With The California Consumer Privacy Act of 2018 Taking Effect on January 1, 2020, Businesses Will Need to Take Several Additional Steps to Safeguard Data Privacy
In the absence of federal regulations, California is taking the lead on consumer privacy protection. The California Consumer Privacy Act of 2018, which takes effect on January 1, 2020, will require businesses to take several additional steps to safeguard data privacy. While the new law does not apply to all businesses, it is important to understand that simply being located outside of California does not shield you from its requirements.
California Consumer Privacy Act of 2018
Former Gov. Jerry Brown signed the California Consumer Privacy Act of 2018 (CCPA) into law on June 28, 2018. Beginning January 1, 2020, consumers will have the right to request that a business disclose the following:
The categories of personal information it has collected about that consumer;
The categories of sources from which the personal information is collected;
The business or commercial purpose for collecting or selling personal information;
The categories of third parties with whom the business shares personal information; and
The specific pieces of personal information it has collected about that consumer.
Like the European Union’s General Data Protection Regulation (GDPR), the new law creates a “right to be forgotten.” It specifically grants a consumer the right to request the deletion of personal information and mandates that businesses delete such information upon receipt of a verified request. Consumers will also have the right to request that a business that sells the consumer’s personal information or discloses it for a business purpose, disclose the categories of information that it collects and categories of information and the identity of 3rd parties to which the information was sold or disclosed. Under California’s new privacy law, a business will be required to provide this information within 45 days of receiving a verifiable consumer request.
The CCPA also authorizes a consumer to opt-out of the sale of personal information by a business and prohibits the business from discriminating against the consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data. At the same time, the new law does authorize businesses to offer financial incentives for the collection of personal information. Additionally, California’s new privacy law bans businesses from selling the personal information of a consumer under 16 years of age, unless the children (between the ages of 13 and 16) or their parents expressly opt-in.
Businesses must also take certain steps to inform consumers about their privacy rights. For instance, they must provide a clear and conspicuous link on their Internet homepage, titled “Do Not Sell My Personal Information,” to a separate Web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal information. A business may not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information. The law also mandates that businesses provide at least two methods for consumers to make requests for information required to be disclosed (at a minimum a toll-free telephone number and, if applicable, a Web site address).
Entities Covered by California’s New Privacy Law
The CCPA applies to for-profit business entities that conduct business in California, collect consumers’ personal information, alone or jointly with others determine the purposes or means of processing of that data, and meet one or more of the following criteria: (1) have annual gross revenues greater than twenty-five million dollars ($25,000,000); (2) buy, receive, sell, or share personal information of 50,000 or more consumers annually; or (3) derive 50 percent or more of its their annual revenues from selling consumers’ personal information.
Under the law, a “consumer” is broadly defined as a natural person who is a California resident, and includes California residents while they are traveling. Meanwhile, a “business” can be a “sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners.”
The CCPA also covers any entity that controls or is controlled by a business that meets the requirements above and that shares common branding with such a business. “Control” is defined as follows: ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, service mark, or trademark.
Recent Amendments to the CCPA
Under amendments to the CCPA signed into law by California Gov. Gavin Newsom earlier this month, some businesses will get a reprieve. Under AB-1355, a one-year exemption will apply to personal information collected and used in certain business-to-business communications and transactions. A separate amendment, AB-25, contains a temporary carve-out for employee data. It provides that personal information that a business collects and uses solely in the context of the person’s role as a current or former job applicant, employee, owner, director, officer, medical staff member, or contractor, and their emergency contacts and plan beneficiaries is exempt from most CCPA’s requirements until January 1, 2021.
As noted above, the reprieve may only be temporary. The California Legislature intends to revisit how the CCPA applies to certain types of data, including business-to-business data and employee data. Accordingly, additional regulations are likely on the horizon.
Compliance with the CCPA
The California Department of Justice recently released draft regulations to implement the CCPA and provide further guidance to covered businesses. The regulations address, among other items, the consumer notices that must be provided under the law and the policies/procedures businesses must have in place to respond to consumer requests.
Failure to comply with the California Consumer Privacy Act will be costly for businesses. After providing notice of the violation and allowing 30 days for the business to cure it, the California Attorney General may issue civil penalties for each violation. Enforcement will begin on July 1, 2020, or six months after publication of the final regulations, whichever occurs first.
