Happy New Year! At long last, the California Consumer Privacy Act of 2018 ("CCPA") went into effect yesterday, January 1, 2020. For those who have not yet heard, the CCPA establishes a comprehensive legal framework to govern the collection and use of personal information, both online and offline, and provides unprecedented privacy rights to California consumers, in effect becoming the de facto national standard for U.S. privacy law. The law introduces new legal risks and considerations for companies that collect information from California consumers, due to the law's expansive scope, broad definition of personal information, increased disclosure obligations, enhanced consumer rights, potential for statutory fines and, in the event of a security incident, the potential for consumer class action litigation.

Overview of the California Consumer Privacy Act of 2018

Generally, the CCPA applies to companies that collect and process personal information from or about identified natural persons (i.e., not entities) who are California residents (referred to in the CCPA as "consumers"). More specifically, the law applies to any covered "business," which is defined as a for-profit sole proprietorship or legal entity that:

  • does business in California;
  • collects California consumers' personal information (either online, offline or through third-party intermediaries);
  • determines the means and method (the why and how) of the processing of personal information; and
  • satisfies one or more of the following thresholds:
    1. has annual gross revenues over $25 million; or
    2. derives 50 percent or more of its annual revenues from selling consumers' personal information; or
    3. buys, sells, receives or shares (for commercial purposes) the personal information of 50,000 or more consumers, households or devices annually.

In addition, the law applies to any entity that:

  • controls or is controlled by a CCPA covered "business" (>50% ownership, control of a majority of the board, or controlling influence over management); and
  • shares common branding with that covered "business" (shared name, service mark or trademark).

Such an entity is also referred to as a "business" under the CCPA. The CCPA imposes a number of obligations on covered businesses, including requiring a business to:

  • provide detailed disclosures to consumers about the collection, use, disclosure and sale of personal information, as well as the rights available to consumers under the CCPA, in online and, potentially, offline disclosures ("Notice to Consumers").
  • provide consumers access to the underlying personal information collected about them and individualized details about their personal information in response to a verifiable request ("Right to Know").
  • delete personal information the business has collected from the consumer in response to a verifiable request, subject to exceptions ("Right to Delete").
  • if "selling" personal information, add a "Do Not Sell My Personal Information" link to the business's website and mobile application that allows a consumer to opt out of the "sale" of personal information ("Right to Opt Out").
  • not knowingly "sell" personal information about a consumer under the age of 16 without proper affirmative authorization or opt-in consent ("Right to Opt In").
  • not discriminate against a consumer for exercising a right under the CCPA ("Right to Nondiscrimination").

The California Attorney General may seek an injunction and statutory civil penalties of up to $2,500 per violation or $7,500 per intentional violation of the CCPA after a 30-day cure period. In addition, the CCPA gives a consumer the right to bring an individual cause of action or a class action against a business if certain nonencrypted or nonredacted personal information is subject to a data breach resulting from a business's failure to implement and maintain reasonable security procedures and practices.

Changes Past, Present and Future

There have been many CCPA-related developments since it was signed into law on June 28, 2018, and more are certain to come in 2020. The first major change occurred on August 31, 2018, with the passing of SB-1121, which amended the CCPA in certain respects, including prohibiting enforcement of the CCPA by the California Attorney General until July 1, 2020, or six months after publication of implementing regulations, whichever is sooner. Given that the final implementing regulations have not yet been published, the enforcement date will be July 1, 2020. Our team summarized the other changes from SB-1121 here.

On October 1, 2019, Nevada stole a bit of the CCPA's thunder by passing its own, much narrower, privacy law amendment addressing the "sale" of personal information. More information about the change in Nevada's law can be found here. California was quick to reclaim the spotlight, with the California Attorney General publishing draft CCPA regulations for public comment on October 10, 2019. The final regulations are yet to be published, but in the meantime please find our team's summary of the proposed regulations here. Lastly, on October 11, 2019, California's Governor signed six CCPA amendments into law, including amendments creating a one-year exception to most of the CCPA's obligations for information relating to a business's personnel and certain information in a B2B context. Please find our team's overview of these comprehensive amendments and their significant impact on CCPA compliance here.

With the law and the recent CCPA amendments all coming into effect yesterday, January 1, 2020, we have much to look forward to in the new year. For starters, the private right of action under the CCPA for certain data breaches is now in effect and we anticipate it won't take long for the plaintiffs' bar to jump at the opportunity to try out its new statutory damages. Please find our team's summary of the likely impact of this private right of action here.

In addition, changes to the CCPA are likely to continue as the California Attorney General must still publish its final implementing regulations in advance of the July 1, 2020 enforcement date and additional amendments are likely to be presented in the 2020 California legislative session. The critical personnel and B2B exceptions described above are also scheduled to sunset on January 1, 2021, so we expect to see at least some early discussion about the long-term prospects for extending or making these exceptions permanent.

Lastly, as we saw in 2019, other states will likely present CCPA-like bills in their own 2020 legislative sessions, and it is more likely these bills will be received positively after a year of discussion. Please find our team's overview of CCPA-like state privacy bills from 2019, which very well may be resurrected in 2020, here.

Takeaway for 2020:

The time to think about CCPA compliance is now, and it is not too late to get started. Taking our CCPA Readiness Assessment is a great first step. Or, feel free to download our Orrick team's PowerPoint, "CCPA Compliance – It's Not Too Late to Get Started!," which covers the critical components of the CCPA and suggests practical ways to begin addressing CCPA requirements. Our Orrick team is here to guide you each step of the way toward CCPA compliance, and we will continue to monitor CCPA developments and share updates here on Trust Anchor.
