• New privacy legislation is coming soon, but what does it mean?    

    #1 CCPA grants California residents comprehensive privacy rights. 

    Among the most important aspects of CCPA are the expansive new consumer privacy rights granted to California residents. CCPA, currently slated to go into effect January 1, 2020, grants residents new rights, along with traditional rights of transparency and choice. Californians will be able to request the “what, who, and why” surrounding their personal information, including data collected, purposes of collection, with whom it was shared, to whom it was sold, and more.

    They will also receive the right to request access to the actual pieces of data collected, the right to request opt out (directing a company to not sell their personal information to third parties), and the right to deletion (the ability to request that a company delete the personal information it has collected about them).  

    #2 Businesses don’t have to be located in California to be impacted. 

    Any for-profit business collecting and using personal information on California residents (representing over 12% of the U.S. population) is subject to CCPA, as long as it meets any one of the following three conditions: 

    1. if the business has annual gross revenues exceeding $25 million 
    2. if it annually buys or sells personal information of 50,000 or more California consumers, households, or devices 
    3. if it derives more than 50% of its annual revenue from selling California consumers’ personal information. 

    Currently, and unless fixed in the CCPA amendment process underway now, this includes data on consumers, employees, business contacts, business agents, and others.

    #3 Citizens will be allowed “private right of action” under CCPA for a security breach

    California residents will be allowed to bring a direct lawsuit if their unencrypted or unredacted personal information is subject to a data breach as a result of a business’s failure to implement reasonable security. Plaintiffs in these cases may seek set damages of between $100 and $750 per consumer per incident or an estimate of actual damages, whichever is greater. The CCPA also empowers the Attorney General to pursue cases against businesses for damages of up to $7,500 per violation for intentional or willful violations (e.g., Cambridge Analytica).

    #4 CCPA defines terms differently from previous privacy legislation. 

    CCPA defines terms differently from other laws, co-regulation, regulatory guidance, and privacy policies. This incongruity is challenging for businesses that operate in states besides California and are therefore also covered by other states’ laws and by federal laws. One glaring example is the definition of “personal information,” which CCPA defines as including both individual-level and household-level information. Additionally, consumers in California who instruct a company not to sell their personal information to third parties are limiting more than just a traditional sale, since CCPA’s definition of “sell” is broader than simple monetary exchange. As explained by the IAPP, “sale” is defined as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.” This is new territory.

    #5 Effective on January 1, 2020, much about how CCPA will be enforced is still unclear.  

    Because CCPA was introduced and signed into law in a matter of days (in less than a week in June 2018), the law contains some flaws, contradictions, and what are referred to as “unintended consequences.” As a result of a number of ambiguities and issues in the law, many aspects still need to be clarified. This makes achieving compliance a complex and uncertain task. Compounding the uncertainty, the legislative “fix” process is still underway, with the Attorney General implementing regulations that are forecast to be released no earlier than mid- to late-October 2019, leaving businesses with less than 75 days before the enforcement date to analyze and react.

    Despite this uncertainty, there are concrete steps you can take now to prepare for CCPA’s enforcement. Subscribe to RampUp to be one of the first to read our next article on what you can do to start preparing.

    The information provided in this blog does not constitute legal advice. Please consult your legal counsel to obtain legal advice.
