The California Consumer Privacy Act of 2018 (CCPA) took effect on January 1, 2020. But enforcement actions cannot be taken by the California Attorney General (CAG) any earlier than six months after the regulations have been issued or July 1, 2020, whichever comes sooner. Since passage of the law on June 28, 2018, eight amendments have been passed and on October 11, 2019 the CAG issued proposed implementing regulations. Stay tuned for new developments.

Many believe that other states will follow California’s lead on consumer privacy. Microsoft announced that it will implement the CCPA for all customers in the U.S. As result, this is likely just the beginning of stronger data privacy regulations at the state and federal level. In conjunction with GDPR in the European Union, the CCPA requires a thorough understanding of the personal data collected by your company, who has access to it and how it is being used.

Application of the CCPA

The CCPA was drafted to provide Californians the ability to have greater control of their personal information. The law focuses on for-profit businesses that:

• Do business in California;
• Collect, sell, and/or disclose personal information of California residents; and
  • Meet one or more of these classifications:
    Have annual gross revenues in excess of $25 million
  • Receive, sell or share for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households or devices
  • Derives 50% or more or its revenue from selling consumers’ personal information

If the CCPA pertains to you, then the preparations you have made to be GDPR-compliant, assuming you have taken these steps, will go a long way to meeting the legislation’s requirements.

CCPA Similarities and Differences Compared with the GDPR

As noted, the CCPA is modeled after the GDPR in many ways. At the core, both are intended to provide a comprehensive approach to the protection of consumer data. However, the two pieces of legislation take aim at different business activities. The GDPR focuses on the processing of personal data, while the CCPA addresses with the collection, sale and disclosure of personal data largely in response to the Cambridge Analytica fiasco.

Under both laws, consumers have the right (i) to know what personal data is being collected and how their personal data is being used, which is generally outlined in a privacy policy, and (ii) to access their personal data or have it deleted. However, there are some important differences. For example, GDPR has a broader scope in that it covers all businesses that process personal data of EU citizens regardless of whether they are doing business in the EU; whereas, the CCPA only applies when a company does business in the State of California. The CCPA also requires a business selling personal data to provide a conspicuous link on its website homepage, titled “Do Not Sell My Personal Information.” Since to the best of our knowledge, clients do not sell alumni data, this should not be applicable.

The financial penalties for non-compliance also differ between the two laws. The GDPR assesses an aggregate penalty of up to the greater of 4% of the company’s annual revenue or €20 million. The CCPA fines are applied per violation up to a maximum of $7,500 with no cap. Additionally, the consumer can take direct legal action against the business on an individual or class-wide basis if the business fails to cure the violation within 30 days and the CAG declines to prosecute. Under both laws, the use of data encryption can greatly reduce or eliminate these penalties.

How to Comply with the CCPA

The following steps should be taken to comply with the CCPA:

1. Read the law, amendments and proposed regulations if you haven’t already
2. Make sure you know what personal data is being collected by your business, who has access to it and how it is being used
3. Revise your privacy policy to incorporate a section for California residents sometime before July 1, 2020

At a minimum, the California resident section should include the following information:

• A list of the consumer’s rights under the CCPA and two or more designated methods for submitting requests for information including, at a minimum, a toll-free telephone number and a website address
• A list of the categories of personal information collected the preceding 12 months
• A list of the categories of personal information sold the preceding 12 months; if none sold, then disclose that fact
• A list of the categories of personal information disclosed for a business purpose the preceding 12 months; if none disclosed, then disclose that fact

The regulation currently requires that this information be updated at least once every 12 months as indicated above. Hopefully this requirement will be relaxed via amendment or regulations.

This information is not a substitute for having your own legal counsel provide guidance on the implications of CCPA to your business and your responsibilities under the law. We also encourage you to read the CCPA yourself to gain a fuller understanding of it.