Top 5 Things You Need To Know About the CCPA
Much as GDPR set the online privacy world on fire a couple of years ago, a new law out of California is expected to have a similar impact on privacy concerns for many companies in the United States and elsewhere. Here's what you need to know.
- What is the CCPA?
The “CCPA” is the California Consumer Privacy Act, a statute passed by the California legislature and signed into law on June 28, 2018 (AB 375). It went into effect on January 1, 2020. It gives California citizens certain rights concerning their personal information, such as the right to request what information has been collected about them and whether that information has been sold, the right to “opt out” of having their information sold, and other similar rights.
- But I run a business in Tennessee, Alabama, Mississippi, North Carolina, New York … why should I care about the CCPA?
Your business is obligated to comply with the CCPA if one of the following is true:
(1) your business earns $25M in revenue annually, and you collect personal information of California residents;
(2) your company collects personal information of California residents, and your company receives, buys, sells, or shares the personal information of 50,000 residents, households, or devices; OR
(3) your company collects personal information of California residents, and it earns more than half of its annual revenue from the sale of personal information.
Regardless of where your business is located, if any of the above-listed factors are true, then you should seriously consider your potential obligations under the new statute.
- How can I begin to comply with the CCPA?
A key first step is to know what information you are collecting, how you are processing the information, and with whom you are sharing the information. Many companies are surprised to learn that their marketing departments have established a number of creative ways of obtaining information from, and marketing back to, customers and potential customers. Cross-selling and cross-promotions, giveaways, and other means of sharing personal information abound among many medium-to-large businesses.
- What if a California consumer contacts my company, requesting information?
There are several “steps” involved in handling consumer requests under the CCPA. Before responding to a request, the CCPA requires companies to verify the identity of the requestor and confirm that the person making the request is either (1) the person whose information has been collected or (2) an authorized agent of that person. Also be aware that the CCPA limits the amount of time you have to respond to a request, and that those time limits include the amount of time it takes to verify the requestor’s identity. Businesses subject to the CCPA should consider implementing an efficient system of receiving, verifying, and responding to requests to ease their administrative burdens.
- Can I get in trouble if I don’t do anything?
The CCPA gives the California Attorney General the authority to impose fines ranging from $2,500 to $7,500 for each violation. Additionally, where non-encrypted (or non-redacted) personal information has been the subject of a breach, the statute provides a private right of action for individual California residents, allowing for recovery of $100 to $750 in damages for each event.