A new decade in data privacy: Complying with the CCPA

By Charles Fleischmann and Ephraim Hintz

Charles Fleischmann (charles.fleischmann@huschblackwell.com) is an attorney with Husch Blackwell in Washington, DC, USA, and Ephraim Hintz (ephraimhintz32@gmail.com) is an attorney with Polsinelli in Denver, Colorado, USA.

Following daily headlines of data breaches and companies using or maintaining individuals’ data in less than desirable ways, governments around the globe have increasingly taken notice and started passing laws governing the rights of individuals with respect to their data, and the way others can permissibly use it.

Leading the pack was the European Union (EU), whose General Data Protection Regulation[1] (GDPR), came online in 2018. While companies doing business in the EU worked to become compliant with GDPR, various states in the US recognized that the federal government lacks much, if any, of the framework around this issue. As a result, several states have contemplated passing their own data privacy laws and regulations.

The most significant of these laws, the California Consumer Privacy Act (CCPA),[2] was passed in June of 2018. As California wrestled with the specifics of how compliance and enforcement would work, the state delayed the effective date of the CCPA until January 1, 2020. While the CCPA will be effective as of this article’s publication, enforcement is not set to begin until July 1, 2020.

As a result, the goals of this article are to (1) inform businesses whether they fall within the CCPA’s reach; (2) provide an understanding of the basics of the law, and the remaining areas of uncertainty; and (3) offer practical tips on how to comply for those affected businesses.

The CCPA in a nutshell

Dubbed California’s version of the GDPR, the CCPA shares a basic framework with its European predecessor, creating new rights for Californians with respect to their data, and imposing obligations on those businesses that handle it. Nonetheless, there are some key differences in the components and workings of these laws, such that a company already in compliance with the GDPR cannot simply assume compliance with the CCPA, or vice versa.

To state the obvious, the scope of coverage is different, focusing on California residents rather than Europeans. Specifically, the CCPA covers for-profit entities that do business in California, collect California residents’ “personal information,” and determine the means of processing that personal information, in addition to meeting any one of the following criteria:

  • Have an annual gross revenue exceeding $25 million;

  • Buy, receive, sell, or share, for commercial purposes, personal information of 50,000 or more consumers, devices, and households; or

  • Derive 50% or more of annual revenue from selling consumers’ personal information.

When reviewing these criteria, it is important to note that subsidiaries or entities that are controlled by a business and share common branding with a business are also covered.

Broadly, the CCPA protects California consumers (i.e., residents) and holds covered entities accountable on how they gather, receive, sell, or share a California consumer’s personal information. In terms of what constitutes “personal information,” the CCPA’s definition is extremely broad—in some respects broader than the GDPR’s.

Specifically, the CCPA defines personal information as information that reasonably identifies; relates to; describes; is reasonably capable of being associated with; or could reasonably be linked, directly or indirectly, with a particular consumer or household. Examples of personal information subject to the CCPA include, but are not limited to, names, mailing addresses, Social Security numbers, online identifiers, passport numbers, financial information, email addresses, driver’s license numbers, and biometric information.

The bottom line is that the CCPA covers all personal information that can be linked to a household or individual in California. The linkage to a household specifically is an area where the CCPA appears to go beyond the GDPR, which tends to focus only on individuals. However, there are a few key exclusions that businesses should be aware of. Specifically, the CCPA does not apply to personal information collected by a business from a person acting as a job applicant, employee, owner, director, officer, medical staff member, or contractor.

In determining the most efficient use of your business’s limited resources, understanding the CCPA’s enforcement mechanisms and penalties, as well as California’s enforcement priorities, can become almost as important as understanding what is required to comply. CCPA enforcement can occur via the California Attorney General’s Office or via private right of action/class action lawsuit.

The CCPA fixes statutory damages of $2,500 for each violation, or $7,500 for each intentional violation, with the California Attorney General issuing these fines. However, before the attorney general can bring an action for violation of the CCPA, a business must be given 30 days’ notice to cure the violation, with fines being assessed if the issues are not resolved. While the notice provision provides some level of protection for businesses, implementing a “cure” within 30 days, especially if it fundamentally alters a company’s data governance practices, could be an onerous task.

In addition to attorney general enforcement, the CCPA includes a private right of action for Californians in data breach scenarios. If a data breach occurs and the business failed to implement and maintain reasonable security procedures and practices, a private right of action could cost as much as $100–$750 per consumer per incident. Class action lawsuits are also contemplated—a class of consumers can sue a business stemming from a data breach when the business egregiously does not establish reasonable safety measures to prevent the data breach.

Nonetheless, there are a few key exclusions with respect to the enforcement of the CCPA. The law does not restrict a business’s ability to collect or sell a consumer’s personal information if every aspect of that commercial conduct takes place outside of California. Additionally, the CCPA does not apply to information that is subject to other federal regulations, including the Health Insurance Portability and Accountability Act, the Gramm‐Leach‐Bliley Act, the Fair Credit Reporting Act, or the Driver’s Privacy Protection Act.

While the state’s enforcement priorities are far from clear at this stage, we can certainly expect the attorney general to try and notch a few high-publicity “big wins” early to show that the law is being strongly enforced. Additionally, due to the private right of action for data breaches, companies experiencing a breach should expect and take precautions for these sorts of actions. Because the harm to consumers is easier to quantify with a breach, and because of the high-profile nature of some breaches, we can certainly expect these incidents to be a top enforcement priority at the attorney general level as well.

This document is only available to members. Please log in or become a member.
Become a Member Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings