The California Consumer Privacy Act

The California Consumer Privacy Act
February 18, 2019 dmock2015

In 2018, the Legislature passed the California Consumer Privacy Act (the “Act”). The Act becomes enforceable in January of 2020.  (See Cal. Civil Code Section 1798.100 et seq.).  The Act is applicable to for-profit businesses meeting at least one of these thresholds: (1) annual gross revenue in excess of $25 million; (2) annually buys, sells or shares for commercial purposes the personal information of 50,000+ consumers; or (3) derives 50% or more of its annual revenues from selling consumers’ personal information.

Much has been written about the enhanced consumer rights, the required disclosures, and the private right of action provided under the Act, but the more pressing question for businesses subject to the Act  is how to comply with it. As for businesses that appear to be exempt from compliance with the Act for certain data (e.g., for data already protected by the Gramm-Leach-Bliley Act, HIPAA, and other enumerated exceptions), the Act’s broad definitions of “personal information” and “consumers” potentially means that data collected by business falling outside of specified exceptions will be subject to the Act. One of the significant such concerns is employee data. While everyone awaits regulations from the Attorney General’s Office (which must be promulgated before July 1, 2020) to hopefully clarify this and other issues, businesses should begin taking steps to determine what data it has collected from California residents, including their employees.  This means evaluating the different ways data flows into the organization, why it is gathered, whether it is sold or disclosed, and where it is stored. Going through this effort now will have tangible benefits later. For example, it will be easier for businesses to update their privacy policy with the required disclosures, and businesses will be better able to respond to consumer requests within the Act’s 45-day time frame.

The final public forum hosted by the Attorney General’s Office as part of the preliminary rulemaking activities is scheduled for early March, and written comments must be submitted by March 8, 2019 to be considered.


Legal Disclaimer:

This content of this blog is provided for informational purposes only and does not constitute legal advice. The transmission of information on this blog is not intended to establish, and receipt of such information does not establish or constitute, an attorney-client relationship. You should not act or rely on any information contained on this blog without first seeking the advice of an attorney.
This blog is not intended to be advertising, and Delfino Madden O’Malley Coyle & Koewler LLP does not desire to represent anyone desiring representation based upon viewing this blog or any articles contained on this blog in a jurisdiction where this email fails to comply with all laws and ethical rules of that jurisdiction.