During a recent CLE presented by Natalya Northrip, Global Chief Privacy Officer at Arthur J. Gallagher & Co.; David Shonka, Partner at Redgrave LLP; Alex Pilmer, Partner at Kirkland & Ellis LLP; and Erin Plante, Director of Strategy & Consulting at Inventus, we learned a lot about the pending California Consumer Privacy Act – from what it covers (and what it doesn’t), who is subject to its regulations, what the consequences for noncompliance may entail, and some of the steps we should be taking to prepare. Read on below for some of our key takeaways.
Set to go into effect next month, the California Consumer Privacy Act (CCPA) will grant Californians the right to see what data a company holds on them. It has many similarities to the 2018 European General Data Protection Regulation (GDPR), which lets Europeans access and delete their data in many circumstances.
Even though the law is a California one, it reaches any business that holds the personal information of California residents and meets the statute's thresholds (below). In practice that covers most medium and large companies that do business in, or sell products or services to, residents of California, regardless of where the company itself is located.
What Exactly Is the California Consumer Privacy Act?
Put simply, the Act will provide all California residents with the right to:
- Know what personal data is being collected about them.
- Know whether their personal data is sold or disclosed, the purposes of such disclosures, and the categories of third parties with which that data is shared.
- Say no to the sale of their personal data.
- Access their personal data.
- Request a business to delete any personal information held about them.
- Not be discriminated against for exercising their privacy rights.
Who is Affected by the CCPA?
All California residents will be affected by the CCPA. The regulation opens up a world of transparency for consumers who for years have had their personal data used for various purposes with very little insight into what exactly is known about them and by whom; where their data has gone; how it has been used; how long it has been stored; or the security practices applied to it.
But it’s primarily businesses who will be tasked with updating their processes to comply with this new regulation. How do you know if your organization will be affected? The CCPA sets out some very clear guidelines:
The CCPA applies to any for-profit entity that does business in California, and satisfies at least one of the following thresholds:
- Has annual gross revenues of more than $25 million
- Buys, sells, shares, or receives for commercial purposes the personal information of 50,000 or more consumers, households, or devices per year
- Earns 50 percent or more of its annual revenue from selling consumers' personal information
CCPA Violations Can Be Expensive
Organizations that fail to comply with the CCPA can face potentially stiff fines in two specific categories:
Private rights of action
In the event of a data breach involving nonencrypted, nonredacted personal information, California residents are entitled to a private right of action (Cal. Civ. Code 1798.150(a)). The right is narrower than it first appears: it applies only where the data was subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business's failure to implement and maintain reasonable security procedures and practices. Two practical consequences follow. Encrypting or redacting stored personal information takes a breach of that data outside the private right of action entirely, and the business's ability to show a documented, reasonable security program is the core of its defense.
In those cases, each injured consumer may recover statutory damages of between $100 and $750 per consumer per incident, or actual damages, whichever is greater.
Before filing for statutory damages, the consumer must give the business 30 days' written notice identifying the specific provisions allegedly violated; if the business cures the violation within that period and provides a written statement that it has done so and that no further violations will occur, the statutory damages action cannot proceed (1798.150(b)). No such notice is required for an action seeking only actual pecuniary damages, since the harm of a breach cannot be undone by a later cure.
Attorney General action
Separately, the Attorney General can bring civil actions seeking up to $2,500 per violation of the Act or the AG's regulations, rising to $7,500 per intentional violation (1798.155(b)).
Here too, organizations found in violation receive 30 days' notice and an opportunity to cure. If they do not remedy the violation within that window, they are subject to AG action.
While at first glance these fines may appear low, keep in mind they are assessed per violation, and a breach is counted per affected consumer. Privacy or data breach incidents often affect thousands or tens of thousands of consumers, so exposure can easily reach the hundreds of thousands or millions of dollars.
What the CCPA Means for You: Specific Actions
Organizations can get ahead of the new regulations by taking a proactive look at their data collection policies and privacy policies and evaluating and updating current compliance procedures. At a minimum, evaluate:
- Risk Management: Begin identifying risks in your data policies and procedures and, where necessary, create new or updated risk management policies. Because breach liability under the private right of action turns on "reasonable security procedures and practices," document the controls you rely on and the reasoning behind them.
- Necessary Data: To minimize risk, keep only the personal information necessary to provide the service or product you deliver, and encrypt or redact what you must retain; data you do not hold cannot be breached, and encrypted or redacted data falls outside the private right of action.
- Data Tracking System: Consumers will be able to request the personal information a business has collected about them in the preceding twelve months, and that right becomes exercisable on January 1, 2020. Organizations should therefore have a data inventory (what personal information is collected, where it is stored, with whom it is shared, and for what purpose) and secure data storage in place as soon as possible, so that access and deletion requests can be answered within the statutory timeframe.
The CCPA represents a new level of privacy requirements for personal data within the United States. All organizations subject to this statute must put processes in place to ensure compliance and the ability to respond in a timely manner to any and all consumer requests for access, deletion, or an opt-out from the sale of their data.