The California Consumer Privacy Act (“CCPA”) will go into effect on January 1, 2020.  Similar to the European Union’s General Data Protection Regulation (“GDPR”), CCPA creates significant compliance challenges for government contractors and commercial businesses doing business in California, with several states following suit.  Under CCPA, fines from the Attorney General for businesses that do not comply could be as high as $7,500 per violation, with CCPA also granting consumers the right to bring private action, exposing companies to actual and statutory damages.
Preparing for CCPA
To prepare for CCPA’s January 1, 2020 effective date, first determine if you fall within CCPA’s compliance criteria. Critically, the statutorily defined terms “consumer” and “personal information” are far broader than in most statutes and regulations. The enlargement of these terms causes CCPA’s jurisdiction to be larger than it appears on the face of the statute. Below are certain high-level questions that can help a business determine if it meets certain threshold standards:
 
  • Do you, or any of your subsidiaries or affiliates, engage in business in California?
  • Do you do business with contacts or employees who reside in California?
  • Does your business have over $25 million in annual gross revenues?
  • Does your business buy, sell, or receive personal information?

If you fit certain initial criteria, we recommend identifying the type of personal information your business collects. As briefly mentioned above, CCPA broadly defines personal information as any information that directly or indirectly identifies, describes, or can be reasonably linked to a particular consumer. Similar to GDPR, CCPA grants consumers significant rights to the use of their personal information, including general notice rights. It is here that companies can take proactive steps to prepare for CCPA’s implementation. More specifically, CCPA grants consumers the right to know what personal information a business collects, sells, or discloses about them. Additionally, several sections of CCPA require businesses to make affirmative disclosures to consumers by way of privacy policies and other notices.

In addition to the various privacy policies that are required under CCPA, other reasonable steps include conducting regular training programs for employees, crafting tailored intellectual property rights contracts, and instituting third-party commercial contracts to ensure that CCPA’s requirements are adhered to.
Looking to the Future
CCPA was originally drafted as a ballot initiative before being transitioned into a statute in a relatively short timeframe.  Because of this, CCPA has already been through a series of amendments, with many more amendments still before the California legislature.  
More and more states are slated to follow California’s lead, including Hawaii, Maryland, Massachusetts, Mississippi, Nevada, North Dakota, New Mexico, New York, Rhode Island, and Washington.   If these states decide to enact similar legislation, it will have a far-reaching effect on government contractors and commercial businesses that conduct business in those regions.  In light of GDPR, CCPA, and these recent developments, the possibility of federal legislation being enacted is high.  Businesses should prepare now to preempt the potential impact. 
Attorneys in PilieroMazza’s Cybersecurity & Data Privacy Group are well-versed in this area of the law, and will continue to monitor CCPA developments, as well as the litany of other states that are in various stages of implementing additional privacy statutes and regulations.  For more information concerning CCPA, please contact:
 
David T. Shafer