The CCPA also includes a private right of action. When a breach of personal information occurs due to a business’ failure to implement and maintain reasonable safeguards to protect that information, the law entitles aggrieved consumers to pursue statutory damages of no less than $100 and no more than $750 per consumer per incident, or actual damages, whichever is greater.
According to the International Association of Privacy Professionals, more than 500,000 U.S. businesses will fall under the purview of the new privacy law. Because many large businesses have taken steps to comply with GDPR, they should be in a good position to meet the new requirements of California’s privacy law. However, small and medium-sized businesses who are not subject to the GDPR should begin the process of reviewing their privacy policies and procedures to ensure they prepared to comply with the California Consumer Privacy Act by the end of next year.
If you have questions, please contact us
If you have any questions or if you would like to discuss the matter further, please contact me, Robert A. Marsico, or the Scarinci Hollenbeck attorney with whom you work, at 201-806-3364.
Does Your Homeowners Insurance Provide Adequate Coverage?
Your home is likely your greatest asset, which is why it is so important to adequately protect it. Homeowners insurance protects you from the financial costs of unforeseen losses, such as theft, fire, and natural disasters, by helping you rebuild and replace possessions that were lost While the definition of “adequate” coverage depends upon a […]
Understanding the Importance of a Non-Contingent Offer
Making a non-contingent offer can dramatically increase your chances of securing a real estate transaction, particularly in competitive markets like New York City. However, buyers should understand that waiving contingencies, including those related to financing, or appraisals, also comes with significant risks. Determining your best strategy requires careful analysis of the property, the market, and […]
Fred D. Zemel Appointed Chair of Strategic Planning at Scarinci & Hollenbeck, LLC
Business Transactional Attorney Zemel to Spearhead Strategic Initiatives for Continued Growth and Innovation Little Falls, NJ – February 21, 2025 – Scarinci & Hollenbeck, LLC is pleased to announce that Partner Fred D. Zemel has been named Chair of the firm’s Strategic Planning Committee. In this role, Mr. Zemel will lead the committee in identifying, […]
Novation Agreement Process: Step-by-Step Guide for Businesses
Big changes sometimes occur during the life cycle of a contract. Cancelling a contract outright can be bad for your reputation and your bottom line. Businesses need to know how to best address a change in circumstances, while also protecting their legal rights. One option is to transfer the “benefits and the burdens” of a […]
What Is a Trade Secret? Key Elements and Legal Protections Explained
What is a trade secret and why you you protect them? Technology has made trade secret theft even easier and more prevalent. In fact, businesses lose billions of dollars every year due to trade secret theft committed by employees, competitors, and even foreign governments. But what is a trade secret? And how do you protect […]
What Is Title Insurance? Safeguarding Against Title Defects
If you are considering the purchase of a property, you may wonder — what is title insurance, do I need it, and why do I need it? Even seasoned property owners may question if the added expense and extra paperwork is really necessary, especially considering that people and entities insured by title insurance make fewer […]
No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.
Sign up to get the latest from our attorneys!
Explore What Matters Most to You.
Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.
Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.
Does California’s New Data Privacy Law Apply to Your NY or NJ Business?
Author: Robert A. Marsico
With The California Consumer Privacy Act of 2018 Taking Effect on January 1, 2020, Businesses Will Need to Take Several Additional Steps to Safeguard Data Privacy
In the absence of federal regulations, California is taking the lead on consumer privacy protection. The California Consumer Privacy Act of 2018, which takes effect on January 1, 2020, will require businesses to take several additional steps to safeguard data privacy. While the new law does not apply to all businesses, it is important to understand that simply being located outside of California does not shield you from its requirements.
California Consumer Privacy Act of 2018
Former Gov. Jerry Brown signed the California Consumer Privacy Act of 2018 (CCPA) into law on June 28, 2018. Beginning January 1, 2020, consumers will have the right to request that a business disclose the following:
The categories of personal information it has collected about that consumer;
The categories of sources from which the personal information is collected;
The business or commercial purpose for collecting or selling personal information;
The categories of third parties with whom the business shares personal information; and
The specific pieces of personal information it has collected about that consumer.
