As you may already be aware, the CCPA goes into effect on January 1, 2020. California’s Attorney General has issued draft regulations under the CCPA and final regulations are expected to be issued shortly. Below are some frequently asked questions and answers about the CCPA as a short guide to assist you with understanding what the CCPA may require.
It is the new California Consumer Privacy Act (CCPA) that creates new “consumer” rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. The CCPA defines “consumer” as any “natural person who is a California resident.” More specifically, consumers’ rights under the CCPA include:
The CCPA defines personal information broadly to include any information that “…identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”. Note that this definition is more expansive than other privacy laws that may not include information such as email addresses, web tracking information (including IP addresses, web cookies, and browsing activity) and biometric information.
Businesses subject to the CCPA must:
Potentially yes. Businesses are subject to the CCPA if they have gross annual revenues in excess of $25 million and collect personal information from California residents. You need to consider whether you have current investors, prospective investors, employees, independent contractors, or other business contacts in California. You should also consider whether you collect personal information on your website which may come from California residents. Some recent amendments have effectively delayed implementation of the CCPA to January 2021 for employees, job applicants and business-to-business contacts (the so-called B2B exemption), but you should begin your compliance efforts now.
If you are an SEC-registered investment adviser, then you are already subject to the Gramm-Leach-Bliley Act (GLBA). The CCPA exempts information collected pursuant to the GLBA. In other words, the exemption covers the typical information collected in a subscription agreement, such as name, address, email information, social security or other tax identification number and bank routing information. The CCPA should not change your existing business practices with current or prospective investors, as you should already be complying with the GLBA. The CCPA may still apply to other information that you collect; for example, information collected through a public-facing website may still be subject to the CCPA. You have a window of time until January 2021 to consider CCPA implications for your employees and business contacts.
The California Attorney General is responsible for enforcement of the CCPA. The Attorney General cannot bring an action until six months after publication of the final regulations (which are still pending) or July 1, 2020 (whichever occurs sooner). Actions brought after July 1, however, may relate to conduct between January 1 and July 1, 2020. Civil penalties can range from $2,500 for a non-intentional violation to $7,500 for an intentional violation. A business is not liable if it cures any noncompliance “within 30 days after being notified of alleged noncompliance” (although there may be some breaches that are not capable of being cured).
The CCPA also contains a private right of action that consumers can bring under certain circumstances if a business experiences a data breach. Importantly, the GLBA exemption does not apply to this provision of the CCPA.
Unfortunately no. The European Union’s General Data Protection Regulation (GDPR) and the CCPA are separate legal frameworks with different scopes, definitions and requirements. The work done for the GDPR will, however, be very useful in complying with the CCPA.
The area of privacy law is a rapidly changing regulatory environment. In the absence of a single federal law, it is expected that other states may follow with new privacy laws and regulations. For more information on CCPA, please contact your lawyer at Foley Hoag LLP or visit our Foley Hoag blog here.