The California Consumer Privacy Act, which entered into effect in January 2020, has broadened consumer privacy rights and business compliance obligations.
While enforcement by the California attorney general is expected to commence in July 2020, consumers have already instituted civil actions as permitted by the CCPA against businesses for alleged violations of the duty to implement and maintain reasonable security procedures and practices.
Given that, the CCPA warrants careful review by businesses across sectors. The CCPA is the first comprehensive consumer privacy law in the U.S. with reverberations felt across state lines.
Why is the California Consumer Privacy Act significant to businesses beyond California?
The CCPA potentially applies to any commercial business that has California customers.
Businesses need not have physical operations in California to face compliance obligations. Indeed, any business that collects personal information from a California resident, whether directly or through others acting on its behalf, may need to comply.
The law does provide some limitations, however. First, it applies only to for-profit entities. Second, such entities must be “doing business” in California. Third, they must be collecting the personal information of California residents. And fourth, they must meet one of the following thresholds: (1) generate annual gross revenue in excess of $25 million; (2) derive half or more of their annual revenue from selling the personal information of Californians; or (3) buy, receive, sell, or share the personal information of 50,000 or more consumers, households, or devices.