CALIFORNIA CONSUMER PRIVACY ACT: WHAT YOU SHOULD KNOW BEFORE JULY 1ST ENFORCEMENT (Second In A Series)
June 11, 2020
By: Jason L. Ott, Derrick L. Maultsby, Jr., and Adam Zaccari
As we discussed in this series’ first entry, the uncertainty caused by COVID-19 forced many companies to shift focus to immediate financial and operational issues to keep their businesses afloat, which may have resulted in certain initiatives (such as corporate compliance matters) being put on temporary hold. However, the pandemic did not affect the July 1, 2020 enforcement deadline for the California Consumer Privacy Act (“CCPA”) and the Cybersecurity Maturity Model Certification (“CMMC”), two major regulatory provisions affecting hundreds of thousands of businesses. This entry focuses on the CCPA and some key details to know ahead of enforcement.
The CCPA went into effect on January 1, 2020, and statutorily defines California residents’ rights on how businesses collect, use, and share their personal information. CCPA applies to any business that operates in California and: (i) derives at least $25 million in annual revenue generally; (ii) gathers data on more than 50,000 users’ devices; or (iii) generates more than 50% of its revenue from selling consumers’ personal data. Failure to comply with CCPA regulations can lead to substantial economic repercussions. Given the present climate concerning data privacy on a global scale, the California Attorney General’s Office has indicated that it is fully staffed and committed to enforcing the CCPA beginning on July 1, 2020. The potential statutory fines are hefty - for each intentional violation, a company may be fined up to $7,500.00 and for each unintentional violation, a company may be fined up to $2,500.00. The “per violation” language creates the possibility for major fines.
For companies that are subject to the CCPA, some key provisions are the following:
- Companies must disclose data collection and sharing practices to consumers;
- Consumers have a right to request for personal data to be deleted (although there are exceptions that apply to the collections industry);
- Consumers have a right to request what information is collected; and
- Companies are required to provide a privacy notice prior to collecting information from a consumer.
Even with the COVID-19 interruptions in business operations, businesses operating in California that fall under the CCPA’s purview are required to ensure that their practices regarding the collection, use, and sharing of personal information conform to the CCPA’s requirements. Despite the strict governmental shutdown orders that have been in place throughout California for some time, all such businesses must comply with the CCPA by the July 1, 2020 enforcement date.
Considering the significant impact that the CCPA may have on companies across the world, Jackson Kelly is committed to providing knowledgeable counsel to help our clients navigate these pending requirements. We have partnered with SecureSky, a leading cybersecurity firm specializing in helping companies meet compliance demands while improving their security posture. Jackson Kelly and SecureSky actively engage with industry leaders that provide technology, tools, and resources enabling companies around the globe to ensure compliance in all facets of business, specifically including the ever-growing world of data privacy and security regulation. We will continue to explore the CCPA and its effects on companies across various industries. Please feel free to contact us any time to discuss your needs in more detail.