California Consumer Privacy Act of 2018 – October 2019 Update
10-25-2019
Recap of California Consumer Privacy Act of 2018 Requirements
In February 2019, we wrote a blog post that outlines the new California Consumer Privacy Act of 2018 (CCPA). Since February, there have been several amendments to the CCPA that passed on October 11, 2019. This blog post provides updates on the CCPA and the recent changes that have been published in the last few months.
To give you a recap, the California Consumer Privacy Act of 2018, also known as the CCPA, is a new act that will be effective January 1, 2020. This act includes new regulations on privacy policies, the handling of data breach occurrences, the handling of Personally Identifiable Information (PII), and the sharing/selling of California residents’ PII to third parties.
The goal of the act is to offer California residents more transparency and control with regard to how their PII is handled. Although the act goes into effect in January of 2020, July 1, 2020 is the date when the California Attorney General can begin to file suits on behalf of the State of California.
Companies around the world will have to comply with the California Consumer Privacy Act of 2018 if they receive, process, or sell personal data from California residents. If the company (or its parent company or subsidiary) meets one or more of these criteria, it must be in compliance:
- Annual gross revenue of $25 million;
- Obtain personal information of 50,000 or more California residents, households or devices annually; or
- Receive 50% or more of their annual revenue from selling California residents’ PII.
Businesses that fail to comply with the CCPA requirements could face civil action lawsuits and state-levied fines. There are varying levels of actions that can be taken on behalf of the California Attorney General for violations:
- Civil action suits can include actual damages and statutory damages between $100-$750 for data theft or data breaches; and
- State-levied fines are separated into two categories with different fines: a $2,500 fine per unintentional violation and a $7,500 fine per intentional violation.
Want more details? Read the California Consumer Privacy Act of 2018
Recently Approved Amendments
The original version of the CCPA contained several gray areas, leaving many compliance requirements loosely described. Several amendments have passed since. Here are a few:
- Employee Exemption (AB 25) – This bill would exempt employment information from the definition of “consumer”. This amendment passed in September 2019.
- (AB 874) excludes “publicly available information” from the definition of “personal information”, and clarifies that de-identified or aggregate information is “not personal information”. This amendment passed in September 2019.
- (AB 1146) exempts vehicle and ownership data for the purpose of vehicle repair relating to a warranty or recall. This amendment passed in September 2019.
- (AB 1202) requires “data brokers” to register with the Attorney General of California and pay a fee; the amount is undetermined at the moment. The fees go towards the cost of creating and maintaining a page on the Attorney General website where data brokers provide their contact information as well as an explanation of their data collection practices. “Data brokers” will be fined $100 for each day they fail to register with the Attorney General.
A survey went out earlier this year and revealed that 71% of companies expect to spend more than six figures to comply with the CCPA; 1 in 5 expect to spend more than $1 million to achieve CCPA compliance. 71% plan to invest in technology to prepare for the CCPA, while 61% plan to spend on consulting expertise.
What Do You Do Now?
Since the CCPA has passed, it is time to act now. The first thing that you should do is get in contact with your Legal Counsel to determine if the CCPA applies to you. If your business does need to comply with the CCPA there are some actions you may need to take:
- Work with your lawyer to create or update your Privacy Policy, as well as review existing contracts between vendors.
- Contact your web firm to implement “DO NOT SELL MY PERSONAL INFORMATION” consent modals on your website.
- Adjust Google Analytics settings to ensure it is compliant with the CCPA’s requirements.
California is not the only state proposing stricter privacy around personal information; many others are working on their own privacy acts. Time will tell.
Disclaimer: This notice is meant to provide you with initial information regarding recent regulations and developments; this should not be construed as legal advice or a solicitation. Speak with your Legal Counsel to verify that your business does, or does not need to comply with the California Consumer Privacy Act of 2018 (CCPA).