California Consumer Privacy Act & Data Breach Notification Legislative Updates
Published October 30, 2019
Recently, Governor Newsom approved several amendments to the California Consumer Privacy Act (“CCPA”), effective January 1, 2020. These amendments come on the heels of the Attorney General’s release of the proposed CCPA regulations. Because of the CCPA’s broad reach, many companies (both within and outside of California) will be affected by the law.
The CCPA applies to for-profit companies if (1) the company collects the “personal information” of California residents (and controls the means and purposes for collection) and (2) one of the following thresholds applies:
- The company has an annual gross revenue that exceeds $25 million; or
- The company annually buys, receives, shares, or sells the personal information of more than 50,000 consumers, households or devices for commercial purposes; or
- The company derives 50% or more of annual revenues from selling consumers’ personal information (as “sale” is defined by the law).
Please note that the $25 million threshold is strictly revenue-based. It does not require a company to sell anything directly to California residents or have a robust online presence. The CCPA does not currently apply to a nonprofit organization unless it is affiliated with a for-profit company that is subject to the law.
Although employee-related data will be excluded from most of the CCPA requirements (until January 1, 2021), employers will still need to provide certain notices to their employees and employees will have a private right of action for data breaches. The pending AG regulations, if promulgated, also impose certain employee training and record retention requirements on employers (among other things).
In addition to the various legislative amendments to the CCPA, Governor Newsom approved an amendment to California’s data breach law which expands the definition of “personal information” to include other government-issued identifiers (tax ID number, passport number, military ID number, etc.) and unique biometric data (such as fingerprints, retina and iris images). By expanding this definition, the scope of the CCPA’s private right of action is likewise expanded because it is tied to the data breach law’s definition of “personal information.”
The text of the CCPA may be found here (see Cal. Civil Code sections 1798.100-1798.199).
For more information on the proposed regulations, please visit the Attorney General’s website dedicated to the CCPA here.