On June 28, 2018, California enacted the California Consumer Privacy Act of 2018 (“CCPA”). CCPA, unlike any other law, requires companies to honor specific privacy rights of California consumers granted under CCPA.

While this is a California law, it has a national effect. Practically, companies subject to CCPA may treat all of their customers the same to avoid implementing a state-by-state approach or appearing to favor California residents. Other states may follow California’s lead and enact similar laws, as states have done for other privacy laws currently in effect.

Below is a high-level overview of CCPA. We will update this chart if CCPA is amended between now and its effective date.

When is CCPA effective?

January 1, 2020

Who is subject to CCPA?

A company doing business in California, collecting or telling others to collect personal information of California residents, determining the purposes and means for using that information, and meeting one of three thresholds:

  1. Annual gross revenues over $25MM
  2. Annually buys, receives, sells, or shares the personal information of 50,000 or more California residents, households or devices
  3. Derives 50% or more of its annual revenue from selling personal information of California residents

What information is protected? 

Personal information of California residents, which is broadly defined. It includes any information, directly or indirectly, relating to an individual or household.

What rights are granted under CCPA?

California residents are granted the following rights:

  • Right to know, at or prior to collection, the purpose of collection and the categories of personal information collected
  • Right to request certain additional information, including specific pieces of personal information collected
  • Right to request deletion of their personal information in certain instances and subject to several exceptions
  • Right to know whether their personal information is sold or disclosed and to whom
  • Right to say no to the sale of personal information
  • Right to equal service and price, even if they exercise their privacy rights

What steps can my company take between now and CCPA’s effective date?

  • Determine whether CCPA applies to you
  • Know and map your data: What specific pieces of personal information do you collect? Who do you collect it from? Why do you collect it? How do you share it? Where do you store it?
  • Implement processes to respond to requests from California residents (or all of your customers if you take a “one size fits all” approach)
  • Update your privacy policy and be prepared to do so at least once a year

What are the penalties?

  • $7,500 per violation, enforceable by the Attorney General
  • Limited private right of action for data breaches