In June of 2018, the California Legislature passed the California Consumer Privacy Act (“CCPA”), which created rights in the collection, use, disclosure and sale of consumer data. The law took effect on January 1, 2020 and became enforceable on July 1, 2020.
Broadly speaking, CCPA gave consumers the right to notice, disclosure and to opt out of the sale and use of personal data, and placed the onus on covered businesses to keep personal information from unauthorized disclosure. Immediately after the enactment of CCPA, California voters approved, by a 56%-44% margin, a ballot initiative billed as the California Privacy Rights Act (“CPRA”). CPRA builds on the basic framework of the CCPA but adds enforcement powers through a new state agency, new consumer rights and new classifications of consumer data. CPRA will go into effect on January 1, 2023 and become enforceable on July 1, 2023.
KEY POINTS TO EXAMINE YOUR EXPOSURE UNDER CALIFORNIA PRIVACY LAWS
Does CCPA or CPRA apply to my business?
CCPA expressly covers a) any business that generates more than $25mm in annual revenue; b) any business that generates more than 50% of its revenue through the sale of consumer data; and c) any business that collects consumer data from more than 50,000 devices, households or individuals. Under CPRA the threshold number of devices, households or individuals will be 100,000.
However, a determination that your business doesn’t meet any of these requirements doesn’t end the inquiry over whether CCPA or CPRA will have any impact on your operations. Both CCPA and CPRA require covered businesses to mandate compliance by their third-party vendors and partners. This is to say that if your business has a contractual relationship with a covered entity that involves the sharing, sale or transmission of consumer data, you should also be prepared to comply with the notice, disclosure, deletion and opt-out requirements of CCPA and CPRA.
CCPA/CPRA Compliance is Inextricably Linked to Data Security
CCPA and CPRA do not provide a private right of action except when an unauthorized theft, disclosure or exfiltration is the result of a business’ failure to implement reasonable security measures. Where such inadequate security measures result in data breaches, the penalties are quite steep, with a minimum penalty of $100 and a maximum of $750 per violation. Given the scale of data collection practices generally, this has the potential to be extremely costly. The upshot is that CCPA/CPRA compliance cannot be assessed without an examination of data security practices.
What Do I Need to Do to Comply?
The actions a business must take to get into compliance are unique to each business. This is because the responsibilities of businesses under CCPA and CPRA are determined by each business’s collection, use, disclosure and sale of consumer information. Therefore the adequacy of compliance measures turns on a few key questions:
• What consumer information is my business collecting?
• How is that consumer information being used?
• Is my business selling consumer information?
• What am I doing to safeguard the storage of the consumer information that I collect?
For any questions regarding Data Privacy Law, please contact Arthur S. Gaus at 510-835-6811.