California is preparing to implement its Consumer Privacy Act (CCPA), a data privacy law that is among the strictest in the country. The landmark law requires certain for-profit businesses abide by rules and restrictions regarding the consumer data they collect. With the law going into effect in 2020, businesses need to ensure that they are in compliance with these new data privacy regulations.
Authored by Assemblyman Ed Chau and signed into law by Governor Gavin Newsom in June of 2018, the law gives consumers more rights regarding protecting personal data. The law requires businesses to inform consumers of the personal data collected and allows consumers to delete and prevent the sale of that data. Under the CCPA, penalties for not complying can reach up to $7,500 per violation.
The CCPA will affect for-profit businesses that meet any of the following criteria:
- Greater than $25 million in annual gross revenues;
- 50,000 or more consumers, households or devises have personal information bought, received for commercial purposes, sold, or shared for commercial purposes each year;
- 50% or more of annual revenue is derived from selling consumers’ personal information
At least nine other states have introduced data privacy bills that incorporate similar provisions as the CCPA. We expect more states to introduce similar bills in the 2020 legislative session.
The law is similar, but not identical, to the European Union’s General Data Protection Regulation (GDPR) which took effect in May of 2018. It is important to note that firms that meet GDPR compliance may not necessarily meet CCPA compliance, as there are distinct differences between the two consumer protection efforts. Firms should meet with their general counsel or a lawyer to ensure that they are in compliance.