Nation’s Strictest Data Privacy Law Takes Effect January 1, 2020

The California Consumer Privacy Act of 2018 (“CCPA”), passed on June 28, 2018, established what is being considered the strictest and most comprehensive data privacy law in the Unites States. The CCPA includes the following consumer rights: (1) the right to know what personal information is collected from them by businesses they deal with; (2) the purposes for which such information is to be used; (3) to whom that information is disclosed or sold; (4) the right to opt out of the sale of personal information; and (5) the right to access and delete (with some exceptions) some personal information. The CCPA further provides for a private right of action seeking damages in the event that a business’s failure to implement and maintain reasonable security measures leads to the unauthorized access, disclosure or theft of a consumer’s personal information. With the CCPA taking effect on January 1, 2020, businesses that will be covered by the law should begin taking immediate steps toward compliance to timely meet all of its requirements.

The CCPA is being heralded by its supporters as a dramatic expansion of consumer power and a model for other states to follow. However, it does not cover all businesses. The CCPA only applies to those businesses doing business in California that collect their consumers’ personal information and that do one of the following: (1) generate gross annual revenue of $25 million or more; (2) collect, sell or share personal information of at least 50,000 consumers, households or devices annually for commercial purposes; or (3) derive at least 50% of its annual revenues from selling consumer personal information. An important and interesting aspect of the CCPA is that it also applies to affiliated, co-branded entities of any business that meets the criteria listed above – regardless of whether that affiliate actually does business in California.

As used in the CCPA, “personal information” is defined broadly to mean any information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household, and includes name, alias, mailing address and IP address. The CCPA does not apply to consumer information that is already protected by HIPAA and a few other data protection regulations.

In the time between now and January 1, 2020, it is likely that the California legislature will face attempts to make amendments to the law. However, most of the law is likely to remain as is and businesses should not wait to begin implementing compliance-oriented measures. This law illustrates the ever-changing data privacy landscape that all businesses now must face. It is of the utmost importance for businesses to be familiar with all relevant data privacy laws and regulations and to consult an attorney experienced in data privacy practice in the states in which they do business.