The past year brought an onslaught of new data privacy risks and compliance obligations to many companies led in large part by the EU’s landmark General Data Protection Regulation (GDPR) that came into effect last May. The GDPR sparked a significant amount of media attention and caused most organizations to devote their privacy-related resources to determining whether the law applied to them and fast-tracking compliance programs where necessary. However, during the GDPR hoopla, the California legislature quickly and somewhat quietly passed a privacy law that will impose compliance burdens and risks on most US businesses that will likely prove to be far greater than those caused by the GDPR. This law, the California Consumer Privacy Act of 2018 (CCPA), has been dubbed “GDPR Light” because it imposes GDPR-like notice and transparency obligations onto companies that collect or sell personal data of California residents.
Specifically, the CCPA will apply to any entity doing business in California that meets at least one of the following criteria:
- Annual gross revenue in excess of $25,000,000
- Buy, sell, receive, or share personal information of 50,000 or more consumers, households, or devices for commercial purposes
- Derive 50% or more of annual revenue from selling consumer personal information
As a practical matter, this means that a very high number of US companies will fall within the ambit of the CCPA. In addition, the exposure for non-compliance will be significant: the law provides for both public enforcement by the California Attorney General as well as a private right of action in some circumstances with statutory fines up to $7,500 per individual whose data was processed in violation.
The CCPA goes into effect January 1, 2020 with enforcement likely beginning in the second half of 2020. However, early compliance efforts will be complicated by the fact that the law is likely to be amended at least once this year by the legislature, and the California Attorney General is empowered to issue a set of implementing regulations (also expected later this year) that will no doubt have an impact on certain nuances of compliance. Nonetheless, companies should start mapping out their compliance initiatives now to ensure appropriate programs are in place before the end of the year. This is especially imperative for organizations that are not already GDPR compliant because they will be starting from ground zero and will likely need at least 12 months to become fully compliant with CCPA.
The NGE data privacy team stands ready to assist with any and all aspects of CCPA compliance. Please contact Greg Leighton with any questions or requests for further information.