California Consumer Privacy Act & Data Breach Notification Legislative Updates

Published October 30, 2019

Recently, Governor Newsom approved several amendments to the California Consumer Privacy Act (“CCPA”), effective January 1, 2020.  These amendments come on the heels of the Attorney General’s release of the proposed CCPA regulations. Because of the CCPA’s broad reach, many companies (both within and outside of California) will be affected by the law.

The CCPA applies to for-profit companies if (1) the company collects the “personal information” of California residents (and controls the means and purposes for collection) and (2) one of the following thresholds applies:

  1. The company has an annual gross revenue that exceeds $25 million; or
  2. The company annually buys, receives, shares, or sells the personal information of more than 50,000 consumers, households or devices for commercial purposes; or
  3. The company derives 50% or more of annual revenues from selling consumers’ personal information (as “sale” is defined by the law).

Please note that the $25 million threshold is strictly revenue-based. It does not require a company to sell anything directly to California residents or to have a robust online presence. The CCPA does not currently apply to nonprofit organizations unless they are affiliated with a for-profit company that is subject to the law.

The CCPA considers “personal information” to be any information that can be tied to an individual and is collected from any California resident, including employees and job applicants, subject to a few industry-specific exceptions (for data covered by laws such as HIPAA and Gramm-Leach-Bliley). If the CCPA applies, the company must afford certain rights to California residents and disclose certain information about its data practices. The most visible step toward CCPA compliance is updating the company’s privacy policy posted online, which must cover the company’s online and offline data practices. Companies must also evaluate the categories of data collected, the sources of that data, and with whom it is shared, and must establish a process for handling consumer requests in a timely manner. Violations of the CCPA and data breaches may subject companies to civil penalties through the consumers’ private right of action and through AG enforcement actions.

Although employee-related data will be excluded from most of the CCPA requirements (until January 1, 2021), employers will still need to provide certain notices to their employees and employees will have a private right of action for data breaches.  The pending AG regulations, if promulgated, also impose certain employee training and record retention requirements on employers (among other things).

In addition to the various legislative amendments to the CCPA, Governor Newsom approved an amendment to California’s data breach law that expands the definition of “personal information” to include other government-issued identifiers (tax ID number, passport number, military ID number, etc.) and unique biometric data (such as fingerprints and retina and iris images). Because the CCPA’s private right of action is tied to the data breach law’s definition of “personal information,” expanding that definition likewise expands the scope of the CCPA’s private right of action.

The text of the CCPA may be found here (see Cal. Civil Code sections 1798.100-1798.199).

For more information on the proposed regulations, please visit the Attorney General’s website dedicated to the CCPA here.


Legal Disclaimer:

Nothing in this blog is intended to constitute legal advice and your interactions with this blog do not result in the formation of an attorney-client relationship. All matters are different and, as such, nothing in this blog is intended to guarantee, warrant, or predict a specific outcome.