesses nationwide, including, among others:
Los Angeles/San Francisco Daily Journal | January 23, 2019
Los Angeles Government Investigations and White Collar Defense partner Jason Gonzalez and associate Karina Puttieva co-wrote this contributed article identifying issues with the “remarkably unclear” California Consumer Privacy Act, a measure passed last year that regulates large businesses that buy, sell or share consumers’ personal information.