CCPA Is Here! Happy New Year?
POSTED BY Joshua S. Devore
The California Consumer Privacy Act officially goes into effect on January 1, 2020. As a result, any business – as specifically defined – that interacts with California consumers will need to update its privacy policy and related business practices. To be subject to the CCPA, a “business” must have either $25 million in revenues; buy, sell or receive for commercial purposes the personal information of 50,000 or more consumers, households or devices annually; or derive 50 percent or more of its revenue from selling consumers’ personal information. Note that the 50,000 “devices” threshold is not hard to reach: if your website is collecting data from every device that contacts it, you would pass 50,000 devices with an average of only 137 visitors per day.
Due to delays in developing the regulations under the CCPA, the date on which the bulk of the CCPA’s provisions become enforceable by the state Attorney General has been extended until past July 1, 2020. As such, there is still time to implement the necessary policies and procedures; indeed, the regulations that spell those out are not yet final. But even if your business recently updated its privacy policy, such as to comply with Europe’s GDPR, you will need to make additional changes to comply with the CCPA.
More importantly, despite the delay in the regulations, the statute is effective January 1, 2020, putting into law a private right of action for consumers in the event of a data breach. As a result, a consumer can sue in the event that their nonencrypted and nonredacted personal information is subject to unauthorized access as a result of a business’s failure to implement and maintain reasonable security procedures and practices to protect the information. For that reason, businesses should take steps to ensure that their consumers' data is secure as their first resolution for the New Year.
The foregoing is for informational purposes only, is not intended to be a complete description of the obligations under the CCPA, and is not specific legal advice.
For further information on complying with the CCPA, contact Joshua Devore.