In July, we published a client alert answering key questions about the CCPA. However, state lawmakers have made additional changes to the law since then. Below is an updated overview showing the amendments in bold underlining. We will continue to update this chart if CCPA is amended between now and its effective date.
When is CCPA effective?
January 1, 2020

When does enforcement begin?
The earlier of 6 months after publication of CCPA or July 1, 2020

Who is subject to CCPA?
A company doing business in California, collecting or telling others to collect personal information of California residents, determining the purposes and means for using that information, and meeting one of three thresholds:
(1) Annual gross revenues over $25MM
(2) Annually buys, receives, sells, or shares the personal information of 50,000 or more California residents, households or devices
(3) Derives 50% or more of its annual revenue from selling personal information of California residents

What information is protected?
Personal information of California residents, which is broadly defined. It includes any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly,

What rights are granted under CCPA?
California residents are granted the following rights:
- Right to know, at or prior to collection, the purpose of collection and the categories of personal information collected
- Right to request certain additional information, including specific pieces of personal information collected
- Right to request deletion of their personal information in certain instances and subject to several exceptions
- Right to know whether their personal information is sold or disclosed and to whom
- Right to say no to the sale of personal information
- Right to equal service and price, even if they exercise their privacy rights

What steps can my company take between now and CCPA’s effective date?
- Determine whether CCPA applies to you
- Know and map your data: What specific pieces of personal information do you collect? Who do you collect it from? Why do you collect it? How do you share it? Where do you store it?
- Implement processes to respond to requests from California residents (or all of your customers if you take a “one size fits all” approach)
- Update your privacy policy and be prepared to do so at least once a year

What are the penalties?
- $2,500 per violation; $7,500 per intentional violation, enforceable by the Attorney General
- Limited private right of action for data breaches if they occur as a result of a company’s breach of its duty to implement and maintain reasonable security procedures and practices

Are there any exemptions?
Information:
- Information collected, processed, sold or disclosed pursuant to GLBA, the Driver’s Privacy Protection Act, or California Financial Information Privacy Act
- Protected health information collected by HIPAA covered entities and business associates
- Clinical trial data subject to the Federal Policy for the Protection of Human Subjects
Entities:
- HIPAA covered entities and health care providers subject to California’s Confidentiality of Medical Information Act