Like the European Union’s General Data Protection Regulation (GDPR), the new law creates a “right to be forgotten.” It specifically grants a consumer the right to request the deletion of personal information and mandates that businesses delete such information upon receipt of a verified request. Consumers will also have the right to request that a business that sells the consumer’s personal information or discloses it for a business purpose, disclose the categories of information that it collects and categories of information and the identity of 3rd parties to which the information was sold or disclosed. Under California’s new privacy law, a business will be required to provide this information within 45 days of receiving a verifiable consumer request.
The CCPA also authorizes a consumer to opt-out of the sale of personal information by a business and prohibits the business from discriminating against the consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data. At the same time, the new law does authorize businesses to offer financial incentives for the collection of personal information. Additionally, California’s new privacy law bans businesses from selling the personal information of a consumer under 16 years of age, unless the children (between the ages of 13 and 16) or their parents expressly opt-in.
Businesses must also take certain steps to inform consumers about their privacy rights. For instance, they must provide a clear and conspicuous link on their Internet homepage, titled “Do Not Sell My Personal Information,” to a separate Web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal information. A business may not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information. The law also mandates that businesses provide at least two methods for consumers to make requests for information required to be disclosed (at a minimum a toll-free telephone number and, if applicable, a Web site address).
Entities Covered by California’s New Privacy Law
The CCPA applies to for-profit business entities that conduct business in California, collect consumers’ personal information, alone or jointly with others determine the purposes or means of processing of that data, and meet one or more of the following criteria: (1) have annual gross revenues greater than twenty-five million dollars ($25,000,000); (2) buy, receive, sell, or share personal information of 50,000 or more consumers annually; or (3) derive 50 percent or more of its their annual revenues from selling consumers’ personal information.
Under the law, a “consumer” is broadly defined as a natural person who is a California resident, and includes California residents while they are traveling. Meanwhile, a “business” can be a “sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners.”
The CCPA also covers any entity that controls or is controlled by a business that meets the requirements above and that shares common branding with such a business. “Control” is defined as follows: ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, service mark, or trademark.
Recent Amendments to the CCPA
Under amendments to the CCPA signed into law by California Gov. Gavin Newsom earlier this month, some businesses will get a reprieve. Under AB-1355, a one-year exemption will apply to personal information collected and used in certain business-to-business communications and transactions. A separate amendment, AB-25, contains a temporary carve-out for employee data. It provides that personal information that a business collects and uses solely in the context of the person’s role as a current or former job applicant, employee, owner, director, officer, medical staff member, or contractor, and their emergency contacts and plan beneficiaries is exempt from most CCPA’s requirements until January 1, 2021.
As noted above, the reprieve may only be temporary. The California Legislature intends to revisit how the CCPA applies to certain types of data, including business-to-business data and employee data. Accordingly, additional regulations are likely on the horizon.
Compliance with the CCPA
The California Department of Justice recently released draft regulations to implement the CCPA and provide further guidance to covered businesses. The regulations address, among other items, the consumer notices that must be provided under the law and the policies/procedures businesses must have in place to respond to consumer requests.
Failure to comply with the California Consumer Privacy Act will be costly for businesses. After providing notice of the violation and allowing 30 days for the business to cure it, the California Attorney General may issue civil penalties for each violation. Enforcement will begin on July 1, 2020, or six months after publication of the final regulations, whichever occurs first.
The CCPA also includes a private right of action. When a breach of personal information occurs due to a business’ failure to implement and maintain reasonable safeguards to protect that information, the law entitles aggrieved consumers to pursue statutory damages of no less than $100 and no more than $750 per consumer per incident, or actual damages, whichever is greater.
According to the International Association of Privacy Professionals, more than 500,000 U.S. businesses will fall under the purview of the new privacy law. Because many large businesses have taken steps to comply with GDPR, they should be in a good position to meet the new requirements of California’s privacy law. However, small and medium-sized businesses who are not subject to the GDPR should begin the process of reviewing their privacy policies and procedures to ensure they prepared to comply with the California Consumer Privacy Act by the end of next year.
If you have questions, please contact us
If you have any questions or if you would like to discuss the matter further, please contact me, Robert A. Marsico, or the Scarinci Hollenbeck attorney with whom you work, at 201-806-3364.
Let`s get in touch!
Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!
