The California Consumer Privacy Act "CCPA" law goes into effect on January 1st, 2020

Below are CCPA Law Firms that our clients and Equisolve work with:

What you should know when interviewing California Consumer Privacy Act Lawyers at CCPA law firms?

The California Consumer Privacy Act (the “CCPA”) goes into effect on January 1, 2020 and sets the standard for U.S. state privacy law. The CCPA applies to organizations, wherever located, that process personal information of California residents (including investors, shareholders, business contacts, consumers, etc.) when (a) doing business in California, (b) providing services to other organizations that do business in California, or (c) otherwise receiving personal information from an organization that falls into (a) or (b) above.

The definition of “personal information” is arguably broader than the definition in the General Data Protection Regulation (the “GDPR”); it includes typical identifiers such as name, address, phone number, and email address but also includes IP address, advertising IDs (e.g., Apple IDFA, Android AAID), cookie IDs, MAC addresses, log information, and even inferences made about the individual.

Given this broad definition, organizations should analyze where they fall under scope of the CCPA and take steps now to comply, as penalties for violations are steep. The CCPA provides for (1) a private right of action for data breaches (including class actions), where each California resident can recover statutory damages between $100-$750 per incident or actual damages, whichever is higher (meaning that a showing of harm is not needed), and any other relief the court deems proper and (2) regulatory enforcement action by the California Attorney General (including for fines between $2,500 to $7,500 per violation).

Though the GDPR inspired the CCPA, the CCPA has unique and complex requirements that require their own compliance initiative. This is true even of requirements that may seem similar conceptually to the GDPR. Among other things, these requirements may include:

  • Providing “access” rights to a California resident upon verifiable request by providing, among other information, the “specific pieces of personal information” collected about that California resident in a portable format;
    • Given the broad definition of “personal information,” this can be very challenging, especially since “inferences” made about the individual falls under the definition of personal information.
  • Updating data protection agreements with service providers to include certain enumerated prohibitions on how they can use personal information;
  • Deleting any personal information collected about a California resident upon verifiable request (unless an exception applies);
  • Annually updating privacy policies to disclose what personal information has been collected, the sources of personal information collected, the “business purpose” or “commercial purpose” for using such personal information, categories of “third parties” with whom the business shares such personal information, information regarding to whom the business “sells” personal information, and other information.
  • Where “selling” personal information, embedding a link that says, “Do Not Sell My Personal Information” on the business’s website (including homepage, privacy policy, and any other page where personal information is collected) that allows consumers to opt-out of such “sales.”

You may be thinking, “I don’t ‘sell’ personal information, so some of these requirements wouldn’t apply to me.”

However, the definition of “sale” is incredibly broad and means, “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” So its reach is expansive and likely includes activities such as retargeting, advertising cookies or pixel tags, certain social media plug-ins, and various other marketing activities.

Finally, the CCPA has a “12-month lookback,” which means that personal information that you’ve collected since January 1, 2019 is still within scope of the CCPA when it comes into effect next year. In other words, personal information that you collect today will need to be considered when fulfilling the above requirements, such as access requests, privacy policy updates, and “opt-outs” through the “Do Not Sell My Personal Information” link, to the extent applicable.

Organizations that may fall under scope of the CCPA should consider hiring an attorney whose practice is focused on global privacy and cybersecurity laws. A privacy attorney should be able to understand how the CCPA impacts your specific organization and how to fulfill its requirements in a way that complements your previous compliance activities with other privacy laws (e.g., the GDPR) and does not unduly disrupt your business. Further, the attorney should be able to set up a privacy compliance framework that puts you in a good position to comply with future U.S. privacy laws with lower incremental costs.

Further, a skilled privacy attorney will have a strong understanding of the regulatory landscape to give practical advice on how the California Attorney General will enforce this law. The attorney should also be aware of activity in the California legislature that may further affect the scope of your obligations under the CCPA.

For more information regarding CCPA compliance, please read our white paper here: https://www.equisolve.com/white-papers/ir-website-ccpa-compliance.