A Little Privacy Please? (Part 1)
California’s new consumer privacy law uncovered, Part 1
On the heels of the European Union’s implementation of the General Data Protection Regulation (“GDPR”), the California Legislature enacted the California Consumer Privacy Act (“CCPA” or “Act”) on June 28, 2018. Effective January 1, 2020, the Act creates privacy protections for California consumers and subjects thousands of covered businesses to potential liability.
The CCPA has significant implications for consumers and Covered Businesses (defined below). The Act introduces new data privacy rights for California residents, including broad notice of what personal data is being collected, access to their personal information, and the right to delete their data. The Act allows consumers to opt out of the sale of their personal information. The Act also expands the definition of “personal information” and imposes strict rules for the collection of minors’ consumer data. In addition, the Act provides for statutory penalties for violations of its provisions, as well as a private right of action for certain data breaches.
Notably, the bill was introduced and passed in just one week to bypass a stronger ballot initiative. The delayed effective date gives businesses time to implement new compliance policies and practices, and also provides them a chance to lobby for amendments.
In a Four-Part Series, MLG will explain the CCPA’s major provisions and the related implications for Covered Businesses. In this first installment, we will discuss which businesses and consumers are covered under the Act. In the next CCPA post, we will break down the Act’s expanded definition of personal information and identify limitations of the Act and its exemptions. Next, we will discuss Covered Businesses’ obligations in relation to consumers’ new data privacy rights, including those of minors. Finally, we will identify the statutory penalties for violations of the Act and certain data breaches.
1. Is Your Business a "Covered Business" Under CCPA?
The Act applies to any company that does business in California and satisfies any one of the following conditions: (a) has an annual gross revenue in excess of $25 million; (b) annually buys, receives for its commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices, alone or in combination; or (c) earns at least half of its annual revenue from selling consumers’ personal information. An organization that meets this definition is considered a “Covered Business” and must comply with the CCPA’s provisions.
2. Who is a "Consumer" Under CCPA?
Under the Act, a “consumer” is any person residing in California. This means that the Act only protects individuals who either live in California permanently or are domiciled in California but are living temporarily outside of the state. Everyone else is considered a non-resident and, consequently, would not be a covered “consumer” under the Act.
If you have any questions concerning whether your company might be covered under the Act, please reach out to an MLG attorney to assist you.
Read the full series:
Part 1: Addresses which businesses and consumers are covered under the CCPA.
Part 2: The CCPA’s expanded definition of “personal information”, and some of its limitations and exemptions.
Part 3: Covered Businesses’ obligations to consumers under the CCPA.
Part 4: The CCPA’s enforcement framework and penalties for violations.
Amendments: What you should know about the September 2018 Amendments to the CCPA.
Author: Caitie Emmett, Associate.
The Maier Law Group helps companies ensure that their policies and practices comply with the relevant workplace regulations. Please contact us at firstname.lastname@example.org for more information.
This article has been prepared for general informational purposes only and does not constitute advertising, solicitation, or legal advice. If you have questions about a particular matter, please contact the Maier Law Group directly.