Aristi California Consumer Privacy Act (“CCPA”)
What is the California Consumer Privacy Act (CCPA)?
The California Consumer Privacy Act (CCPA) was passed by the California legislature and signed into law on June 28, 2018. It is widely regarded as the toughest privacy law in the United States to date. It broadly expands the rights of consumers and requires businesses within its scope to be significantly more transparent about how they collect, use, and disclose personal information. The CCPA takes effect January 1, 2020, and enforcement is slated to begin no later than July 1, 2020.
Who does the CCPA apply to?
- Any business that offers products or services to California residents and collects their personal information, regardless of where the business is located, and that:
  - has $25 million or more in annual gross revenue;
  - possesses the personal information of 50,000 or more consumers, households, or devices; or
  - earns more than 50% of its annual revenue from selling consumers' personal information.
Exemptions: the CCPA does not apply
- to nonprofit organizations;
- if every aspect of a business's collection or sale of PI takes place wholly outside California;
- to sales to or purchases from a consumer reporting agency;
- to deidentified or aggregated PI;
- to PI covered by HIPAA or the California Confidentiality of Medical Information Act;
- to PI covered by the Gramm-Leach-Bliley Act or the California Financial Information Privacy Act.
Enforcement and penalties
- The Attorney General (AG) must adopt implementing regulations by July 1, 2020.
- Enforceable by the AG starting July 1, 2020.
- Businesses get a 30-day cure period after notice of an alleged violation.
- Civil penalty of up to $2,500 per violation or $7,500 per intentional violation, plus injunctive relief.
- Private right of action for data breaches: statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater.
Highlights of CCPA
- Gives consumers ownership, control and security of their personal information.
- Personal information is defined broadly: information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
- Consumers are given rights to:
  - access a report of the personal information a business has collected about them (right to know);
  - have their data deleted from business systems (right to deletion);
  - opt out of the sale of their data at any time.
- Opt-in consent requirements:
  - consent is required before any sale of the personal information of minors under 16 (parent or guardian consent for children under 13);
  - after a consumer opts out, the business may not ask them to opt back in to the sale of their data for at least 12 months.
- Businesses are required to disclose, in their website privacy policy or by other public means, how they have used (or not used) consumer data over the preceding 12 months, along with opt-out instructions.
- Businesses will have to develop processes and procedures to accommodate all consumer rights, including data mapping and access reports.
- Businesses are required to implement reasonable security safeguards for consumer data.
- Significant penalty and damages exposure for businesses that fail to comply (enforced by the CA AG).
- Compliance required by January 1, 2020.