The California Consumer Privacy Act (CCPA) is one of the most consequential data privacy laws passed to date in the U.S. and will require significant changes to the way many U.S. companies manage the personal information of their customers. The CCPA may apply to businesses even if they do not have a physical presence in California if they meet certain requirements, such as having 50,000 customers based in the state. Failure to comply with the CCPA when it enters into force in 2020 could result in costly fines or private lawsuits.
The California Department of Justice has announced a March 8, 2019 deadline for submitting written pre-rulemaking comments on the CCPA. This is an opportunity for businesses to make their concerns known to the California Attorney General, who is tasked with enforcing the CCPA and drafting regulations to clarify the scope and application of the law. Murphy & McGonigle is available to advise companies wishing to provide comments and to assist in CCPA compliance efforts.
BACKGROUND ON THE CCPA
For brief background, the CCPA imposes several requirements regarding the collection, storage, maintenance, and sharing of consumers’ personal information. These requirements generally apply to those for-profit businesses that collect consumers’ personal information, determine the purposes and means of processing that information, do business in California, and either (i) exceed $25 million in annual gross revenue, (ii) annually buy, sell, receive, or share for commercial purposes the personal information of at least 50,000 consumers, households, or devices, or (iii) derive at least 50% of their annual revenue from selling consumer personal information.
Compliance with the CCPA may require businesses to drastically enhance their data governance programs, including adjustments to policies, procedures, and technical controls. While much of the personal information maintained by financial institutions, such as information subject to the Gramm-Leach-Bliley Act (GLBA), is explicitly exempt from the CCPA, those financial institutions are not entirely exempt themselves. What’s more, the potential fine for violations of the CCPA can reach $2,500 for each violation, and up to $7,500 for each intentional violation.
AREAS FOR RULEMAKING
Open issues for rulemaking by the California Attorney General include:
- Defining the categories of “personal information” covered by the law
- Resolving an open question of whether the CCPA applies to the personal information of a company’s employees as well as to its customers
- Establishing any exceptions to the CCPA necessary for businesses to comply with state or federal law
- Establishing rules for providing notice to consumers of their rights under the law
- Establishing rules for complying with consumer requests to exercise their rights under the law
- Adjusting the monetary thresholds for businesses to be covered by the CCPA