The California Consumer Privacy Act

Published February 18, 2019

In 2018, the Legislature passed the California Consumer Privacy Act (the “Act”). The Act becomes enforceable in January of 2020. (See Cal. Civil Code Section 1798.100 et seq.) The Act applies to for-profit businesses meeting at least one of these thresholds: (1) annual gross revenue in excess of $25 million; (2) annually buys, sells or shares for commercial purposes the personal information of 50,000+ consumers; or (3) derives 50% or more of its annual revenues from selling consumers’ personal information.

Much has been written about the enhanced consumer rights, the required disclosures, and the private right of action provided under the Act, but the more pressing question for businesses subject to the Act is how to comply with it. As for businesses that appear to be exempt from compliance with the Act for certain data (e.g., data already protected by the Gramm-Leach-Bliley Act, HIPAA, and other enumerated exceptions), the Act’s broad definitions of “personal information” and “consumers” potentially mean that data collected by those businesses that falls outside the specified exceptions will be subject to the Act. One significant concern of this kind is employee data. While everyone awaits regulations from the Attorney General’s Office (which must be promulgated before July 1, 2020) that will hopefully clarify this and other issues, businesses should begin taking steps to determine what data they have collected from California residents, including their employees. This means evaluating the different ways data flows into the organization, why it is gathered, whether it is sold or disclosed, and where it is stored. Going through this effort now will have tangible benefits later. For example, it will be easier for businesses to update their privacy policies with the required disclosures, and businesses will be better able to respond to consumer requests within the Act’s 45-day time frame.

The final public forum hosted by the Attorney General’s Office as part of the preliminary rulemaking activities is scheduled for early March, and written comments must be submitted by March 8, 2019 to be considered.

Legal Disclaimer:

Nothing in this blog is intended to constitute legal advice and your interactions with this blog do not result in the formation of an attorney-client relationship. All matters are different and, as such, nothing in this blog is intended to guarantee, warrant, or predict a specific outcome.