The California Consumer Privacy Act (the “CCPA”) is a new law intended to enhance privacy rights and consumer protections for California residents, which comes into force on January 1, 2020.
In the lead-up to the CCPA coming into force, this blog post covers three common questions we receive: (1) do I need to comply? (2) when do I need to comply? and (3) what happens if I do not comply?
1. Do I need to comply? Probably, but not directly. Most companies that operate from Canada or in states other than California will not directly have to comply with the CCPA, as the territorial scope of the law is fairly limited, especially when compared with the EU’s General Data Protection Regulation (the “GDPR”). To fall under the territorial scope of the CCPA, you have to be a for-profit business doing business in the State of California and have one of three factors apply:
(a) gross revenue of over $25,000,000 USD;
(b) handle the personal information of more than 50,000 consumers, households or devices (it is unclear in the Act, at this stage, whether this is a California or world-wide number); or
(c) derive more than 50% of annual revenue from the selling of consumers’ personal information.
While the CCPA may not apply directly to many companies, as we saw with the GDPR rollout in 2018, the CCPA will likely apply indirectly: major tech companies like Google and Apple will have to comply with this law, and as part of their own compliance requirements they will likely require that the companies they do business with that collect personal information also comply. The extent of this indirect compliance is currently unclear and may only apply to certain provisions of the CCPA.
2. When do I need to comply? The effective date of the CCPA (the date at which the CCPA becomes law) is January 1, 2020, and while enforcement by the California Attorney General’s office may not begin until supporting regulations are finalized (the deadline for regulations is June 1, 2020), we recommend that companies that need to comply directly begin compliance work immediately and aim to be fully compliant by January 1. Companies that only need to comply indirectly may have some time to wait and see how the CCPA will affect contracts and terms with CCPA-compliant companies, but it won’t hurt to be compliant by early 2020.
3. What happens if I do not comply? Beware of the cost! There are several penalty clauses in the CCPA, including $2,500 for each non-intentional violation and $7,500 for each intentional violation. If you have over 50,000 users, these penalties can easily amount to over $125,000,000. For companies that will have to comply indirectly through contracts or user agreements, beware of indemnification clauses and other liability amendments that may push these penalties onto your company.
For many companies, the CCPA may not directly apply. However, it’s important to monitor CCPA factors, relative to your company’s business, to ensure that you do not miss compliance should a factor be met in the future – this is especially important in rapidly growing startups where it’s easy for a compliance obligation to be missed. Even if the CCPA factors are not met, there may be an obligation to comply as large tech companies will likely be complying and force compliance on everyone else they do business with.