Special thanks to Tevin Hopkins for his contributions to this post.
Have you ever wondered how much information and personal data companies have about you? The data could range from your email address to your social security number. Beginning on January 1, 2020, when the California Consumer Privacy Act (the “CCPA”) goes into effect, it may become easier for consumers to discover this information. The CCPA, which includes various protections against the collection and disclosure of consumers’ personal information, was signed into law in June 2018.
The CCPA will require many businesses to allow California consumers to direct the company to delete all information collected about them or prohibit the company from selling their personal information to third parties. The law also allows individuals to ask companies exactly what kind of information has been collected and why their data is being collected and sold, to learn about the types of third-party companies buying and using the data, and to find out about the financial incentives the company receives for selling the data. If a company is subject to this law, the fines can add up quickly. Under the statute, penalties for noncompliance levied by the government can reach up to $7,500 for each intentional violation, or $2,500 per violation without the requisite intent. Consumers themselves can also collect between $100 and $750 for each violation, under the private right of action established in the CCPA.
While the law is on the books in California, its impact is not limited to companies based in California. The CCPA directly applies to many out-of-state companies that do business in California. A company must comply with the CCPA if it meets at least one of three requirements: (1) has $25 million or more in gross revenue; (2) buys, sells, or shares personal data of 50,000 or more Californians; or (3) makes 50% or more of its revenue from selling personal data.
The CCPA applies a broad definition of “personal data,” covering any information that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This includes data such as IP addresses, browsing history, records of purchases, biometrics, geolocation, and employment- or education-related information. As a result, many out-of-state companies may be subject to the CCPA because they buy, sell or share personal data of over 50,000 residents of California.
Even if a company is not currently subject to the CCPA, it is anticipated that other states may follow California in enacting similar legislation. The cost of compliance could be substantial depending on the size of the company and how much consumer data it possesses. Working toward compliance before a company’s home state enacts similar legislation could streamline and potentially reduce the costs of compliance.