On January 1, 2020, the most restrictive data privacy act in the United States, the California Consumer Privacy Act (CCPA), went into effect.
The law is not limited to businesses established or located in California. On the contrary, the CCPA applies to any for-profit business that does business in California, collects personal information from California residents and satisfies any one of three criteria: (a) it has annual gross revenues of more than $25 million, (b) it annually buys, receives, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices, or (c) it derives 50% or more of its annual revenues from selling consumers’ personal information.
One goal of the CCPA is to give California residents back control over the dissemination of their personal information, whether they are currently living in the state or are temporarily outside it. The Legislature’s findings specifically referred to the March 2018 news reports regarding the misuse of personal information by Cambridge Analytica. In line with the stated mission of protecting California residents’ personal information, the definition of personal information is very broad and encompasses “any information that directly or indirectly:
No other state’s privacy statute has included “household” in its definition of personal information; the CCPA defines a household as “a person or group of people occupying a single dwelling.” The CCPA’s laundry list of personal information includes (but is not limited to) biometric information, geolocation information, employment-related information, personal names, online identifiers, email addresses, Social Security, passport and driver’s license numbers, IP addresses, physical addresses, real property records, records of a consumer’s purchases of or searches for products or services, Internet search records, educational records and profiles created by a business about a consumer or job prospect.
So, what are the obligations of a covered business with respect to the consumer? Here are the highlights:
The CCPA has teeth. Consumers have a private right of action against a business when personal information that is neither encrypted nor redacted is breached as a result of the business’s failure to implement and maintain reasonable security procedures and practices, and the business does not cure the violation within 30 days of written notice. The potential recovery is statutory damages of between $100 and $750 per consumer per incident or actual damages, whichever is greater. The CCPA does not, however, define what constitutes an effective cure. The Attorney General may sue a business for non-compliance with any provision, not just a data breach, and, depending on whether the violation is intentional, seek civil penalties of up to $2,500 per violation or $7,500 per intentional violation (again after a 30-day notice-and-cure period).
Businesses already familiar with the European Union’s General Data Protection Regulation (GDPR), in force since 2018, will recognize the schema of the CCPA, as the two laws take similar protective approaches. And even a business that is not covered by the CCPA should not assume it is off the hook: New York may not be far behind the West Coast. The New York Privacy Act did not pass in the 2019 legislative session, but it may yet succeed, and its provisions were more restrictive than the CCPA’s. Will protection of personal information become the “new” New York State of Mind? Time will tell.
Amy B. Goldsmith, Partner and Co-Chair of Intellectual Property Group, 212.216.1135