Maier Law Group

View Original

Top 10 Things Start-Ups Must Know About the CCPA

A quick primer on what you need to know about the California Consumer Privacy Act (“CCPA”).

 

1.      It’s Not Location Specific.

Even a fledgling company that doesn’t have physical operations in California may have to comply with the CCPA. The law applies to all for-profit entities that do business in the state where any of the following apply:

  • The entity has a gross annual revenue in excess of $25 million;

  • The entity annually buys, receives, sells[1] or shares the personal information of more than 50,000 California consumers, households or devices for commercial purposes;

  • The entity derives 50% or more of its annual revenue from selling California consumers’ personal information.[2]

 

2.      Its Definitions Are Broad.

CCPA defines personal information (PI) more broadly than California’s other privacy laws and generally covers even more information than the General Data Protection Regulation, (Europe’s omnibus privacy law).  CCPA defines PI as anything that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.  So even an IP address could be PI, for example, or a geolocation.  CCPA defines “consumers” similarly broadly, as those located in California for other than a transitory or temporary purpose.  The CCPA may affect, therefore, even smaller start-up companies if they deal in PI.

 

3.      It Grants California Consumers Greater Privacy Rights.

The CCPA gives California consumers the right to request that a business:

  • Disclose the categories AND specific pieces of PI it has collected;

  • Disclose the categories of sources from which the PI is collected;

  • Disclose the business or commercial purpose for collecting or selling the PI;

  • Disclose the categories of third parties with which the business shares the PI;

  • Delete any PI about the consumer that the business collected from the consumer, with limited exceptions; and,

  • Not “sell” the consumer’s PI.

 

4.      It Requires an Online Privacy Policy.

A business must update its company’s online privacy policy (or create one, as many start- ups do not already have one) to comply with the CCPA and other state and federal laws. Among other requirements, a company must include a “Do Not Sell My Personal Information” link on its website homepage that allows a consumer to request their information not be sold.[3]

 

5.      Employee Personal Information is Temporarily Exempt.

The CCPA requires that employees that are California residents be treated like any other consumer with respect to their privacy rights.  However, a recent amendment to the CCPA exempts employee PI collected in the course of employment until January 1, 2021.[4] Employees are still entitled, however, to notice when their PI is collected.  

 

6.      It Requires That Certain Employees Receive Privacy Training.

The CCPA requires training of all employees handling consumer inquiries about a company’s privacy practices and compliance with CCPA. Employees must know how to direct consumers to exercise their CCPA rights.

 

7.      It Creates Financial Consequences for Security Incidents.

The CCPA does not create new data security requirements, but it increases the financial risk for security incidents by creating a private cause of action for certain types of data breaches caused by security inadequacies. The consumers affected by such an incident can recover up to $750 per consumer, per incident, or actual damages, whichever is greater.

 

8.      It Requires Warranties from Vendors.

CCPA requires contracts with company vendors that handle PI. The vendor must make certain certifications and representations about their handling of the PI to ensure their client company remains in compliance with CCPA. The company can also shift liability to the vendor for any violation of the CCPA caused by the vendor. Such indemnification clauses are a good idea to include in any contract a fledgling (or other) business drafts with a vendor.

 

9.      CCPA Enforcement Is Delayed.

Although the CCPA is effective January 1, 2020, enforcement will be delayed until six months after publication of the final regulations implementing CCPA, or July 1, 2020, whichever is sooner. Nevertheless, Maier Law Group recommends that companies start implementing compliance controls now to be in full compliance by the time the law becomes effective.

 

10.  The CCPA Carries Steeper Penalties for Intentional Violations.

The California Attorney General’s office can seek penalties of $2,500 per violation[5] of the CCPA, or $7,500 for each intentional violation a company commits after notice and 30-day opportunity to cure have been provided. 


[1]Sale” is defined by CCPA to mean “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information to another business or a third party for monetary or other valuable consideration.

[2] CCPA also applies to any entity that either controls or is controlled by a covered business or share common branding with a covered business, such as a shared name, service mark, or trademark.

[3] The CCPA also defines “homepage” to include “any Internet Web page where personal information is collected,” suggesting the statute may be interpreted to require that the link be included on other parts of the website where the user inputs data or user data is tracked or collected- generally almost every page of a website when allowing for data analytic services. Sec. 1798.140(l).

[4] Employees are also entitled to the same private right of action as other consumers under CCPA. We anticipate new legislation by 2021 outlining employer-specific obligations with respect to employee personal information.

[5] A violation is defined as an incident in which a consumer, “whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ [that holds information on the consumer] violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.”


The Maier Law Group helps companies ensure that their policies and practices comply with the relevant workplace regulations.  Please contact us at info@maierlawgroup.com for more information.

This article has been prepared for general informational purposes only and does not constitute advertising, solicitation, or legal advice. If you have questions about a particular matter, please contact the Maier Law Group directly.